836bde23efaee37bf62d5f53602031440ce58c9a99988b89edc6f50b6b3b2471

Analysis

max time kernel
45s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kobotv1/Project1.exe
Size

892KB
MD5

4f1b74dd94561adad98fd1d01d3377f5
SHA1

a096b8572ad7d5594718930ea1602362a5ac8b19
SHA256

001e3a5f374572aeb25eba1c8d63e598b632f656db6d206c77042e2bf1832180
SHA512

f42ebe083613f8920e84601f126e109373bb01377e7102a2edfa5024e6db8f46c52198fc729a7890ffcc673742e3b0e7e59c8eb28dd1f2fd7beae3f2f62c29c1
SSDEEP

24576:cOzOfWmQaxWRrWZOTx2SzT/lFnOREY9imH:c1mMOdbOREY91H

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1040	dllhost.exe
1056	Project1.exe

Loads dropped DLL 5 IoCs

pid	Process
1340	Project1.exe
1340	Project1.exe
1040	dllhost.exe
1340	Project1.exe
1340	Project1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLLHost = "\"C:\\Users\\Admin\\AppData\\Local\\dllhost.exe\""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1964	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1340	Project1.exe
Token: SeDebugPrivilege	1056	Project1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1040	dllhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1768	1340	Project1.exe	27
PID 1340 wrote to memory of 1768	1340	Project1.exe	27
PID 1340 wrote to memory of 1768	1340	Project1.exe	27
PID 1340 wrote to memory of 1768	1340	Project1.exe	27
PID 1768 wrote to memory of 1680	1768	cmd.exe	29
PID 1768 wrote to memory of 1680	1768	cmd.exe	29
PID 1768 wrote to memory of 1680	1768	cmd.exe	29
PID 1768 wrote to memory of 1680	1768	cmd.exe	29
PID 1680 wrote to memory of 1964	1680	cmd.exe	30
PID 1680 wrote to memory of 1964	1680	cmd.exe	30
PID 1680 wrote to memory of 1964	1680	cmd.exe	30
PID 1680 wrote to memory of 1964	1680	cmd.exe	30
PID 1340 wrote to memory of 1040	1340	Project1.exe	31
PID 1340 wrote to memory of 1040	1340	Project1.exe	31
PID 1340 wrote to memory of 1040	1340	Project1.exe	31
PID 1340 wrote to memory of 1040	1340	Project1.exe	31
PID 1340 wrote to memory of 1056	1340	Project1.exe	32
PID 1340 wrote to memory of 1056	1340	Project1.exe	32
PID 1340 wrote to memory of 1056	1340	Project1.exe	32
PID 1340 wrote to memory of 1056	1340	Project1.exe	32

C:\Users\Admin\AppData\Local\Temp\Kobotv1\Project1.exe
"C:\Users\Admin\AppData\Local\Temp\Kobotv1\Project1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c system.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DLLHost /D "\"C:\Users\Admin\AppData\Local\dllhost.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DLLHost /D "\"C:\Users\Admin\AppData\Local\dllhost.exe\"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:1964
- C:\Users\Admin\AppData\Local\dllhost.exe
  "C:\Users\Admin\AppData\Local\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1040
- C:\Users\Admin\AppData\Local\Project1.exe
  "C:\Users\Admin\AppData\Local\Project1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Project1.exe

Filesize
145KB

MD5
5f28dc2968972e7bfe69a8330da73ea9

SHA1
7bb71a74dcbcfeaf291b0450d88d7a0b2d3dd501

SHA256
7e4da6b8889be0c812ded5547ffc7a0eaadcdf32246c9b1e1c493b1eaaecfa09

SHA512
c51bf36a006319815c5f9acce5ef601af1c8b5643446cb5b1486db4434e10166be6a3cde63f9a1ced95fe9222396575421ddf44bdeb31229e24272b7390066b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kobotv1\system.bat

Filesize
147B

MD5
c4264953329c6d059abe32139da69ced

SHA1
15d5bbd88c09353d94ffadb50e6509361444c126

SHA256
592a6f742be69868b5253b6609ad809854add917509686c2a856c6f0023eda3f

SHA512
c55db54754b90eb7a818735250721d5d25960d4830ef7b62cfde716a35631c9ef46e235f672eb32922586d61ba270fe59b7ff585db6830cf072d648dd9e658fe

