Analysis
-
max time kernel
74s -
max time network
85s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
02-12-2021 14:24
General
-
Target
Kanium.exe
-
Size
62KB
-
MD5
9f443d030066321fee6205cd755323fc
-
SHA1
d52a7a3d5bfd49b06625fe8f02b68db8bfebdb06
-
SHA256
6b5558005465c5900a4596fd6456754330dc99f12ffb70cb43350549fe8d3d13
-
SHA512
d9e9439bc93e4c56c301445192d82d073c9a75d88ba6771d8c982a35f1b6708e7ee06bfeb4b4dfe92ed2c9763864bb305cc6d22ad82a59828c102f50c4839857
Malware Config
Signatures
-
Executes dropped EXE 21 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 15 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Kanium.exe"C:\Users\Admin\AppData\Local\Temp\Kanium.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\anoying.exe"C:\Users\Admin\Desktop\anoying.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3aca855 /state1:0x41c64e6d1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
C:\Users\Admin\Desktop\anoying.exeMD5
50a6e76512fd1355447b06da0de21ec3
SHA1285d006674164238a82e1cc5d57e98842843cac3
SHA25673dd7697aa3a05bab170815c14029ba7f38a78a026d5e1b9262f3eca351d1059
SHA5129463f1af2d3179b62517ca15599ff8e8ca78933577fd9199328615fdafc1caca4a7cc665d249c5aae9c0b3c74ef299a9720ad0a02b8c068e2bcd89ab69b5b295
-
memory/440-189-0x0000000000000000-mapping.dmp
-
memory/440-194-0x0000000002E10000-0x0000000002E12000-memory.dmpFilesize
8KB
-
memory/608-151-0x0000000001184000-0x0000000001185000-memory.dmpFilesize
4KB
-
memory/608-135-0x0000000001180000-0x0000000001182000-memory.dmpFilesize
8KB
-
memory/608-121-0x0000000000000000-mapping.dmp
-
memory/688-124-0x0000000000000000-mapping.dmp
-
memory/688-157-0x00000000029B4000-0x00000000029B5000-memory.dmpFilesize
4KB
-
memory/688-137-0x00000000029B0000-0x00000000029B2000-memory.dmpFilesize
8KB
-
memory/1032-167-0x0000000002160000-0x0000000002162000-memory.dmpFilesize
8KB
-
memory/1032-162-0x0000000002164000-0x0000000002165000-memory.dmpFilesize
4KB
-
memory/1032-132-0x0000000000000000-mapping.dmp
-
memory/1164-152-0x0000000002390000-0x0000000002392000-memory.dmpFilesize
8KB
-
memory/1164-166-0x0000000002394000-0x0000000002395000-memory.dmpFilesize
4KB
-
memory/1164-129-0x0000000000000000-mapping.dmp
-
memory/1508-160-0x0000000000000000-mapping.dmp
-
memory/1508-196-0x0000000002514000-0x0000000002515000-memory.dmpFilesize
4KB
-
memory/1508-164-0x0000000002510000-0x0000000002512000-memory.dmpFilesize
8KB
-
memory/1876-156-0x0000000001404000-0x0000000001405000-memory.dmpFilesize
4KB
-
memory/1876-143-0x0000000001400000-0x0000000001402000-memory.dmpFilesize
8KB
-
memory/1876-126-0x0000000000000000-mapping.dmp
-
memory/2000-146-0x0000000000000000-mapping.dmp
-
memory/2000-149-0x00000000017F0000-0x00000000017F2000-memory.dmpFilesize
8KB
-
memory/2000-177-0x00000000017F4000-0x00000000017F5000-memory.dmpFilesize
4KB
-
memory/2208-179-0x0000000001600000-0x0000000001602000-memory.dmpFilesize
8KB
-
memory/2208-175-0x0000000000000000-mapping.dmp
-
memory/2304-139-0x0000000000000000-mapping.dmp
-
memory/2304-176-0x0000000001144000-0x0000000001145000-memory.dmpFilesize
4KB
-
memory/2304-145-0x0000000001140000-0x0000000001142000-memory.dmpFilesize
8KB
-
memory/2320-171-0x0000000000BD4000-0x0000000000BD5000-memory.dmpFilesize
4KB
-
memory/2320-140-0x0000000000BD0000-0x0000000000BD2000-memory.dmpFilesize
8KB
-
memory/2320-133-0x0000000000000000-mapping.dmp
-
memory/2384-120-0x0000000002DB5000-0x0000000002DB7000-memory.dmpFilesize
8KB
-
memory/2384-119-0x0000000002DB4000-0x0000000002DB5000-memory.dmpFilesize
4KB
-
memory/2384-118-0x0000000002DB0000-0x0000000002DB2000-memory.dmpFilesize
8KB
-
memory/2432-169-0x0000000002330000-0x0000000002332000-memory.dmpFilesize
8KB
-
memory/2432-165-0x0000000000000000-mapping.dmp
-
memory/2432-193-0x0000000002334000-0x0000000002335000-memory.dmpFilesize
4KB
-
memory/2536-154-0x0000000002120000-0x0000000002122000-memory.dmpFilesize
8KB
-
memory/2536-150-0x0000000000000000-mapping.dmp
-
memory/2536-185-0x0000000002124000-0x0000000002125000-memory.dmpFilesize
4KB
-
memory/2624-182-0x0000000000000000-mapping.dmp
-
memory/2624-191-0x0000000002CB0000-0x0000000002CB2000-memory.dmpFilesize
8KB
-
memory/3480-184-0x0000000000000000-mapping.dmp
-
memory/3480-190-0x00000000009E0000-0x00000000009E2000-memory.dmpFilesize
8KB
-
memory/3500-159-0x0000000001280000-0x0000000001282000-memory.dmpFilesize
8KB
-
memory/3500-155-0x0000000000000000-mapping.dmp
-
memory/3500-188-0x0000000001284000-0x0000000001285000-memory.dmpFilesize
4KB
-
memory/3632-195-0x0000000000000000-mapping.dmp
-
memory/3776-180-0x0000000000000000-mapping.dmp
-
memory/3776-186-0x0000000000F40000-0x0000000000F42000-memory.dmpFilesize
8KB
-
memory/3912-128-0x0000000000000000-mapping.dmp
-
memory/3912-161-0x0000000000E14000-0x0000000000E15000-memory.dmpFilesize
4KB
-
memory/3912-147-0x0000000000E10000-0x0000000000E12000-memory.dmpFilesize
8KB
-
memory/3940-142-0x0000000001430000-0x0000000001432000-memory.dmpFilesize
8KB
-
memory/3940-172-0x0000000001434000-0x0000000001435000-memory.dmpFilesize
4KB
-
memory/3940-138-0x0000000000000000-mapping.dmp
-
memory/4060-170-0x0000000000000000-mapping.dmp
-
memory/4060-174-0x0000000000FF0000-0x0000000000FF2000-memory.dmpFilesize
8KB