Overview

overview

10

Static

static

81afd25a71...5a.exe

windows7-x64

10

81afd25a71...5a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2022 21:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a.exe

  • Size

    227KB

  • MD5

    51e5a087d3ef2140a2b4b921cec3de42

  • SHA1

    2b4bc51bc96cf3cbf50ffe03b5819fb812a34c19

  • SHA256

    81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a

  • SHA512

    9a23fe082db3896cc1a268fde0fefb16d495a563708171cb475afd4148f56877ee777bf2edf8bd9a9f630322d4bebd2be5518166c7d47a9d823f78a4498f4f1f

  • SSDEEP

    3072:YsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRmRuq:ZR5IuMQoseGk7RZBGxAycKpSPX2Fq

Score
10/10
evasionpersistencespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a.exe
    "C:\Users\Admin\AppData\Local\Temp\81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\KBDCHERP32.exe
      "C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\KBDCHERP32.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4212
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /tn Admin /tr "\"C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\KBDCHERP32.exe\" arguments" /sc MINUTE /mo 1
        3⤵
        • Creates scheduled task(s)
        PID:4916
      • \??\c:\windows\microsoft.net\framework\v2.0.50727\InstallUtil.exe
        "c:\windows\microsoft.net\framework\v2.0.50727\\InstallUtil.exe" C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\KBDCHERP32.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4448
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      2⤵
        PID:5096
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 && del "C:\Users\Admin\AppData\Local\Temp\81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a.exe" && del "C:\Users\Admin\AppData\Local\Temp\81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a.exe.config"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1548
        • C:\Windows\system32\timeout.exe
          timeout /t 5
          3⤵
          • Delays execution with timeout.exe
          PID:440
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:1124
      • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\KBDCHERP32.exe
        C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\KBDCHERP32.exe arguments
        1⤵
        • Executes dropped EXE
        PID:772
      • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\KBDCHERP32.exe
        C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\KBDCHERP32.exe arguments
        1⤵
        • Executes dropped EXE
        PID:2036

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\KBDCHERP32.exe.log
        Filesize

        595B

        MD5

        5446caf843683ea0aab610c729c40ab1

        SHA1

        6df96e9c6c90843766b0fde8cec5e3a955291e74

        SHA256

        f7dbd089564c22c13483b867392a7bd1f9b49f8e0b089e2cc7bd7bfbf62c6329

        SHA512

        488e2b8750ff820e3fbdcbb9201abddfc6c8ccc3e7cc29962a05c2313ea862eddbf4e0a49ab6a5029aa4d9c137daf2623f1b34e4dcb896269e6edae8276148ff

        Download Submit

      • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\KBDCHERP32.exe
        Filesize

        227KB

        MD5

        84dd61e52b121026079785c7c902841d

        SHA1

        6c0caeee49338c8b499bdb252da3059505023715

        SHA256

        71826bb753cb523ed15363c8875d2cdf5356862b86725c9284e32b41881a265f

        SHA512

        95ffbbb4c3833f8fc0f1224734c873a9ecca74847a9296d0d0a5623f5a765f34500d03d0da121c6d3c58241434382f7bd15492711f0d0182de67bd58186480a1

        Download Submit

      • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\KBDCHERP32.exe
        Filesize

        227KB

        MD5

        84dd61e52b121026079785c7c902841d

        SHA1

        6c0caeee49338c8b499bdb252da3059505023715

        SHA256

        71826bb753cb523ed15363c8875d2cdf5356862b86725c9284e32b41881a265f

        SHA512

        95ffbbb4c3833f8fc0f1224734c873a9ecca74847a9296d0d0a5623f5a765f34500d03d0da121c6d3c58241434382f7bd15492711f0d0182de67bd58186480a1

        Download Submit

      • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\KBDCHERP32.exe
        Filesize

        227KB

        MD5

        84dd61e52b121026079785c7c902841d

        SHA1

        6c0caeee49338c8b499bdb252da3059505023715

        SHA256

        71826bb753cb523ed15363c8875d2cdf5356862b86725c9284e32b41881a265f

        SHA512

        95ffbbb4c3833f8fc0f1224734c873a9ecca74847a9296d0d0a5623f5a765f34500d03d0da121c6d3c58241434382f7bd15492711f0d0182de67bd58186480a1

        Download Submit

      • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\KBDCHERP32.exe
        Filesize

        227KB

        MD5

        84dd61e52b121026079785c7c902841d

        SHA1

        6c0caeee49338c8b499bdb252da3059505023715

        SHA256

        71826bb753cb523ed15363c8875d2cdf5356862b86725c9284e32b41881a265f

        SHA512

        95ffbbb4c3833f8fc0f1224734c873a9ecca74847a9296d0d0a5623f5a765f34500d03d0da121c6d3c58241434382f7bd15492711f0d0182de67bd58186480a1

        Download Submit

      • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\KBDCHERP32.exe.config
        Filesize

        1KB

        MD5

        dd3d04c365984b4ec57a80503f81fddf

        SHA1

        c55fbcb61818e47dac9aae465faff91f0805bd7c

        SHA256

        40a59ca9744dc3d4647f246b2dc553f37f8095418c1b48a9bd94cdb5c03dbc5c

        SHA512

        0dd459def2abe9e3f0d1251049a0755c63f7dd3d85e91dba272c3f479f2578e3f3f2379e1cd6913190f7f596af721201eb5d9423ab28aed72bde5cd3cac7f785

        Download Submit

      • memory/440-140-0x0000000000000000-mapping.dmp

        Download

      • memory/772-155-0x00007FF85CE20000-0x00007FF85D856000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/1548-139-0x0000000000000000-mapping.dmp

        Download

      • memory/2036-160-0x00007FF85CE20000-0x00007FF85D856000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/4212-146-0x000000001DB30000-0x000000001DB34000-memory.dmp

        Filesize

        16KB

        Download

      • memory/4212-151-0x000000001DB30000-0x000000001DB34000-memory.dmp

        Filesize

        16KB

        Download

      • memory/4212-144-0x0000000000C0A000-0x0000000000C0F000-memory.dmp

        Filesize

        20KB

        Download

      • memory/4212-133-0x0000000000000000-mapping.dmp

        Download

      • memory/4212-138-0x00007FF85CE20000-0x00007FF85D856000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/4212-147-0x0000000000C0A000-0x0000000000C0F000-memory.dmp

        Filesize

        20KB

        Download

      • memory/4212-148-0x000000001DB34000-0x000000001DB37000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4212-149-0x000000001DB37000-0x000000001DB3A000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4212-157-0x000000001DB3A000-0x000000001DB3F000-memory.dmp

        Filesize

        20KB

        Download

      • memory/4212-156-0x000000001DB3A000-0x000000001DB3F000-memory.dmp

        Filesize

        20KB

        Download

      • memory/4212-152-0x000000001DB34000-0x000000001DB37000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4212-153-0x000000001DB37000-0x000000001DB3A000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4280-132-0x00007FF85CE20000-0x00007FF85D856000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/4448-142-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4448-143-0x000000000040334E-mapping.dmp

        Download

      • memory/4448-150-0x0000000075240000-0x00000000757F1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4448-145-0x0000000075240000-0x00000000757F1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4916-141-0x0000000000000000-mapping.dmp

        Download

      • memory/5096-137-0x0000000000000000-mapping.dmp

        Download