Resubmissions
03-01-2022 15:51  220103-tagh5sbdh2  10

Analysis
max time kernel: 152s
max time network: 145s
platform: windows10_x64
resource: win10-en-20211208
submitted: 03-01-2022 15:51

Static task: static1
Behavioral task: behavioral1
Sample: kr.exe
Resource: win7-en-20211208
windows7_x64
0 signatures
0 seconds
General
Target: kr.exe
Size: 786KB
MD5: 899dc9cc6e7516536bf5e816e8cecf55
SHA1: 6c07fc00ed2202798194749aa8037bb0ad38bb00
SHA256: 5f84ad4413ad6dcdea0cb3aa206cc4df29e1bad9d9598912c323c931d568ac90
SHA512: 445016f0e37ee3ecec319b73713d083711608c044f855e16268f89c88d460e95d85b79d375534ac6b7a4a0e869c49470d49b7e325ff0507c550107d593ae688c
Malware Config

Signatures

Executes dropped EXE (1 IoC)
  pid 1476  Process GetX64BTIT.exe

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ultrasearch.lnk  Process kr.exe

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 23  api.ipify.org
  flow 24  api.ipify.org

Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3116  Process kr.exe  (same pid/process entry repeated for all 64 IoCs)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3116  Process kr.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  PID 3116 (kr.exe) wrote to memory of PID 1476  procid_target 69
  PID 3116 (kr.exe) wrote to memory of PID 1476  procid_target 69
Processes

C:\Users\Admin\AppData\Local\Temp\kr.exe  "C:\Users\Admin\AppData\Local\Temp\kr.exe"  PID: 3116
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"  PID: 1476
    - Executes dropped EXE