Download Submit
C:\Users\Admin\AppData\Local\dllhost.exe

Filesize
51KB

MD5
e61c5a183090ed1815db33f18a9d7446

SHA1
7a2a17387126ed881897e83b30e24a43c263aff1

SHA256
c695d51702db9b2163705615987dc1ca612a9acca3cf21f159226372ad027363

SHA512
3e952a3d8caed102f958bf8be65a8fea83bcc46e41f933b8e8b145fd0db7649638675261ad7a704b2e961b8a8aade527398f562acd804d97a66666f23c5f7cf7

Download Submit
C:\Users\Admin\AppData\Local\ntcheck.dll

Filesize
93KB

MD5
eb28b77b082f0c2a0d55b6a8d60fddbc

SHA1
61f1468f38791b200363e91649450369fd2e6553

SHA256
044837c29db1ad362ddafc7d48c951cb96876e84ee0515bcddbdaf5804f545ef

SHA512
6d86f39c6f3690f7e728f5bcd900b56023860a421c5d305321187dff33db88eafa7222e60f16f6bb194924ddf257e058808f7ee71302e2f26b6b0baad1d3ccb2

Download Submit
\Users\Admin\AppData\Local\Project1.exe

Filesize
145KB

MD5
5f28dc2968972e7bfe69a8330da73ea9

SHA1
7bb71a74dcbcfeaf291b0450d88d7a0b2d3dd501

SHA256
7e4da6b8889be0c812ded5547ffc7a0eaadcdf32246c9b1e1c493b1eaaecfa09

SHA512
c51bf36a006319815c5f9acce5ef601af1c8b5643446cb5b1486db4434e10166be6a3cde63f9a1ced95fe9222396575421ddf44bdeb31229e24272b7390066b8

Download Submit
\Users\Admin\AppData\Local\Project1.exe

Filesize
145KB

MD5
5f28dc2968972e7bfe69a8330da73ea9

SHA1
7bb71a74dcbcfeaf291b0450d88d7a0b2d3dd501

SHA256
7e4da6b8889be0c812ded5547ffc7a0eaadcdf32246c9b1e1c493b1eaaecfa09

SHA512
c51bf36a006319815c5f9acce5ef601af1c8b5643446cb5b1486db4434e10166be6a3cde63f9a1ced95fe9222396575421ddf44bdeb31229e24272b7390066b8

Download Submit
\Users\Admin\AppData\Local\dllhost.exe

Filesize
51KB

MD5
e61c5a183090ed1815db33f18a9d7446

SHA1
7a2a17387126ed881897e83b30e24a43c263aff1

SHA256
c695d51702db9b2163705615987dc1ca612a9acca3cf21f159226372ad027363

SHA512
3e952a3d8caed102f958bf8be65a8fea83bcc46e41f933b8e8b145fd0db7649638675261ad7a704b2e961b8a8aade527398f562acd804d97a66666f23c5f7cf7

Download Submit
\Users\Admin\AppData\Local\dllhost.exe

Filesize
51KB

MD5
e61c5a183090ed1815db33f18a9d7446

SHA1
7a2a17387126ed881897e83b30e24a43c263aff1

SHA256
c695d51702db9b2163705615987dc1ca612a9acca3cf21f159226372ad027363

SHA512
3e952a3d8caed102f958bf8be65a8fea83bcc46e41f933b8e8b145fd0db7649638675261ad7a704b2e961b8a8aade527398f562acd804d97a66666f23c5f7cf7

Download Submit
\Users\Admin\AppData\Local\ntcheck.dll

Filesize
93KB

MD5
eb28b77b082f0c2a0d55b6a8d60fddbc

SHA1
61f1468f38791b200363e91649450369fd2e6553

SHA256
044837c29db1ad362ddafc7d48c951cb96876e84ee0515bcddbdaf5804f545ef

SHA512
6d86f39c6f3690f7e728f5bcd900b56023860a421c5d305321187dff33db88eafa7222e60f16f6bb194924ddf257e058808f7ee71302e2f26b6b0baad1d3ccb2

Download Submit
memory/1040-66-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1340-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads