0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb

Analysis

max time kernel
198s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb.exe
Size

244KB
MD5

69297373833a72e5a0b255292aba74f2
SHA1

3686d43dbc500f7e9498e3de24b232a42e38bcf5
SHA256

0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb
SHA512

aa1e06b88a67703fd9e4841860cbf32187bbcd09e6dda4d546f11d000567e16be555b9c4b3b85ec878f81c82122d248a73d6934efedd844fd3aec6d7d6fbebe2
SSDEEP

3072:bhPBdF9sROnFQWI5yIuSP9lqVinU3bp/PTm2moJ6BwA+GABMndgIq66:bhJdFjI7PnqVinU3bw2moJ6WAdgn7

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kjber.exe

Executes dropped EXE 1 IoCs

pid	Process
4164	kjber.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /s"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /a"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /f"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /w"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /z"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /x"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /c"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /l"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /e"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /m"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /u"	kjber.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /n"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /h"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /b"	kjber.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /y"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /p"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /d"	0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /i"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /v"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /q"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /g"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /k"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /d"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /j"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /r"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /o"	kjber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjber = "C:\\Users\\Admin\\kjber.exe /t"	kjber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1616	0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb.exe
1616	0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe
4164	kjber.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1616	0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb.exe
4164	kjber.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 4164	1616	0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb.exe	81
PID 1616 wrote to memory of 4164	1616	0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb.exe	81
PID 1616 wrote to memory of 4164	1616	0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb.exe	81

C:\Users\Admin\AppData\Local\Temp\0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb.exe
"C:\Users\Admin\AppData\Local\Temp\0d5f3e1a7b6d9f2f4c468b1fb509093f7b0d89a91ab679e08d4e91cc0ee25fbb.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\kjber.exe
  "C:\Users\Admin\kjber.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\kjber.exe

Filesize
244KB

MD5
59997bf21da8b0c70fc16a2a62725c2f

SHA1
9b12928757186acb470f745999ceaeb1128049aa

SHA256
f125426f030a24e82d4243ad7eebb6fe58beb3df04bd045e058378f9df29f0c5

SHA512
d6c862289fc5f5c7f50e381171fa51f665a973773deebb673ca5b1b98dc76e6bcceacb900c6a80d1f59ff0628300daca18aa6fe4b1a6e2ddf66152243faf4a10

Download Submit
C:\Users\Admin\kjber.exe

Filesize
244KB

MD5
59997bf21da8b0c70fc16a2a62725c2f

SHA1
9b12928757186acb470f745999ceaeb1128049aa

SHA256
f125426f030a24e82d4243ad7eebb6fe58beb3df04bd045e058378f9df29f0c5

SHA512
d6c862289fc5f5c7f50e381171fa51f665a973773deebb673ca5b1b98dc76e6bcceacb900c6a80d1f59ff0628300daca18aa6fe4b1a6e2ddf66152243faf4a10

Download Submit
memory/4164-134-0x0000000000000000-mapping.dmp

Download