Resubmissions
03-01-2022 15:51
220103-tagh5sbdh2 10Analysis
-
max time kernel
152s -
max time network
145s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
03-01-2022 15:51
Static task
static1
Behavioral task
behavioral1
Sample
kr.exe
Resource
win7-en-20211208
General
-
Target
kr.exe
-
Size
786KB
-
MD5
899dc9cc6e7516536bf5e816e8cecf55
-
SHA1
6c07fc00ed2202798194749aa8037bb0ad38bb00
-
SHA256
5f84ad4413ad6dcdea0cb3aa206cc4df29e1bad9d9598912c323c931d568ac90
-
SHA512
445016f0e37ee3ecec319b73713d083711608c044f855e16268f89c88d460e95d85b79d375534ac6b7a4a0e869c49470d49b7e325ff0507c550107d593ae688c
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
GetX64BTIT.exepid process 1476 GetX64BTIT.exe -
Drops startup file 1 IoCs
Processes:
kr.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ultrasearch.lnk kr.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 23 api.ipify.org 24 api.ipify.org -
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
kr.exepid process 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe 3116 kr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
kr.exepid process 3116 kr.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
kr.exedescription pid process target process PID 3116 wrote to memory of 1476 3116 kr.exe GetX64BTIT.exe PID 3116 wrote to memory of 1476 3116 kr.exe GetX64BTIT.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\kr.exe"C:\Users\Admin\AppData\Local\Temp\kr.exe"1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exeMD5
b4cd27f2b37665f51eb9fe685ec1d373
SHA17f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA25691f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
-
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exeMD5
b4cd27f2b37665f51eb9fe685ec1d373
SHA17f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA25691f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
-
C:\Users\Admin\AppData\Local\Temp\x64btit.txtMD5
fa1b6f3c3c15af0d9d955a6499c16066
SHA10814709ac8ed192ca1de6c4047791310c732002d
SHA25699f7dbecfd817b9213ff87337630c22ea3b8f0bd8b5cd573d565f60e88423e14
SHA51214a6a8726133747c6b42b5c89117da963c8827c836b17214413679de34cff050e3cbc1c314114ce9182756aadf684b37b32754d334c2ec2cc7fd5edb8eaf5c25
-
memory/1476-118-0x0000000000000000-mapping.dmp
-
memory/3116-115-0x00000000008B0000-0x000000000097A000-memory.dmpFilesize
808KB
-
memory/3116-116-0x00000000034A0000-0x00000000034E1000-memory.dmpFilesize
260KB
-
memory/3116-117-0x0000000000400000-0x00000000004A9000-memory.dmpFilesize
676KB