0960a80504822f3dbe14c40212d0ba110a706b142f5df5ebda59f1fc7d15e37f

General

Target

0960a80504822f3dbe14c40212d0ba110a706b142f5df5ebda59f1fc7d15e37f.exe
Size

1016KB
MD5

68ce5054142aadc3b4e12e529787f696
SHA1

2693f2c604931731594e3f2916c1743d392d7794
SHA256

0960a80504822f3dbe14c40212d0ba110a706b142f5df5ebda59f1fc7d15e37f
SHA512

333b30c48619b701c6511efe11a7dcc070be2c0bd51ae935b0c8099a9e12961da94f00eefd711fe770ae89a126997cb44ed78fe7ed58c128226718c74f1be0c8
SSDEEP

24576:XrlJ2fYs2x1YrDgwBbqpxpnmB0R5jqQxdimSU3jKSNVM2O1:blJ2fMY/2px5maRVq2jzDF

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4628	kira.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e5f-136.dat	upx
behavioral2/files/0x0006000000022e5f-137.dat	upx
behavioral2/memory/4628-138-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral2/memory/4628-139-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral2/memory/4628-141-0x0000000000400000-0x00000000004AA000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4628-141-0x0000000000400000-0x00000000004AA000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
3404	taskkill.exe
728	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	728	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4628	kira.exe
4628	kira.exe
4628	kira.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4628	kira.exe
4628	kira.exe
4628	kira.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2352	1728	0960a80504822f3dbe14c40212d0ba110a706b142f5df5ebda59f1fc7d15e37f.exe	81
PID 1728 wrote to memory of 2352	1728	0960a80504822f3dbe14c40212d0ba110a706b142f5df5ebda59f1fc7d15e37f.exe	81
PID 1728 wrote to memory of 2352	1728	0960a80504822f3dbe14c40212d0ba110a706b142f5df5ebda59f1fc7d15e37f.exe	81
PID 2352 wrote to memory of 3404	2352	cmd.exe	83
PID 2352 wrote to memory of 3404	2352	cmd.exe	83
PID 2352 wrote to memory of 3404	2352	cmd.exe	83
PID 2352 wrote to memory of 4628	2352	cmd.exe	84
PID 2352 wrote to memory of 4628	2352	cmd.exe	84
PID 2352 wrote to memory of 4628	2352	cmd.exe	84
PID 4628 wrote to memory of 2208	4628	kira.exe	86
PID 4628 wrote to memory of 2208	4628	kira.exe	86
PID 4628 wrote to memory of 2208	4628	kira.exe	86
PID 2208 wrote to memory of 728	2208	cmd.exe	88
PID 2208 wrote to memory of 728	2208	cmd.exe	88
PID 2208 wrote to memory of 728	2208	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\0960a80504822f3dbe14c40212d0ba110a706b142f5df5ebda59f1fc7d15e37f.exe
"C:\Users\Admin\AppData\Local\Temp\0960a80504822f3dbe14c40212d0ba110a706b142f5df5ebda59f1fc7d15e37f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~86F7.bat "C:\Users\Admin\AppData\Local\Temp\0960a80504822f3dbe14c40212d0ba110a706b142f5df5ebda59f1fc7d15e37f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "0960a80504822f3dbe14c40212d0ba110a706b142f5df5ebda59f1fc7d15e37f.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3404
- - C:\Users\Admin\AppData\Local\kira.exe
    "C:\Users\Admin\AppData\Local\kira.exe" "0960a80504822f3dbe14c40212d0ba110a706b142f5df5ebda59f1fc7d15e37f.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im kira.exe & del /f /q "C:\Users\Admin\AppData\Local\kira.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im kira.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~86F7.bat

Filesize
9KB

MD5
e7579263feb4923cfd088211ccd76c93

SHA1
5a40d68d8aa76f101486adf763b212e13ff596b4

SHA256
106189dab753bc90e28272bbd2eabe58d593eeefe6c55074d1e569297f2b2b5a

SHA512
c3f6b0518668063d189c9af4e35c7bc67306ba53bc5318a51916e3f2e26f19c74c69b07200a2b7c14c211a874bf9ce30acae4f4eb1e3b59ac7b804c0d3fb8c24

Download Submit
C:\Users\Admin\AppData\Local\kira.exe

Filesize
260KB

MD5
9f1f7abe751b46e7e61d41b8186e5399

SHA1
0d02745cd4cc4b3b409ad6cba0ee71786197ea6c

SHA256
cdcc44d4f519ee9cb4e2a993dc73cfedda88b8c61caf6217908282571c6db0ce

SHA512
94db18ea6a393d48c1d94a88088b2e9a74ed64c337615f45a21e592dc65824f93ee031a323d9a502bea916ff302da04b0e170ed7ba3fbf09bdbe8fdc224319ef

Download Submit
C:\Users\Admin\AppData\Local\kira.exe

Filesize
260KB

MD5
9f1f7abe751b46e7e61d41b8186e5399

SHA1
0d02745cd4cc4b3b409ad6cba0ee71786197ea6c

SHA256
cdcc44d4f519ee9cb4e2a993dc73cfedda88b8c61caf6217908282571c6db0ce

SHA512
94db18ea6a393d48c1d94a88088b2e9a74ed64c337615f45a21e592dc65824f93ee031a323d9a502bea916ff302da04b0e170ed7ba3fbf09bdbe8fdc224319ef

Download Submit
memory/728-142-0x0000000000000000-mapping.dmp

Download
memory/2208-140-0x0000000000000000-mapping.dmp

Download
memory/2352-132-0x0000000000000000-mapping.dmp

Download
memory/3404-134-0x0000000000000000-mapping.dmp

Download
memory/4628-135-0x0000000000000000-mapping.dmp

Download
memory/4628-138-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4628-139-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4628-141-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing