Analysis

Max time kernel: 160s
Max time network: 164s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 25-06-2022 05:42

Static task: static1
Behavioral task: behavioral1
Sample: df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe
Resource: win7-20220414-en

Note on task numbering: the run details above (windows10-2004_x64, win10v2004-20220414-en) and the memory-dump IoCs under Signatures (labelled behavioral2) belong to the Windows 10 run. behavioral1, which ran the same sample against the win7-20220414-en image, is listed here but its findings are not reproduced on this page.
General

Target: df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe
Size: 246KB
MD5: d1f2ab77ca6038dfb5d09fcf67ab1b12
SHA1: 982d9cdb8320861c533986eb6d2c3ac789f4d676
SHA256: df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4
SHA512: 69487443c457e8bb9f2ba8707c418b3f2a210d25014991d5a22e40a9b61824bc9f8395e1427d38843876f47236cb4dc74efc1494d25ecaad6e570ce6059ab166
Malware Config
Signatures
-
KPOT Core Executable (2 IoCs)
The family_kpot YARA rule matched two memory regions dumped from the sample process (PID 5048) in the behavioral2 (Windows 10) task:
  behavioral2/memory/5048-130-0x0000000000A20000-0x0000000000A3B000-memory.dmp   family_kpot
  behavioral2/memory/5048-132-0x0000000002320000-0x000000000240C000-memory.dmp   family_kpot
Only memory dumps are listed as matching; no match on the on-disk file is reported. That pattern is the usual sign of a packed sample whose KPOT payload only becomes visible after it has unpacked itself in memory, so when hunting for this family scan process memory (or sandbox dumps), not just files on disk.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
The Geo\Nation value holds the numeric Windows GeoID of the user's Region setting (the S-1-5-21-... prefix is the sandbox user's hive, i.e. HKCU). It reflects the Region control-panel setting, not the system locale or keyboard layout, so a geofence keyed on it is defeated or triggered by changing that one setting. On its own a read of this value is a weak indicator, since many legitimate applications query it; it becomes interesting in combination with the network and self-deletion behaviour below.
Unexpected DNS network traffic destination (2 IoCs)
Network traffic on the DNS port to a server other than the configured DNS servers was detected.
  Destination IP: 138.197.140.189
  Destination IP: 138.197.140.189
The page does not show the payload of these two flows, so it does not confirm what was carried over port 53; treat the IP as an indicator of traffic to a non-approved resolver rather than as a confirmed C2 address. Restricting port 53 egress at the firewall to the organisation's own resolvers both blocks this behaviour and makes it trivial to alert on.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  HTTP URL (flow 18): https://api.opennicproject.org/geoip/?bare
  HTTP URL (flow 38): https://api.opennicproject.org/geoip/?bare
Because the service is legitimate, the URL is not a usable block-list entry by itself. The useful detection is the context: an unsigned 32-bit executable running from %TEMP% that reads the Geo\Nation value and then contacts a geolocation API. As the request is HTTPS, a proxy or NetFlow sensor will see only the host name (via SNI) and the destination, not the path.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but that wording is generic to the signature: given the family_kpot match above, enumerating volumes is equally consistent with a stealer taking an inventory of drives to harvest from. No per-drive IoC is listed for this signature.
-
Runs ping.exe (1 TTP, 1 IoC)
The IoC is the PING.EXE process (PID 3624) shown in the process tree below, launched by cmd.exe with the command line ping 127.0.0.1 as the delay step of the sample's self-deletion.
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe, cmd.exe
  PID 5048 (df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe) wrote to memory of PID 2928 (cmd.exe)   (3 entries)
  PID 2928 (cmd.exe) wrote to memory of PID 3624 (PING.EXE)   (3 entries)
Both target processes are children that the writing process had just created, so these writes are consistent with ordinary child-process setup during CreateProcess rather than with injection into an existing process. Nothing on this page shows the sample writing into a process it did not spawn; the in-memory KPOT match above is in the sample's own address space.
Processes

1. C:\Users\Admin\AppData\Local\Temp\df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe

Two details of this tree are worth noting. First, the command line names C:\Windows\system32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process, so WOW64 file-system redirection maps System32 to SysWOW64 for it and for the children it spawns. Second, the chain is the classic self-deletion idiom: ping 127.0.0.1 with no -n switch sends four echo requests about a second apart, roughly three seconds, long enough for the parent to exit and release its file handle, and the && ensures del runs only after the ping completes. The result is that post-infection triage finds the process (and the memory dumps above) but no file in %TEMP%, so the hashes in the General section should be pulled from the sandbox rather than expected on an infected host.
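The ping-then-del chain in the tree above is a cheap, high-signal detection target in process-creation telemetry: cmd.exe stalls with ping or timeout and then deletes the image of the process that launched it. The following is an added example, not part of the sandbox report or of any vendor tooling. It parses the cmd.exe payload (splitting on unquoted & and &&, unwrapping quoted paths) and flags a delete whose target equals the parent image. The events are constructed to mirror the sandbox tree; the explorer.exe parent PID, the two benign look-alike rows, and the ProcEvent field names (modelled on Sysmon Event ID 1) are assumptions.

```python
"""Detect "ping-then-del" self-deletion from process-creation telemetry.

Added example (not from the sandbox report): the events below are constructed
to mirror the process tree above. Field names follow Sysmon Event ID 1
(Image, CommandLine, ParentImage); the ProcEvent loader is an assumption,
adapt it to whatever your pipeline emits.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process image
    command_line: str
    parent_pid: int
    parent_image: str   # full path of the creating process


# The payload handed to "cmd.exe /c ..." (or /k), case-insensitive.
_CMD_PAYLOAD = re.compile(r"(?i)(?:^|\s)/[ck]\s+(.*)$")
# A double-quoted token or a bare whitespace-delimited token.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Commands that only exist to stall until the parent has exited.
_DELAY_VERBS = {"ping", "ping.exe", "timeout", "timeout.exe"}
_DELETE_VERBS = {"del", "erase"}


def split_commands(payload: str) -> List[str]:
    """Split a cmd.exe payload on '&' and '&&' that sit outside double quotes."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(payload):
        ch = payload[i]
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == "&" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
            if payload[i + 1:i + 2] == "&":   # treat '&&' as one separator
                i += 1
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def tokens(command: str) -> List[str]:
    """Tokenise one command, unwrapping double-quoted arguments."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(command)]


def self_delete_target(ev: ProcEvent) -> Optional[str]:
    """Return the deleted path when `ev` is cmd.exe stalling with ping/timeout
    and then deleting its own parent's image; otherwise None."""
    if ntpath.basename(ev.image).lower() != "cmd.exe":
        return None
    m = _CMD_PAYLOAD.search(ev.command_line)
    if not m:
        return None
    saw_delay = False
    for command in split_commands(m.group(1)):
        toks = tokens(command)
        if not toks:
            continue
        verb = ntpath.basename(toks[0]).lower()
        if verb in _DELAY_VERBS:
            saw_delay = True
        elif verb in _DELETE_VERBS and saw_delay:
            for arg in toks[1:]:
                if arg.startswith("/"):          # switches such as /q /f
                    continue
                if arg.lower() == ev.parent_image.lower():
                    return arg
    return None


def find_self_deleting(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """(cmd pid, parent pid, deleted path) for every self-deletion found."""
    hits = []
    for ev in events:
        target = self_delete_target(ev)
        if target is not None:
            hits.append((ev.pid, ev.parent_pid, target))
    return hits


# Constructed sample telemetry: rows 1-3 mirror the sandbox process tree,
# rows 4-5 are benign look-alikes that must not fire.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe")
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    ProcEvent(5048, SAMPLE, '"' + SAMPLE + '"', 3120, r"C:\Windows\explorer.exe"),
    ProcEvent(2928, CMD32,
              '"C:\\Windows\\system32\\cmd.exe" /c ping 127.0.0.1 && del "' + SAMPLE + '"',
              5048, SAMPLE),
    ProcEvent(3624, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1", 2928, CMD32),
    # admin script: delay then delete a log file, not its parent
    ProcEvent(4100, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping -n 3 127.0.0.1 && del "C:\Temp\old.log"',
              4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # build tool cleaning up: delete with no delay
    ProcEvent(4200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del /q "C:\Temp\build\*.obj"',
              4150, r"C:\Program Files\Build\make.exe"),
]

if __name__ == "__main__":
    for pid, ppid, path in find_self_deleting(EVENTS):
        print(f"self-deletion: cmd.exe pid {pid} deletes image of parent pid {ppid}: {path}")
```

Matching the delete target against the parent image, rather than alerting on every ping && del, is what keeps this quiet on the admin-script and build-cleanup rows while still firing on the sample; comparing full paths case-insensitively is necessary because the image path in telemetry and the path quoted on the command line often differ only in case.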