Analysis

max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-08-2022 03:21

Static task: static1
Behavioral task: behavioral1
Sample: 5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe
Resource: win7-20220718-en (windows7-x64)
4 signatures
150 seconds
General

Target: 5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe
Size: 548KB
MD5: 740c32cefac30c905f5fea06b473d412
SHA1: 2a03f94397e8d063f9bfd45c56516242c72c71dd
SHA256: 5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64
SHA512: 3467cfa7bdb29c9dd74e64b659fbd384e2ad4df918b465153e77bb0420150b70199b8b99cb95e8484021301c3cbb82a539f1d778bc6c1252a14eb4297cebab6e
Malware Config

Signatures

KPOT Core Executable (1 IoC)
Processes:
  resource: behavioral2/memory/2072-131-0x0000000000400000-0x000000000048E000-memory.dmp
  yara_rule: family_kpot

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation
  process: 5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe
  pid 2072  process 5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe
  pid 2072  process 5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: 5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe
  pid 2072  process 5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe, cmd.exe
  description                        pid   process                                                                   target process
  PID 2072 wrote to memory of 3584   2072  5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe  cmd.exe
  PID 2072 wrote to memory of 3584   2072  5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe  cmd.exe
  PID 2072 wrote to memory of 3584   2072  5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe  cmd.exe
  PID 3584 wrote to memory of 3300   3584  cmd.exe                                                                   PING.EXE
  PID 3584 wrote to memory of 3300   3584  cmd.exe                                                                   PING.EXE
  PID 3584 wrote to memory of 3300   3584  cmd.exe                                                                   PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of 1)
      Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\5a8089cb7519c8667b31517b57432905472c262bd9277b05593e55a2b6517e64.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE (child of 2)
         Command line: ping 127.0.0.1
         - Runs ping.exe