Analysis

max time kernel: 151s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2022, 13:22

Static task: static1
Behavioral task: behavioral1
  Sample: 9f40a90db5c7da1cc2ced7e23df53ec3.com.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 9f40a90db5c7da1cc2ced7e23df53ec3.com.exe
  Resource: win10v2004-20220812-en

The results below are from behavioral2 (the Windows 10 2004 x64 run).
General

Target: 9f40a90db5c7da1cc2ced7e23df53ec3.com.exe
Size: 1.4MB
MD5: 6c6d3758452aa4500bd4186d02a54bbd
SHA1: 29a36ac35cdd13203b584e4f1176802a8bd999ef
SHA256: 2e37d7372a97df9e3955837eeae856489541aab815dffabc00bbc72af6483e9b
SHA512: f6a1332f36948f2d2f593878a704f8d9de8dcb157c3727bdf21203ddf69512f4498faa1a34a86a2e91d5a4b8fc635fd058636a7b38c1cb2e1841efa44c4a18f2
SSDEEP: 24576:0AOcZ2i7sBG5TH4AI8saogP5+OE8YqZWyqTr+Mo5pemHI0Yuyqgm:iQYAIoh+OE8Yq+xo5EmHWqZ
Malware Config

Extracted family: vjw0rm
C2: http://129.204.138.203:7974
Signatures

Blocklisted process makes network request (1 IoC)
  flow 2, PID 4436, WScript.exe

Executes dropped EXE (1 IoC)
  PID 4904, kkuai.exe

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation, by 9f40a90db5c7da1cc2ced7e23df53ec3.com.exe
  Key value queried: same key, by WScript.exe
  Key value queried: same key, by kkuai.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfil.js, by WScript.exe
  File opened for modification: same path, by WScript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run, by kkuai.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\4_87\\kkuai.exe 0\\4_87\\fwfinco.apb", by kkuai.exe
  The value name imitates a Windows component and its data is not an absolute path; it re-launches kkuai.exe with the same fwfinco.apb argument seen in the process tree.

Suspicious use of SetThreadContext (1 IoC)
  PID 4904 (kkuai.exe) set thread context of PID 4824 (procid_target 100); PID 4824 is RegSvcs.exe in the process tree.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour"; for a vjw0rm sample, drive enumeration is more consistent with the family's removable-drive spreading, so read it alongside the extracted config rather than as a ransomware indicator.

Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings, by 9f40a90db5c7da1cc2ced7e23df53ec3.com.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\, by WScript.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4904, kkuai.exe (64 identical entries)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4824, RegSvcs.exe

Suspicious use of WriteProcessMemory (41 IoCs)
  Entries are grouped; each row appears three times in the report unless noted.
  PID 2200 (9f40a90db5c7da1cc2ced7e23df53ec3.com.exe) wrote to memory of PID 4436 (procid_target 82)
  PID 2200 (9f40a90db5c7da1cc2ced7e23df53ec3.com.exe) wrote to memory of PID 2184 (procid_target 83)
  PID 2184 (WScript.exe) wrote to memory of PID 4904 (procid_target 84)
  PID 4904 (kkuai.exe) wrote to memory of PID 2256 (procid_target 85)
  PID 4904 (kkuai.exe) wrote to memory of PID 1332 (procid_target 89)
  PID 4904 (kkuai.exe) wrote to memory of PID 4776 (procid_target 93)
  PID 4904 (kkuai.exe) wrote to memory of PID 2300 (procid_target 94)
  PID 4904 (kkuai.exe) wrote to memory of PID 3916 (procid_target 96)
  PID 4904 (kkuai.exe) wrote to memory of PID 2000 (procid_target 97)
  PID 4904 (kkuai.exe) wrote to memory of PID 380 (procid_target 98)
  PID 4904 (kkuai.exe) wrote to memory of PID 4500 (procid_target 99)
  PID 4904 (kkuai.exe) wrote to memory of PID 4824 (procid_target 100), 8 times
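The two persistence signatures above (the Run value written by kkuai.exe and the script dropped into the Startup folder by WScript.exe) translate directly into host-side detection logic. What follows is an added example written for this page; it is not part of the Triage report and not code from the sample. It runs a few checks over constructed Sysmon-style events (event ID 13 for a registry value set, ID 11 for a file create; the field names image, target and details are the example's own, not Triage or Sysmon field names) that mirror the IoCs, plus one benign control entry. The list of trusted roots and the rule that an autostart target must be an absolute path under one of them are assumptions of the example.

```python
import re
import shlex

# Constructed Sysmon-style events mirroring the IoCs in the signatures above.
# Event ID 13 = registry value set, ID 11 = file create. The field names are
# this example's own (assumption), not Triage or Sysmon schema names.
EVENTS = [
    {"id": 13,
     "image": r"C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "details": r"0\4_87\kkuai.exe 0\4_87\fwfinco.apb"},
    {"id": 11,
     "image": r"C:\Windows\SysWOW64\WScript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfil.js"},
    # Benign control (constructed): a vendor updater registering itself from Program Files.
    {"id": 13,
     "image": r"C:\Program Files\Vendor\updater.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

# Assumed allow-list of roots from which autostart targets are expected.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_VALUE_RE = re.compile(
    r"\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once)?\\([^\\]+)$", re.I)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")


def is_absolute(path: str) -> bool:
    """True for a drive-letter path; the report's 0\\4_87\\kkuai.exe is relative."""
    return re.match(r"^[a-z]:\\", path, re.I) is not None


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def run_target(value_data: str) -> str:
    """First token of a Run value's data with surrounding quotes removed.
    Non-POSIX shlex keeps a quoted path with spaces together and leaves backslashes alone."""
    tokens = shlex.split(value_data, posix=False)
    return tokens[0].strip('"') if tokens else ""


def check_run_value(ev: dict) -> list:
    """Flag Run/RunOnce values whose target is relative or outside trusted roots,
    and values written by a process that itself lives outside trusted roots."""
    m = RUN_VALUE_RE.search(ev["target"])
    if ev["id"] != 13 or m is None:
        return []
    name, exe, findings = m.group(1), run_target(ev["details"]), []
    if not is_absolute(exe):
        findings.append(f"Run value '{name}' has a relative target '{exe}'")
    elif not is_trusted_path(exe):
        findings.append(f"Run value '{name}' targets an untrusted path '{exe}'")
    if not is_trusted_path(ev["image"]):
        findings.append(f"Run value '{name}' written by untrusted process {ev['image']}")
    return findings


def check_startup_drop(ev: dict) -> list:
    """Flag any script-host file type created inside a Startup folder."""
    t = ev["target"]
    if ev["id"] == 11 and STARTUP_DIR_RE.search(t) and t.lower().endswith(SCRIPT_EXTS):
        return [f"script dropped into Startup folder by {ev['image']}: {t}"]
    return []


def scan(events) -> list:
    findings = []
    for ev in events:
        findings += check_run_value(ev) + check_startup_drop(ev)
    return findings


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Against the constructed events the scan yields three findings, all from the two report-derived entries, and nothing for the Program Files control. The relative-path rule is the one that matters here: a Run value like `0\4_87\kkuai.exe` only resolves if the process reading it happens to have a matching working directory, which is a strong sign of machine-generated persistence rather than an installer.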
Processes

C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe (PID 2200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe (PID 4436)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_87\rfil.js"
    - Blocklisted process makes network request
    - Drops startup file

  C:\Windows\SysWOW64\WScript.exe (PID 2184)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_87\xrqxkro.vbe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe (PID 4904)
      Command line: "C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe" fwfinco.apb
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\mshta.exe (PID 2256), command line "C:\Windows\SysWOW64\mshta.exe"
      C:\Windows\SysWOW64\mshta.exe (PID 1332), command line "C:\Windows\SysWOW64\mshta.exe"
      C:\Windows\SysWOW64\mshta.exe (PID 4776), command line "C:\Windows\SysWOW64\mshta.exe"
      C:\Windows\SysWOW64\mshta.exe (PID 2300), command line "C:\Windows\SysWOW64\mshta.exe"
      C:\Windows\SysWOW64\mshta.exe (PID 3916), command line "C:\Windows\SysWOW64\mshta.exe"
      C:\Windows\SysWOW64\mshta.exe (PID 2000), command line "C:\Windows\SysWOW64\mshta.exe"
      C:\Windows\SysWOW64\mshta.exe (PID 380), command line "C:\Windows\SysWOW64\mshta.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4500), command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4824), command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of SetWindowsHookEx

Notes on the tree. The sample spawns two branches: rfil.js (PID 4436) makes the network request and writes the Startup-folder copy, which fits the extracted vjw0rm config since vjw0rm is a JScript worm; xrqxkro.vbe (PID 2184) runs the dropped kkuai.exe, which then targets RegSvcs.exe. The WScript.exe image path is SysWOW64 while its command line names System32 because the 32-bit parent is subject to WoW64 file system redirection; RegSvcs.exe is likewise loaded from the 32-bit Framework directory. All seven mshta.exe instances and both RegSvcs.exe instances are started with no arguments, a common shape for a hollowing target; only PID 4824 carries the SetThreadContext and SetWindowsHookEx signatures, and the earlier RegSvcs.exe (PID 4500) and the mshta.exe instances show no further activity in this report.
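The tree above is the chain a responder would want to reconstruct from endpoint telemetry: a script host started from a user temp directory, a dropped EXE, and a .NET utility launched with no arguments that the dropper then hits with SetThreadContext. The following is an added example written for this page, not sandbox output and not the sample's code. It rebuilds that lineage from constructed process-creation records copied from the tree and flags the hollowing pattern. The record layout, the "user-writable path" rule (anything under a user's AppData) and the use of ppid 0 to mark the submitted sample are assumptions of the example.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed process-creation records mirroring the tree above (assumption: this
# layout is the example's own, not the sandbox's data model). ppid 0 marks the sample.
PROCS = [
    Proc(2200, 0, r"C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe"'),
    Proc(4436, 2200, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_87\rfil.js"'),
    Proc(2184, 2200, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_87\xrqxkro.vbe"'),
    Proc(4904, 2184, r"C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe" fwfinco.apb'),
    Proc(2256, 4904, r"C:\Windows\SysWOW64\mshta.exe", r'"C:\Windows\SysWOW64\mshta.exe"'),
    Proc(4500, 4904, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    Proc(4824, 4904, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
]
# (source pid, target pid) pairs from the "Suspicious use of SetThreadContext" signature.
THREAD_CONTEXT = [(4904, 4824)]

# Assumption: anything under a user's AppData counts as user-writable space.
USER_WRITABLE_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline: str):
    """Split a Windows command line into (program, argument string)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def lineage(procs, pid: int) -> list:
    """Root-first chain of image basenames ending at pid."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def script_host_from_user_dir(p: Proc) -> bool:
    """WScript/CScript handed a script that lives under a user's AppData."""
    _, args = split_cmdline(p.cmdline)
    return basename(p.image) in SCRIPT_HOSTS and USER_WRITABLE_RE.match(args.strip('"')) is not None


def hollowing_candidates(procs, thread_ctx) -> list:
    """A binary outside user-writable space, started with no arguments by a parent
    inside user-writable space, whose parent then rewrote its thread context."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for src, dst in thread_ctx:
        parent, target = by_pid.get(src), by_pid.get(dst)
        if parent is None or target is None or target.ppid != src:
            continue
        _, args = split_cmdline(target.cmdline)
        if args == "" and USER_WRITABLE_RE.match(parent.image) and not USER_WRITABLE_RE.match(target.image):
            out.append((dst, " -> ".join(lineage(procs, dst))))
    return out


if __name__ == "__main__":
    for pid, chain in hollowing_candidates(PROCS, THREAD_CONTEXT):
        print(f"probable hollowing of PID {pid}: {chain}")
    for p in PROCS:
        if script_host_from_user_dir(p):
            print(f"script host PID {p.pid} running a script from a user directory")
```

Run against the constructed records, the hollowing check reports only PID 4824 with the chain 9f40a90db5c7da1cc2ced7e23df53ec3.com.exe -> wscript.exe -> kkuai.exe -> regsvcs.exe, and the script-host check picks out PIDs 4436 and 2184. The point of requiring a parent-child match on the SetThreadContext pair is to avoid flagging a debugger or an EDR agent adjusting threads in unrelated processes.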
MITRE ATT&CK Enterprise v6
Downloads (artifacts available from the sandbox; file names are not given in this export)

Filesize: 832KB
MD5: 097b77b3288ee474492dc94a6cb43a15
SHA1: 742d0e529289b837f512055a4e448fb17cad7656
SHA256: db326b548a3e1a2a05539881a054b6f9c0ba302d945480564df3cf77fe96ebb1
SHA512: e738ca448b7e83e822803b5bd22ae222584ae46ee67e7ac60189a23af36c42515c1122d5e10b7145db6aee97b110d4882794ee6877a43eb502239d68fa076dab

Filesize: 124.2MB
MD5: 87bbebf030409ffb724c09365e4d094c
SHA1: dcec2d7a6ff6de98f1760454b1c1c67abeac0da3
SHA256: 29808fb1137203fc1b0a840e60876da3d8c3ddf9b21869310b2caa221e64ba24
SHA512: 1a5005e44bf12b4e83e77ee5479a413643813ac0aef3ee906693d08c1a4439949931270be996beda5052fc5c2d01a22852224e19b00462cb086b361082a08f6a

Filesize: 61KB
MD5: 6eab883507b80a10c54c5c90706826c8
SHA1: fd9813bfd24992485b5133d5d68025dd3d0cdf46
SHA256: 907be50f2e3548c8ac9f4945c05ce4e74ea8f246c51378e097e10837d0331b43
SHA512: 88bfda7bebe18d4c2faeeedf366c781259e1537f74d7f5d0251f9364807fd945faadff2c56dbeffd5dec8b89723cba736a5538eeaeaee8b511bfd3d5b93ee2c1

Filesize: 1.0MB (listed twice in the report with identical hashes)
MD5: b153044cf36a027e19eb94b06003f09c
SHA1: 9c5137654c78d249b318d7612a4d3dd2710c3aea
SHA256: cbcdc1eecb091c7e3418706dd0aafaca9018474150f73d2d4b1cc55595dcf550
SHA512: ef301b7c23b5012909e6b2a48d7bffbfc122e6c18180b66bd7ac16c8e9a27f3eff6b7cbab8a997857e6d101f8275ca87ba30d153fecb62e630aad14d923d7b96

Filesize: 3KB
MD5: 6c705c7ee0ce269b3e6eb770b797e808
SHA1: e8c6540e4dbb6a464e1f0c2c59cab161f44a8705
SHA256: dbd1b9421d8634cc2af6ae9c4fe72891bd3139527730185d2e28afe0447b4e2e
SHA512: 0999401d3218986eac63b8e449a572cdd5aec382fac11a6aa86b6a4035107b75343f6f005d506322c0a0e853c7566cf49078991d93cadfab1e80fad8ed1d93e2

Filesize: 23KB
MD5: 71e60ffa129c1759de7d21cda151dc4e
SHA1: 7a727197a54b055d06180b398ce1a196ffd5ffe6
SHA256: 26a2dee2267cbd8d019524d2045dda3f0cec89e73d56ba3d2cf2fef9187cb55a
SHA512: bf9ca1b82cbff005357fba82b97c4d0494f4b268b1751639f486a936297e5fa49707d545e3471ef61c4153f6cdd796c344d564f6251de87ac8f499b1002ed3e0