Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/10/2022, 00:08

Static task: static1
Behavioral task: behavioral1
  Sample: 04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb.exe
  Resource: win10v2004-20220901-en
General
Target: 04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb.exe
Size: 232KB
MD5: a2e57c7b925ecbabe9e88e5a79acdec7
SHA1: a306bfe3fcaea2f5810a2f5d101127c50a0c7b85
SHA256: 04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb
SHA512: 7738ba30b166db3c379d8d112aab018593efd05dd4a30685c60e857efa56ce7e3cf2934a7bb672f675f8cb3939903ea7899acbcc7608897da4dd4bddd4bdd770
SSDEEP: 6144:GK3PFKs7STL6eEqxF6snji81RUinKn3Kt+dNFcSG:pPhPDFc/
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Setting ShowSuperHidden to 0 makes Explorer hide protected operating-system files again, so a dropped binary marked hidden/system stays out of sight.
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | kiiviip.exe
Executes dropped EXE 1 IoCs
pid | Process
2140 | kiiviip.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb.exe
Adds Run key to start application 2 TTPs 25 IoCs
Key: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
description | ioc (value under the key above) | Process
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /n" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /i" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /o" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /f" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /c" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /r" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /w" | kiiviip.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /t" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /x" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /d" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /p" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /q" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /l" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /z" | kiiviip.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /m" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /y" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /g" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /s" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /u" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /a" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /b" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /v" | kiiviip.exe
Set value (str) | kiiviip = "C:\\Users\\Admin\\kiiviip.exe /m" | 04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb.exe
The same Run value is rewritten repeatedly, each time with a different single-letter switch; the value name (kiiviip) and the target path stay constant.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but the label is a generic heuristic: no other signature in this report corroborates ransomware activity (nothing fired for file encryption, shadow-copy deletion or a ransom note), and the observed behaviour (drop a copy to the user profile, persist via a Run key) is that of a dropper.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | hits
5068 | 04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb.exe | 2
2140 | kiiviip.exe | 62
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
5068 | 04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb.exe
2140 | kiiviip.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 5068 wrote to memory of 2140 | 5068 | 04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb.exe | 92 (recorded 3 times)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb.exe"
    PID: 5068
    - Modifies visibility of hidden/system files in Explorer
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\kiiviip.exe (child of PID 5068)
        command line: "C:\Users\Admin\kiiviip.exe"
        PID: 2140
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
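The registry signatures above (ShowSuperHidden forced to 0, an HKCU Run value named kiiviip that is rewritten with a different one-letter switch on each pass, and the dropped copy at C:\Users\Admin\kiiviip.exe) are the artifacts a responder would look for on a suspect host. The PowerShell below is an added triage check written for this page, not output of the sandbox: it reads the current user's Explorer\Advanced and Run keys and hashes any .exe in the profile root against the two SHA256 values on this page (the submitted sample and the 232KB file listed under Downloads, which has the same size as the sample but different hashes). The regular expression for the Run value is an assumption that generalises the pattern seen here (an .exe directly under a user profile followed by a single-letter switch); it matches on the value name and path rather than the exact command line, because the switch changes between writes.

```powershell
# Added triage check for the IoCs in this report. Not part of the sandbox output.
# Assumption: run as (or with the loaded HKCU hive of) the user being investigated.
$Sha256Iocs = @(
    '04f42a483d6333d8d2eb91d07086ec6e39adf44336ab399234ffae8a48f554eb',  # submitted sample
    'ce7613791092c4d4d527c1412a2c3302792d11fa672392a91ab487b029a568c5'   # file listed under Downloads
)

$findings = @()

# 1. Explorer told to hide protected OS files again (ShowSuperHidden = 0).
$advPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advPath -ErrorAction SilentlyContinue
if ($adv -and $adv.PSObject.Properties['ShowSuperHidden'] -and [int]$adv.ShowSuperHidden -eq 0) {
    $findings += "ShowSuperHidden = 0 under $advPath (hidden/system files suppressed in Explorer)"
}

# 2. Run-key persistence: the value name seen in the report, or (assumed pattern)
#    any .exe sitting directly in a user profile root launched with a one-letter switch.
$runPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKey = Get-Item -Path $runPath -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $cmd = [string]$runKey.GetValue($name)
        $profileRootExe = '^"?[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe"? /[a-z]$'
        if ($name -eq 'kiiviip' -or $cmd -match $profileRootExe) {
            $findings += "Run value '$name' = $cmd"
        }
    }
}

# 3. Hash every .exe in the profile root against the SHA256 values from this report.
Get-ChildItem -Path $env:USERPROFILE -Filter '*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
    if ($Sha256Iocs -contains $hash) {
        $findings += "Hash match: $($_.FullName) ($hash)"
    }
}

if ($findings.Count -eq 0) { 'No IoCs from this report found for the current user.' } else { $findings }
```

The script reports rather than remediates; if a Run value or hash match is found, collect the file and the key before removing anything, since the dropped copy listed under Downloads does not share the sample's hash and may be the only copy of that variant available for analysis.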
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 232KB
MD5: 3f9553975cc3092c632dd0918d4a09fe
SHA1: 2b6602c082229ef78d6b56e32408e2a4c18abf4f
SHA256: ce7613791092c4d4d527c1412a2c3302792d11fa672392a91ab487b029a568c5
SHA512: 9b11bebcc2a67b2c91b02d8a10122b1672db21a1391248408daf7af3d1212cc5db6c502605078db1b00716bec63652aeb81560610afb9d5b48eead71209ba310