Resubmissions
03-01-2022 15:51
220103-tagh5sbdh2 10Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
03-01-2022 15:51
Static task
static1
Behavioral task
behavioral1
Sample
kr.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
General
-
Target
kr.exe
-
Size
786KB
-
MD5
899dc9cc6e7516536bf5e816e8cecf55
-
SHA1
6c07fc00ed2202798194749aa8037bb0ad38bb00
-
SHA256
5f84ad4413ad6dcdea0cb3aa206cc4df29e1bad9d9598912c323c931d568ac90
-
SHA512
445016f0e37ee3ecec319b73713d083711608c044f855e16268f89c88d460e95d85b79d375534ac6b7a4a0e869c49470d49b7e325ff0507c550107d593ae688c
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 112 GetX64BTIT.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ultrasearch.lnk kr.exe -
Loads dropped DLL 1 IoCs
pid Process 1672 kr.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.ipify.org 4 api.ipify.org -
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe 1672 kr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1672 kr.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1672 wrote to memory of 112 1672 kr.exe 27 PID 1672 wrote to memory of 112 1672 kr.exe 27 PID 1672 wrote to memory of 112 1672 kr.exe 27 PID 1672 wrote to memory of 112 1672 kr.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\kr.exe"C:\Users\Admin\AppData\Local\Temp\kr.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"2⤵
- Executes dropped EXE
PID:112
-