Analysis
- Max time kernel: 151s
- Max time network: 153s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 10-07-2022 13:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: kura.exe
- Resource: win7-20220414-en
General
- Target: kura.exe
- Size: 5.4MB
- MD5: 267b0895407346eedf5a755a2fcea505
- SHA1: 06acec975dfec0fa6447c429b1a3d8e5c6748ea2
- SHA256: 69e5ba03fcf8c3400542066d8acb6c5738e31bb7057db124757accee742c9836
- SHA512: 1c0ae6b81ffa3baba7bb25d6291177a1e235c40f7970e399f23e9f8361c28eaa6af4398e9f572ea1094e1cfe16ab659e198035e8478d2df6741be776c6f25a0b
Malware Config
Signatures
- Detect Blackmoon payload (5 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe | family_blackmoon
    C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe | family_blackmoon
    \??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp | family_blackmoon
    C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp | family_blackmoon
    C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp | family_blackmoon
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | kura.exe
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    2748 | ._cache_kura.exe
    3412 | Synaptics.exe
    3192 | kura.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote\Parameters\ServiceDll = "C:\\ProgramData\\Microsoft\\Windows\\GameExplorer\\Remote.hlp" | ._cache_kura.exe
- [signature title missing from page] (yara rule: upx)
  Processes (resource | yara_rule):
    behavioral2/memory/3356-149-0x0000000001650000-0x000000000165B000-memory.dmp | upx
    behavioral2/memory/3356-152-0x0000000001650000-0x000000000165B000-memory.dmp | upx
    behavioral2/memory/1768-154-0x0000000000640000-0x000000000064B000-memory.dmp | upx
    behavioral2/memory/1768-155-0x0000000000640000-0x000000000064B000-memory.dmp | upx
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | kura.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | kura.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | kura.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | ._cache_kura.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    3356 | svchost.exe
    1768 | rundll32.exe
- [signature title missing from page] (yara rule: themida)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Roaming\kura.exe | themida
    C:\Users\Admin\AppData\Roaming\kura.exe | themida
    behavioral2/memory/3192-142-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp | themida
    behavioral2/memory/3192-144-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp | themida
    behavioral2/memory/3192-145-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp | themida
    behavioral2/memory/3192-156-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp | themida
    behavioral2/memory/3192-158-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp | themida
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | kura.exe
- Checks whether UAC is enabled (1 IoC)
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kura.exe
- Drops file in System32 directory (1 IoC)
  Processes (description | ioc | process):
    File created | C:\Windows\SysWOW64\Delete00.bat | ._cache_kura.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid | process):
    3192 | kura.exe
- Launches sc.exe (1 IoC)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
    2356 | sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | kura.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process, with repeat counts):
    2748 | ._cache_kura.exe (2 entries)
    3356 | svchost.exe (60 entries)
    1768 | rundll32.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2748 | ._cache_kura.exe
    Token: SeDebugPrivilege | 3356 | svchost.exe
    Token: SeDebugPrivilege | 1768 | rundll32.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes (description | pid | process | target process, with repeat counts):
    PID 2596 wrote to memory of 2748 | 2596 | kura.exe | ._cache_kura.exe (3 entries)
    PID 2596 wrote to memory of 3412 | 2596 | kura.exe | Synaptics.exe (3 entries)
    PID 2748 wrote to memory of 3192 | 2748 | ._cache_kura.exe | kura.exe (2 entries)
    PID 2748 wrote to memory of 2356 | 2748 | ._cache_kura.exe | sc.exe (3 entries)
    PID 2748 wrote to memory of 1624 | 2748 | ._cache_kura.exe | cmd.exe (3 entries)
    PID 1624 wrote to memory of 2624 | 1624 | cmd.exe | PING.EXE (3 entries)
    PID 3356 wrote to memory of 788 | 3356 | svchost.exe | rundll32.exe (3 entries)
    PID 3356 wrote to memory of 1768 | 3356 | svchost.exe | rundll32.exe (3 entries)
    PID 3192 wrote to memory of 2012 | 3192 | kura.exe | cmd.exe (2 entries)
