02da515cb00fbef5cc553480e55233122466a9c9f8e34d08fc0522da26087d44

General

Target

02da515cb00fbef5cc553480e55233122466a9c9f8e34d08fc0522da26087d44.exe
Size

304KB
MD5

9e89e5d5453e2c33d4c4a75003dc3f36
SHA1

aac32807ebaddca79086948c6ba92ff1318495c8
SHA256

02da515cb00fbef5cc553480e55233122466a9c9f8e34d08fc0522da26087d44
SHA512

b226e6f4cc74b33653acb56720046f6f038d3cf046e1b638e0a12be56d620edb5cfec79735039edc8db31f21fea00ab46beb3dd0cf969728e8ee351d5ec76697
SSDEEP

6144:0A0jRgn0w+/hcE3+uw0g1zJx/JS9slr9D5Tum0aFDvL:0zR20w+/hn+uwB/xS9wam0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1144	kmjqfukgj.exe

Deletes itself 1 IoCs

pid	Process
1400	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1400	cmd.exe
1400	cmd.exe
1144	kmjqfukgj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	02da515cb00fbef5cc553480e55233122466a9c9f8e34d08fc0522da26087d44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1736	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1688	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1144	kmjqfukgj.exe
1144	kmjqfukgj.exe
1144	kmjqfukgj.exe
1144	kmjqfukgj.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1144	kmjqfukgj.exe
1144	kmjqfukgj.exe
1144	kmjqfukgj.exe
1144	kmjqfukgj.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1400	956	02da515cb00fbef5cc553480e55233122466a9c9f8e34d08fc0522da26087d44.exe	27
PID 956 wrote to memory of 1400	956	02da515cb00fbef5cc553480e55233122466a9c9f8e34d08fc0522da26087d44.exe	27
PID 956 wrote to memory of 1400	956	02da515cb00fbef5cc553480e55233122466a9c9f8e34d08fc0522da26087d44.exe	27
PID 956 wrote to memory of 1400	956	02da515cb00fbef5cc553480e55233122466a9c9f8e34d08fc0522da26087d44.exe	27
PID 1400 wrote to memory of 1736	1400	cmd.exe	29
PID 1400 wrote to memory of 1736	1400	cmd.exe	29
PID 1400 wrote to memory of 1736	1400	cmd.exe	29
PID 1400 wrote to memory of 1736	1400	cmd.exe	29
PID 1400 wrote to memory of 1688	1400	cmd.exe	31
PID 1400 wrote to memory of 1688	1400	cmd.exe	31
PID 1400 wrote to memory of 1688	1400	cmd.exe	31
PID 1400 wrote to memory of 1688	1400	cmd.exe	31
PID 1400 wrote to memory of 1144	1400	cmd.exe	32
PID 1400 wrote to memory of 1144	1400	cmd.exe	32
PID 1400 wrote to memory of 1144	1400	cmd.exe	32
PID 1400 wrote to memory of 1144	1400	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\02da515cb00fbef5cc553480e55233122466a9c9f8e34d08fc0522da26087d44.exe
"C:\Users\Admin\AppData\Local\Temp\02da515cb00fbef5cc553480e55233122466a9c9f8e34d08fc0522da26087d44.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 956 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\02da515cb00fbef5cc553480e55233122466a9c9f8e34d08fc0522da26087d44.exe" & start C:\Users\Admin\AppData\Local\KMJQFU~1.EXE -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 956
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:1688
- - C:\Users\Admin\AppData\Local\kmjqfukgj.exe
    C:\Users\Admin\AppData\Local\KMJQFU~1.EXE -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\kmjqfukgj.exe

Filesize
101KB

MD5
93b65049dbb6d1e828b33601c098efa0

SHA1
2431823958df460e9c3f2856be14714d547438ee

SHA256
e843eaea20b7f094d8d7e21ee060bcdae78c2c191d83ab0ab16d34343c341472

SHA512
3cddee2985ad086c0b74cd4dfde1f2f67350625b72ded94a2638834a00bd0f945e4227970aece458c67fcc79044fc8b0594b4b350043ae486b04a726d262cf4b

Download Submit
C:\Users\Admin\AppData\Local\kmjqfukgj.exe

Filesize
47KB

MD5
f275357e53807c0220d634ceed55d465

SHA1
2718927654cc34bc08307680f96dcba707ed35e3

SHA256
4f59be555aec75a87aaf0d20576bb39b0f57e81cae9187331a58fa48f93910e7

SHA512
c387af72e374cacb2a1819b604d28be5c28ddb169bf5dc7e960bc9bf310b33d518033c322862a6eb0e239e823d196c6b8cde750f296d716a352ac4ca7586bf2e

Download Submit
\Users\Admin\AppData\Local\kmjqfukgj.exe

Filesize
13KB

MD5
b97880c852726577a9d8305c14f81829

SHA1
3b719bca583bfbbbf210fc98a6c7916518e2096e

SHA256
02952ff2b0a27b06bca4f4b4bbcbf4a505b21642ec5ae26f96deb607cad8c743

SHA512
3d1b244aa125d7d48698de44052a9695bb590c52ae6054217fd9f57aab893d7f613ea364acd7a1ee880b78bb18f34ae47269c35275a396e73dae65bc853c12f2

Download Submit
\Users\Admin\AppData\Local\kmjqfukgj.exe

Filesize
54KB

MD5
cdf69ebda51a847c42ab8d0128dff0eb

SHA1
79301981e21de5704754ff11f01b2fa50e691f73

SHA256
a08962df31ec7b70df43dcfcca40364f65aa3315f9a24908719f9412570e7db3

SHA512
ab65758aa76dcf42564960e53e224980a3d1b6ae7d4b871661a0d4837589ead3c374e1d4b0cbfea6b06eafabc2d0a114291b670cc58b9b213648a6a0a513f68a

Download Submit
\Users\Admin\AppData\Local\kmjqfukgj.exe

Filesize
85KB

MD5
24ca8fc854f33753df7809350b94f699

SHA1
915b26be3ff99f67065b621c950dcaddf0425524

SHA256
563603c611d6914f68cb41c42c79def18ddc6f5bf4c28aa772b0c0dfc0d642b8

SHA512
a6f76efefcffeb6d4ffb6a08429170733ec2fe2800ab27d317505651ba07a1f5769c9318ec49f3029a3fc4bffc4032b27ef0d4615e42756798d3018d28390780

Download Submit
memory/956-59-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/956-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/956-56-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/956-55-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1144-69-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1144-70-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing