Analysis
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 12/10/2022, 13:22
Static task: static1
Behavioral task: behavioral1
  Sample: 9f40a90db5c7da1cc2ced7e23df53ec3.com.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 9f40a90db5c7da1cc2ced7e23df53ec3.com.exe
  Resource: win10v2004-20220812-en
General
Target: 9f40a90db5c7da1cc2ced7e23df53ec3.com.exe
Size: 1.4MB
MD5: 6c6d3758452aa4500bd4186d02a54bbd
SHA1: 29a36ac35cdd13203b584e4f1176802a8bd999ef
SHA256: 2e37d7372a97df9e3955837eeae856489541aab815dffabc00bbc72af6483e9b
SHA512: f6a1332f36948f2d2f593878a704f8d9de8dcb157c3727bdf21203ddf69512f4498faa1a34a86a2e91d5a4b8fc635fd058636a7b38c1cb2e1841efa44c4a18f2
SSDEEP: 24576:0AOcZ2i7sBG5TH4AI8saogP5+OE8YqZWyqTr+Mo5pemHI0Yuyqgm:iQYAIoh+OE8Yq+xo5EmHWqZ
Malware Config
Extracted: vjw0rm
  http://129.204.138.203:7974
Signatures

Blocklisted process makes network request (1 IoC)
  flow 3, PID 1332, WScript.exe

Executes dropped EXE (1 IoC)
  PID 1372, kkuai.exe

Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfil.js (WScript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfil.js (WScript.exe)

Loads dropped DLL (1 IoC)
  PID 1792, WScript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (kkuai.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\4_87\\kkuai.exe 0\\4_87\\fwfinco.apb" (kkuai.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 1372 (kkuai.exe) set thread context of PID 1468 (procid_target 41)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
  PID 1372, kkuai.exe (60 identical entries)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1468, RegSvcs.exe

Suspicious use of WriteProcessMemory (59 IoCs)
  Identical entries are collapsed; the count column gives how many times each appears in the report.
  source PID  source process                            target PID  procid_target  count
  1600        9f40a90db5c7da1cc2ced7e23df53ec3.com.exe  1332        27             4
  1600        9f40a90db5c7da1cc2ced7e23df53ec3.com.exe  1792        28             4
  1792        WScript.exe                               1372        30             4
  1372        kkuai.exe                                 1096        33             4
  1372        kkuai.exe                                 1360        34             4
  1372        kkuai.exe                                 1536        35             4
  1372        kkuai.exe                                 1820        36             4
  1372        kkuai.exe                                 284         37             4
  1372        kkuai.exe                                 796         38             4
  1372        kkuai.exe                                 908         39             4
  1372        kkuai.exe                                 916         40             7
  1372        kkuai.exe                                 1468        41             12
Processes

C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe (level 1, PID 1600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe (level 2, PID 1332)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_87\rfil.js"
    - Blocklisted process makes network request
    - Drops startup file

  C:\Windows\SysWOW64\WScript.exe (level 2, PID 1792)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_87\xrqxkro.vbe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe (level 3, PID 1372)
      Command line: "C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe" fwfinco.apb
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\mshta.exe (level 4, PID 1096)
        Command line: "C:\Windows\SysWOW64\mshta.exe"

      C:\Windows\SysWOW64\mshta.exe (level 4, PID 1360)
        Command line: "C:\Windows\SysWOW64\mshta.exe"

      C:\Windows\SysWOW64\mshta.exe (level 4, PID 1536)
        Command line: "C:\Windows\SysWOW64\mshta.exe"

      C:\Windows\SysWOW64\mshta.exe (level 4, PID 1820)
        Command line: "C:\Windows\SysWOW64\mshta.exe"

      C:\Windows\SysWOW64\mshta.exe (level 4, PID 284)
        Command line: "C:\Windows\SysWOW64\mshta.exe"

      C:\Windows\SysWOW64\mshta.exe (level 4, PID 796)
        Command line: "C:\Windows\SysWOW64\mshta.exe"

      C:\Windows\SysWOW64\mshta.exe (level 4, PID 908)
        Command line: "C:\Windows\SysWOW64\mshta.exe"

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 4, PID 916)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 4, PID 1468)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of SetWindowsHookEx
Downloads