Analysis
- max time kernel: 168s
- max time network: 188s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 03:08
- Static task: static1
- Behavioral task: behavioral1
- Sample: 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
- Resource: win7-20220414-en
General
- Target: 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
- Size: 2.6MB
- MD5: df8ab716bb924036201db252dcfe5d21
- SHA1: a511c8dd8c615fb485d58fb98746a18b95181412
- SHA256: 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f
- SHA512: 40b1b819135abe218f5a5759a6d3f57309f1a10de514eee554459f6c31e8d12550c1d9c1909cdcc727769b1cc2ba7cff683e8016aba618ec0258ba820d6f8a8e
Malware Config
Signatures
-
KPOT Core Executable 4 IoCs
Processes:
resource | yara_rule
- behavioral2/memory/5052-132-0x00000000008D0000-0x0000000000F67000-memory.dmp | family_kpot
- behavioral2/memory/5052-133-0x00000000008D0000-0x0000000000F67000-memory.dmp | family_kpot
- behavioral2/memory/5052-134-0x00000000008D0000-0x0000000000F67000-memory.dmp | family_kpot
- behavioral2/memory/5052-138-0x00000000008D0000-0x0000000000F67000-memory.dmp | family_kpot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
Processes:
resource | yara_rule
- behavioral2/memory/5052-130-0x00000000008D0000-0x0000000000F67000-memory.dmp | themida
- behavioral2/memory/5052-132-0x00000000008D0000-0x0000000000F67000-memory.dmp | themida
- behavioral2/memory/5052-133-0x00000000008D0000-0x0000000000F67000-memory.dmp | themida
- behavioral2/memory/5052-134-0x00000000008D0000-0x0000000000F67000-memory.dmp | themida
- behavioral2/memory/5052-138-0x00000000008D0000-0x0000000000F67000-memory.dmp | themida
Processes: 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
pid | process
- 5052 | 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe, cmd.exe
description | pid | process | target process
- PID 5052 wrote to memory of 4072 | 5052 | 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe | cmd.exe
- PID 5052 wrote to memory of 4072 | 5052 | 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe | cmd.exe
- PID 5052 wrote to memory of 4072 | 5052 | 77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe | cmd.exe
- PID 4072 wrote to memory of 3136 | 4072 | cmd.exe | PING.EXE
- PID 4072 wrote to memory of 3136 | 4072 | cmd.exe | PING.EXE
- PID 4072 wrote to memory of 3136 | 4072 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\77c3107fbeb08e09ebb0ef9da00e8a2f0ec51f40934df44ed24f965191c9011f.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3136-137-0x0000000000000000-mapping.dmp
- memory/4072-135-0x0000000000000000-mapping.dmp
- memory/5052-130-0x00000000008D0000-0x0000000000F67000-memory.dmp (Filesize 6.6MB)
- memory/5052-131-0x0000000077BD0000-0x0000000077D73000-memory.dmp (Filesize 1.6MB)
- memory/5052-132-0x00000000008D0000-0x0000000000F67000-memory.dmp (Filesize 6.6MB)
- memory/5052-133-0x00000000008D0000-0x0000000000F67000-memory.dmp (Filesize 6.6MB)
- memory/5052-134-0x00000000008D0000-0x0000000000F67000-memory.dmp (Filesize 6.6MB)
- memory/5052-136-0x0000000077BD0000-0x0000000077D73000-memory.dmp (Filesize 1.6MB)
- memory/5052-138-0x00000000008D0000-0x0000000000F67000-memory.dmp (Filesize 6.6MB)