Analysis
- max time kernel: 39s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-06-2022 03:14

Static task: static1
Behavioral task: behavioral1
Sample: 8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe
Resource: win7-20220414-en
General
- Target: 8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe
- Size: 2.0MB
- MD5: 12b7b9665e3a32bda9155e0f486359cd
- SHA1: 5acf1375160eacfd2a77db61f1a31705a8ba035c
- SHA256: 8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f
- SHA512: 6ec801927336c96e0df56ab39e5834bb0c657a9798502c2b66e667587846c80b717925f716e760dc54ded0e4ee70da1cdf87c4daf145a40102c08dd1ec4d2e65
Malware Config
Signatures
- KPOT Core Executable (7 IoCs)
  Processes (resource, yara_rule):
  - behavioral1/memory/288-55-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: family_kpot)
  - behavioral1/memory/288-56-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: family_kpot)
  - behavioral1/memory/288-57-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: family_kpot)
  - behavioral1/memory/288-59-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: family_kpot)
  - behavioral1/memory/288-58-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: family_kpot)
  - behavioral1/memory/288-60-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: family_kpot)
  - behavioral1/memory/288-63-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: family_kpot)

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe)

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe)

- Deletes itself (1 IoCs)
  Processes (pid, process):
  - 1804 cmd.exe

- Processes (resource, yara_rule):
  - behavioral1/memory/288-55-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: themida)
  - behavioral1/memory/288-56-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: themida)
  - behavioral1/memory/288-57-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: themida)
  - behavioral1/memory/288-59-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: themida)
  - behavioral1/memory/288-58-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: themida)
  - behavioral1/memory/288-60-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: themida)
  - behavioral1/memory/288-63-0x00000000013E0000-0x0000000001CBB000-memory.dmp (yara rule: themida)

- Checks whether UAC is enabled
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe)

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes (pid, process):
  - 288 8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 288 wrote to memory of 1804 (process: 8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe, target: cmd.exe)
  - PID 288 wrote to memory of 1804 (process: 8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe, target: cmd.exe)
  - PID 288 wrote to memory of 1804 (process: 8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe, target: cmd.exe)
  - PID 288 wrote to memory of 1804 (process: 8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe, target: cmd.exe)
  - PID 1804 wrote to memory of 2020 (process: cmd.exe, target: PING.EXE)
  - PID 1804 wrote to memory of 2020 (process: cmd.exe, target: PING.EXE)
  - PID 1804 wrote to memory of 2020 (process: cmd.exe, target: PING.EXE)
  - PID 1804 wrote to memory of 2020 (process: cmd.exe, target: PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\8cec5674b6fde7977e8c65e5f8026b5c413851f1c0c00637c56ac111578e9a8f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/288-54-0x00000000755A1000-0x00000000755A3000-memory.dmp (Filesize: 8KB)
- memory/288-55-0x00000000013E0000-0x0000000001CBB000-memory.dmp (Filesize: 8.9MB)
- memory/288-56-0x00000000013E0000-0x0000000001CBB000-memory.dmp (Filesize: 8.9MB)
- memory/288-57-0x00000000013E0000-0x0000000001CBB000-memory.dmp (Filesize: 8.9MB)
- memory/288-59-0x00000000013E0000-0x0000000001CBB000-memory.dmp (Filesize: 8.9MB)
- memory/288-58-0x00000000013E0000-0x0000000001CBB000-memory.dmp (Filesize: 8.9MB)
- memory/288-60-0x00000000013E0000-0x0000000001CBB000-memory.dmp (Filesize: 8.9MB)
- memory/288-61-0x0000000077070000-0x00000000771F0000-memory.dmp (Filesize: 1.5MB)
- memory/288-63-0x00000000013E0000-0x0000000001CBB000-memory.dmp (Filesize: 8.9MB)
- memory/288-65-0x0000000077070000-0x00000000771F0000-memory.dmp (Filesize: 1.5MB)
- memory/1804-62-0x0000000000000000-mapping.dmp
- memory/2020-64-0x0000000000000000-mapping.dmp