Analysis

  • max time kernel
    172s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-10-2022 09:34

General

  • Target

    45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f.exe

  • Size

    248KB

  • MD5

    470262381248382f217751e76c75e090

  • SHA1

    90110587e09f603d8fbd1608d9129a2cbe5559f9

  • SHA256

    45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f

  • SHA512

    2cd9fc979790535680ce1aa77547d4f28d6798c761d0725dab129ef33c56ccb5c2a0101090e023e054c2bc2801a53c4d2cc1ab6a4fc8b192347f43a96aaf7886

  • SSDEEP

    6144:kD0qA6Y0d/RCH3erL/sLAsLPfc/UDgKJ1s4EWqZA7Q/DxoI3sDP4QtNINHKbhFJc:DqAh0d/RCHOrL/sLAsLP9+AKtF3sDwnG

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f.exe
    "C:\Users\Admin\AppData\Local\Temp\45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Users\Admin\kaaso.exe
      "C:\Users\Admin\kaaso.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2152

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\kaaso.exe

    Filesize

    248KB

    MD5

    8a1cb0d337816fb86cffde7ed44be0cb

    SHA1

    67a1eb4d883190d777ba6fbe464a5d523c832722

    SHA256

    5efd34d91c13385aa234ab47b1f6e30ad5c20fcee271b641489b0a8d3a2518dc

    SHA512

    70a4813cb46c7cfac596281f63ad926b68988aac381cf54b77fb03d9cb3f6e4bd3c52aa1d1854cfc215baef9f645575e2ff0729abf80b49a1e003d2764cda1aa