Analysis
max time kernel: 25s
max time network: 17s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2022, 16:14
Static task: static1
Behavioral task: behavioral1
  Sample: Kobotv1/Project1.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: Kobotv1/Project1.exe
  Resource: win10v2004-20220812-en
General
Target: Kobotv1/Project1.exe
Size: 892KB
MD5: 4f1b74dd94561adad98fd1d01d3377f5
SHA1: a096b8572ad7d5594718930ea1602362a5ac8b19
SHA256: 001e3a5f374572aeb25eba1c8d63e598b632f656db6d206c77042e2bf1832180
SHA512: f42ebe083613f8920e84601f126e109373bb01377e7102a2edfa5024e6db8f46c52198fc729a7890ffcc673742e3b0e7e59c8eb28dd1f2fd7beae3f2f62c29c1
SSDEEP: 24576:cOzOfWmQaxWRrWZOTx2SzT/lFnOREY9imH:c1mMOdbOREY91H
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID 3824  dllhost.exe
  PID 1668  Project1.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  (Project1.exe)

Loads dropped DLL (4 IoCs)
  PID 3824  dllhost.exe  (2 events)
  PID 1668  Project1.exe  (2 events)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DLLHost = "\"C:\\Users\\Admin\\AppData\\Local\\dllhost.exe\""  (reg.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry key (1 TTPs, 1 IoC)
  PID 4224  reg.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeIncBasePriorityPrivilege  PID 2064  Project1.exe
  Token: SeDebugPrivilege  PID 1668  Project1.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3824  dllhost.exe

Suspicious use of WriteProcessMemory (15 IoCs; each row recorded 3 times)
  PID 2064 (Project1.exe) wrote to memory of PID 2516  procid_target 76
  PID 2516 (cmd.exe) wrote to memory of PID 2744  procid_target 78
  PID 2744 (cmd.exe) wrote to memory of PID 4224  procid_target 79
  PID 2064 (Project1.exe) wrote to memory of PID 3824  procid_target 80
  PID 2064 (Project1.exe) wrote to memory of PID 1668  procid_target 81
Processes
1. C:\Users\Admin\AppData\Local\Temp\Kobotv1\Project1.exe  (PID 2064)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Kobotv1\Project1.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe  (PID 2516)
      Command line: C:\Windows\system32\cmd.exe /c system.bat
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe  (PID 2744)
         Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DLLHost /D "\"C:\Users\Admin\AppData\Local\dllhost.exe\"" /f
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\reg.exe  (PID 4224)
            Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DLLHost /D "\"C:\Users\Admin\AppData\Local\dllhost.exe\"" /f
            - Adds Run key to start application
            - Modifies registry key
   2. C:\Users\Admin\AppData\Local\dllhost.exe  (PID 3824)
      Command line: "C:\Users\Admin\AppData\Local\dllhost.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
   2. C:\Users\Admin\AppData\Local\Project1.exe  (PID 1668)
      Command line: "C:\Users\Admin\AppData\Local\Project1.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 145KB  (listed 2 times)
  MD5: 5f28dc2968972e7bfe69a8330da73ea9
  SHA1: 7bb71a74dcbcfeaf291b0450d88d7a0b2d3dd501
  SHA256: 7e4da6b8889be0c812ded5547ffc7a0eaadcdf32246c9b1e1c493b1eaaecfa09
  SHA512: c51bf36a006319815c5f9acce5ef601af1c8b5643446cb5b1486db4434e10166be6a3cde63f9a1ced95fe9222396575421ddf44bdeb31229e24272b7390066b8

Filesize: 147B
  MD5: c4264953329c6d059abe32139da69ced
  SHA1: 15d5bbd88c09353d94ffadb50e6509361444c126
  SHA256: 592a6f742be69868b5253b6609ad809854add917509686c2a856c6f0023eda3f
  SHA512: c55db54754b90eb7a818735250721d5d25960d4830ef7b62cfde716a35631c9ef46e235f672eb32922586d61ba270fe59b7ff585db6830cf072d648dd9e658fe

Filesize: 51KB  (listed 2 times)
  MD5: e61c5a183090ed1815db33f18a9d7446
  SHA1: 7a2a17387126ed881897e83b30e24a43c263aff1
  SHA256: c695d51702db9b2163705615987dc1ca612a9acca3cf21f159226372ad027363
  SHA512: 3e952a3d8caed102f958bf8be65a8fea83bcc46e41f933b8e8b145fd0db7649638675261ad7a704b2e961b8a8aade527398f562acd804d97a66666f23c5f7cf7

Filesize: 93KB  (listed 5 times)
  MD5: eb28b77b082f0c2a0d55b6a8d60fddbc
  SHA1: 61f1468f38791b200363e91649450369fd2e6553
  SHA256: 044837c29db1ad362ddafc7d48c951cb96876e84ee0515bcddbdaf5804f545ef
  SHA512: 6d86f39c6f3690f7e728f5bcd900b56023860a421c5d305321187dff33db88eafa7222e60f16f6bb194924ddf257e058808f7ee71302e2f26b6b0baad1d3ccb2