Processes (indented by depth in the process tree; child processes sit under their parent)
- C:\Users\Admin\AppData\Local\Temp\kura.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\kura.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe"
    - Executes dropped EXE
    - Sets DLL path for service in the registry
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\kura.exe
      Command line: "C:\Users\Admin\AppData\Roaming\kura.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c cls
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc failure Remote reset= 86400 actions= restart/1000
      - Launches sc.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\\Delete00.bat
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
  - C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Executes dropped EXE
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32 C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp,init default |3356
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32 C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp,init default |3356
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp
  Filesize: 928KB
  MD5: 131bf7836fa24a3e155ecc1e0434caab
  SHA1: ae1793905e4f21f395a9f785cef101de4b12d454
  SHA256: 41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7
  SHA512: b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035
- C:\ProgramData\Synaptics\Synaptics.exe
  Filesize: 754KB
  MD5: f9eb220b1ce902c3c8a7d13192132801
  SHA1: f40ae4e3ceb6b424300831b09344b28d56f8725f
  SHA256: 5829f18735327892cf44de73b69917a452df54d396015f15fc2d8ac23e42f676
  SHA512: e6ac2102e5df01933c40a9b7c071e504ae578c95e432ab7a42f0ce017b9368e37c1db558be4639f51f4551b0f1ad08e00d342ca536757b08d2d6681fbf4632b6
- C:\Users\Admin\AppData\Local\Temp\._cache_kura.exe
  Filesize: 4.6MB
  MD5: 1ab275b9d8f04e2475adf271aed2d083
  SHA1: 8138da003a24d92bad64fc631f1b5b12068f8c3a
  SHA256: 513c825c66ad8d21ed1a9cf4bf79ba356219b534b4ac0b4f411ccff31343ec51
  SHA512: 49089c2dfc0af39f7fe5b23178146f1dec38b9c3ef36914485b159d03e737c8b4f6b67401205bd2bb931d9bf37f5987e76bf118dc15d2c956d6e2e9397382d74
- C:\Users\Admin\AppData\Roaming\kura.exe
  Filesize: 3.3MB
  MD5: 208a92b2100ef3dc268b709e7a9aa3e2
  SHA1: 2825a5777445dd584289fe35e41c836f8743dbcb
  SHA256: 5e8394b44ba1373b36214d09b16a43ada6d001e55509de72c1f85928481422b0
  SHA512: fa64f5ab44d63ee3963dfbc4c49f089fb9395c55a4847096c7791935876bfdb91af6653dc27db6a012cfba02ef97b7e5ac278a5145f1ad3b80fa735f1d86699a
- C:\Windows\SysWOW64\Delete00.bat
  Filesize: 113B
  MD5: 0451282afa533054b497d0b6c4a93f5b
  SHA1: b57a3c4e6655ca44d884860af0cf05386b1a72ef
  SHA256: 4825b3349123c01edc3e6b278f7360a845264fd192fb1613a55cb8f8881c8731
  SHA512: d4e02414bc05b17399b7c8bf8eb5ab620dbe5a8c4f6a407517bec72b0523b97d70ab665a555d845b2c1eb92eb11e3dc7fbcb092009065770dc90cb0f8e3f9379
- \??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp
  Filesize: 928KB
  MD5: 131bf7836fa24a3e155ecc1e0434caab
  SHA1: ae1793905e4f21f395a9f785cef101de4b12d454
  SHA256: 41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7
  SHA512: b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035
- memory/788-150-0x0000000000000000-mapping.dmp
- memory/1624-141-0x0000000000000000-mapping.dmp
- memory/1768-154-0x0000000000640000-0x000000000064B000-memory.dmp
  Filesize: 44KB
- memory/1768-155-0x0000000000640000-0x000000000064B000-memory.dmp
  Filesize: 44KB
- memory/1768-151-0x0000000000000000-mapping.dmp
- memory/2012-157-0x0000000000000000-mapping.dmp
- memory/2356-138-0x0000000000000000-mapping.dmp
- memory/2624-148-0x0000000000000000-mapping.dmp
- memory/2748-130-0x0000000000000000-mapping.dmp
- memory/3192-142-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp
  Filesize: 9.0MB
- memory/3192-144-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp
  Filesize: 9.0MB
- memory/3192-143-0x00007FF809FD0000-0x00007FF80A1C5000-memory.dmp
  Filesize: 2.0MB
- memory/3192-145-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp
  Filesize: 9.0MB
- memory/3192-136-0x0000000000000000-mapping.dmp
- memory/3192-156-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp
  Filesize: 9.0MB
- memory/3192-158-0x00007FF745EA0000-0x00007FF7467A4000-memory.dmp
  Filesize: 9.0MB
- memory/3192-159-0x00007FF809FD0000-0x00007FF80A1C5000-memory.dmp
  Filesize: 2.0MB
- memory/3356-152-0x0000000001650000-0x000000000165B000-memory.dmp
  Filesize: 44KB
- memory/3356-149-0x0000000001650000-0x000000000165B000-memory.dmp
  Filesize: 44KB
- memory/3412-133-0x0000000000000000-mapping.dmp