7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47

General

Target

7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47.exe
Size

121KB
MD5

3387e5bedea31eb564908498796c68f8
SHA1

7d150fa2c4fbc3923246a3c899c1a15c285efcbb
SHA256

7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47
SHA512

e3b1d8f125dc3e1fd359e0ef060047964f01df91f1653d4624a6169db5f1293847fc83426a6d46aa89bf49d4d41b8d434fdaec91eff74bfe15197b62affc94cc
SSDEEP

3072:zEH+GiEs2SMylNOjyFbxJm5eR6TvE3Jrtto4yLFA2nF:zsehzRF0TvE3RtsSE

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1952	K3BOSInstall.exe

Loads dropped DLL 4 IoCs

pid	Process
1364	7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47.exe
1952	K3BOSInstall.exe
1952	K3BOSInstall.exe
1952	K3BOSInstall.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1952	K3BOSInstall.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1952	1364	7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47.exe	26
PID 1364 wrote to memory of 1952	1364	7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47.exe	26
PID 1364 wrote to memory of 1952	1364	7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47.exe	26
PID 1364 wrote to memory of 1952	1364	7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47.exe	26
PID 1364 wrote to memory of 1952	1364	7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47.exe	26
PID 1364 wrote to memory of 1952	1364	7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47.exe	26
PID 1364 wrote to memory of 1952	1364	7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47.exe	26

C:\Users\Admin\AppData\Local\Temp\7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47.exe
"C:\Users\Admin\AppData\Local\Temp\7c4594d34f33f5139386be168ce5269ea865ff781c857a2647070317f538ab47.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K3BOSInstall.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K3BOSInstall.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K3BOSInstall.exe

Filesize
160KB

MD5
a605d2713e19069a14455b9a15562765

SHA1
bc3a36912889313ca4970f3bd70ecc66daf525fa

SHA256
d7546d78cc7e4d8f8b9fb0347fed3c67e731a811ee9932c099a96b427b5adcb1

SHA512
e1ea3760e456605322747dd51c5b461e148b3950be42c51e64cd59e06879cccb66495edeae31df5deb93d171cec44dbdb859711e025afb26114b6dfbc60ae2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K3BOSInstall.exe

Filesize
160KB

MD5
a605d2713e19069a14455b9a15562765

SHA1
bc3a36912889313ca4970f3bd70ecc66daf525fa

SHA256
d7546d78cc7e4d8f8b9fb0347fed3c67e731a811ee9932c099a96b427b5adcb1

SHA512
e1ea3760e456605322747dd51c5b461e148b3950be42c51e64cd59e06879cccb66495edeae31df5deb93d171cec44dbdb859711e025afb26114b6dfbc60ae2e8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\K3BOSInstall.exe

Filesize
160KB

MD5
a605d2713e19069a14455b9a15562765

SHA1
bc3a36912889313ca4970f3bd70ecc66daf525fa

SHA256
d7546d78cc7e4d8f8b9fb0347fed3c67e731a811ee9932c099a96b427b5adcb1

SHA512
e1ea3760e456605322747dd51c5b461e148b3950be42c51e64cd59e06879cccb66495edeae31df5deb93d171cec44dbdb859711e025afb26114b6dfbc60ae2e8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\K3BOSInstall.exe

Filesize
160KB

MD5
a605d2713e19069a14455b9a15562765

SHA1
bc3a36912889313ca4970f3bd70ecc66daf525fa

SHA256
d7546d78cc7e4d8f8b9fb0347fed3c67e731a811ee9932c099a96b427b5adcb1

SHA512
e1ea3760e456605322747dd51c5b461e148b3950be42c51e64cd59e06879cccb66495edeae31df5deb93d171cec44dbdb859711e025afb26114b6dfbc60ae2e8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\K3BOSInstall.exe

Filesize
160KB

MD5
a605d2713e19069a14455b9a15562765

SHA1
bc3a36912889313ca4970f3bd70ecc66daf525fa

SHA256
d7546d78cc7e4d8f8b9fb0347fed3c67e731a811ee9932c099a96b427b5adcb1

SHA512
e1ea3760e456605322747dd51c5b461e148b3950be42c51e64cd59e06879cccb66495edeae31df5deb93d171cec44dbdb859711e025afb26114b6dfbc60ae2e8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\K3BOSInstall.exe

Filesize
160KB

MD5
a605d2713e19069a14455b9a15562765

SHA1
bc3a36912889313ca4970f3bd70ecc66daf525fa

SHA256
d7546d78cc7e4d8f8b9fb0347fed3c67e731a811ee9932c099a96b427b5adcb1

SHA512
e1ea3760e456605322747dd51c5b461e148b3950be42c51e64cd59e06879cccb66495edeae31df5deb93d171cec44dbdb859711e025afb26114b6dfbc60ae2e8

Download Submit
memory/1364-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing