Analysis
- max time kernel: 46s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 03:08

Static task: static1
Behavioral task: behavioral1
Sample: 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
Resource: win7-20220414-en
General
- Target: 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
- Size: 2.6MB
- MD5: df8ab716bb924036201db252dcfe5d21
- SHA1: a511c8dd8c615fb485d58fb98746a18b95181412
- SHA256: 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f
- SHA512: 40b1b819135abe218f5a5759a6d3f57309f1a10de514eee554459f6c31e8d12550c1d9c1909cdcc727769b1cc2ba7cff683e8016aba618ec0258ba820d6f8a8e
Malware Config

Signatures

KPOT Core Executable (4 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/1528-57-0x0000000000BF0000-0x0000000001287000-memory.dmp: family_kpot
- behavioral1/memory/1528-58-0x0000000000BF0000-0x0000000001287000-memory.dmp: family_kpot
- behavioral1/memory/1528-59-0x0000000000BF0000-0x0000000001287000-memory.dmp: family_kpot
- behavioral1/memory/1528-61-0x0000000000BF0000-0x0000000001287000-memory.dmp: family_kpot
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
Deletes itself (1 IoCs)
Processes (pid / process):
- 992 cmd.exe
YARA rule match: themida
Processes (resource / yara_rule):
- behavioral1/memory/1528-55-0x0000000000BF0000-0x0000000001287000-memory.dmp: themida
- behavioral1/memory/1528-56-0x0000000077910000-0x0000000077A90000-memory.dmp: themida
- behavioral1/memory/1528-57-0x0000000000BF0000-0x0000000001287000-memory.dmp: themida
- behavioral1/memory/1528-58-0x0000000000BF0000-0x0000000001287000-memory.dmp: themida
- behavioral1/memory/1528-59-0x0000000000BF0000-0x0000000001287000-memory.dmp: themida
- behavioral1/memory/1528-61-0x0000000000BF0000-0x0000000001287000-memory.dmp: themida
Checks whether UAC is enabled
Processes (description / ioc / process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes (pid / process):
- 1528 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
- PID 1528 wrote to memory of 992: 1528 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe -> cmd.exe
- PID 1528 wrote to memory of 992: 1528 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe -> cmd.exe
- PID 1528 wrote to memory of 992: 1528 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe -> cmd.exe
- PID 1528 wrote to memory of 992: 1528 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe -> cmd.exe
- PID 992 wrote to memory of 2012: 992 cmd.exe -> PING.EXE
- PID 992 wrote to memory of 2012: 992 cmd.exe -> PING.EXE
- PID 992 wrote to memory of 2012: 992 cmd.exe -> PING.EXE
- PID 992 wrote to memory of 2012: 992 cmd.exe -> PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
Network

MITRE ATT&CK Matrix: ATT&CK v6
Downloads
- memory/992-60-0x0000000000000000-mapping.dmp
- memory/1528-54-0x0000000075391000-0x0000000075393000-memory.dmp (Filesize: 8KB)
- memory/1528-55-0x0000000000BF0000-0x0000000001287000-memory.dmp (Filesize: 6.6MB)
- memory/1528-56-0x0000000077910000-0x0000000077A90000-memory.dmp (Filesize: 1.5MB)
- memory/1528-57-0x0000000000BF0000-0x0000000001287000-memory.dmp (Filesize: 6.6MB)
- memory/1528-58-0x0000000000BF0000-0x0000000001287000-memory.dmp (Filesize: 6.6MB)
- memory/1528-59-0x0000000000BF0000-0x0000000001287000-memory.dmp (Filesize: 6.6MB)
- memory/1528-61-0x0000000000BF0000-0x0000000001287000-memory.dmp (Filesize: 6.6MB)
- memory/1528-63-0x0000000077910000-0x0000000077A90000-memory.dmp (Filesize: 1.5MB)
- memory/2012-62-0x0000000000000000-mapping.dmp