836bde23efaee37bf62d5f53602031440ce58c9a99988b89edc6f50b6b3b2471

Analysis

max time kernel
25s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kobotv1/Project1.exe
Size

892KB
MD5

4f1b74dd94561adad98fd1d01d3377f5
SHA1

a096b8572ad7d5594718930ea1602362a5ac8b19
SHA256

001e3a5f374572aeb25eba1c8d63e598b632f656db6d206c77042e2bf1832180
SHA512

f42ebe083613f8920e84601f126e109373bb01377e7102a2edfa5024e6db8f46c52198fc729a7890ffcc673742e3b0e7e59c8eb28dd1f2fd7beae3f2f62c29c1
SSDEEP

24576:cOzOfWmQaxWRrWZOTx2SzT/lFnOREY9imH:c1mMOdbOREY91H

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3824	dllhost.exe
1668	Project1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Project1.exe

Loads dropped DLL 4 IoCs

pid	Process
3824	dllhost.exe
3824	dllhost.exe
1668	Project1.exe
1668	Project1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DLLHost = "\"C:\\Users\\Admin\\AppData\\Local\\dllhost.exe\""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4224	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2064	Project1.exe
Token: SeDebugPrivilege	1668	Project1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3824	dllhost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2516	2064	Project1.exe	76
PID 2064 wrote to memory of 2516	2064	Project1.exe	76
PID 2064 wrote to memory of 2516	2064	Project1.exe	76
PID 2516 wrote to memory of 2744	2516	cmd.exe	78
PID 2516 wrote to memory of 2744	2516	cmd.exe	78
PID 2516 wrote to memory of 2744	2516	cmd.exe	78
PID 2744 wrote to memory of 4224	2744	cmd.exe	79
PID 2744 wrote to memory of 4224	2744	cmd.exe	79
PID 2744 wrote to memory of 4224	2744	cmd.exe	79
PID 2064 wrote to memory of 3824	2064	Project1.exe	80
PID 2064 wrote to memory of 3824	2064	Project1.exe	80
PID 2064 wrote to memory of 3824	2064	Project1.exe	80
PID 2064 wrote to memory of 1668	2064	Project1.exe	81
PID 2064 wrote to memory of 1668	2064	Project1.exe	81
PID 2064 wrote to memory of 1668	2064	Project1.exe	81

C:\Users\Admin\AppData\Local\Temp\Kobotv1\Project1.exe
"C:\Users\Admin\AppData\Local\Temp\Kobotv1\Project1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c system.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DLLHost /D "\"C:\Users\Admin\AppData\Local\dllhost.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DLLHost /D "\"C:\Users\Admin\AppData\Local\dllhost.exe\"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4224
- C:\Users\Admin\AppData\Local\dllhost.exe
  "C:\Users\Admin\AppData\Local\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3824
- C:\Users\Admin\AppData\Local\Project1.exe
  "C:\Users\Admin\AppData\Local\Project1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Project1.exe

Filesize
145KB

MD5
5f28dc2968972e7bfe69a8330da73ea9

SHA1
7bb71a74dcbcfeaf291b0450d88d7a0b2d3dd501

SHA256
7e4da6b8889be0c812ded5547ffc7a0eaadcdf32246c9b1e1c493b1eaaecfa09

SHA512
c51bf36a006319815c5f9acce5ef601af1c8b5643446cb5b1486db4434e10166be6a3cde63f9a1ced95fe9222396575421ddf44bdeb31229e24272b7390066b8

Download Submit
C:\Users\Admin\AppData\Local\Project1.exe

Filesize
145KB

MD5
5f28dc2968972e7bfe69a8330da73ea9

SHA1
7bb71a74dcbcfeaf291b0450d88d7a0b2d3dd501

SHA256
7e4da6b8889be0c812ded5547ffc7a0eaadcdf32246c9b1e1c493b1eaaecfa09

SHA512
c51bf36a006319815c5f9acce5ef601af1c8b5643446cb5b1486db4434e10166be6a3cde63f9a1ced95fe9222396575421ddf44bdeb31229e24272b7390066b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kobotv1\system.bat

Filesize
147B

MD5
c4264953329c6d059abe32139da69ced

SHA1
15d5bbd88c09353d94ffadb50e6509361444c126

SHA256
592a6f742be69868b5253b6609ad809854add917509686c2a856c6f0023eda3f

SHA512
c55db54754b90eb7a818735250721d5d25960d4830ef7b62cfde716a35631c9ef46e235f672eb32922586d61ba270fe59b7ff585db6830cf072d648dd9e658fe

Download Submit
C:\Users\Admin\AppData\Local\dllhost.exe

Filesize
51KB

MD5
e61c5a183090ed1815db33f18a9d7446

SHA1
7a2a17387126ed881897e83b30e24a43c263aff1

SHA256
c695d51702db9b2163705615987dc1ca612a9acca3cf21f159226372ad027363

SHA512
3e952a3d8caed102f958bf8be65a8fea83bcc46e41f933b8e8b145fd0db7649638675261ad7a704b2e961b8a8aade527398f562acd804d97a66666f23c5f7cf7

Download Submit
C:\Users\Admin\AppData\Local\dllhost.exe

Filesize
51KB

MD5
e61c5a183090ed1815db33f18a9d7446

SHA1
7a2a17387126ed881897e83b30e24a43c263aff1

SHA256
c695d51702db9b2163705615987dc1ca612a9acca3cf21f159226372ad027363

SHA512
3e952a3d8caed102f958bf8be65a8fea83bcc46e41f933b8e8b145fd0db7649638675261ad7a704b2e961b8a8aade527398f562acd804d97a66666f23c5f7cf7

Download Submit
C:\Users\Admin\AppData\Local\ntcheck.dll

Filesize
93KB

MD5
eb28b77b082f0c2a0d55b6a8d60fddbc

SHA1
61f1468f38791b200363e91649450369fd2e6553

SHA256
044837c29db1ad362ddafc7d48c951cb96876e84ee0515bcddbdaf5804f545ef

SHA512
6d86f39c6f3690f7e728f5bcd900b56023860a421c5d305321187dff33db88eafa7222e60f16f6bb194924ddf257e058808f7ee71302e2f26b6b0baad1d3ccb2

Download Submit
C:\Users\Admin\AppData\Local\ntcheck.dll

Filesize
93KB

MD5
eb28b77b082f0c2a0d55b6a8d60fddbc

SHA1
61f1468f38791b200363e91649450369fd2e6553

SHA256
044837c29db1ad362ddafc7d48c951cb96876e84ee0515bcddbdaf5804f545ef

SHA512
6d86f39c6f3690f7e728f5bcd900b56023860a421c5d305321187dff33db88eafa7222e60f16f6bb194924ddf257e058808f7ee71302e2f26b6b0baad1d3ccb2

Download Submit
C:\Users\Admin\AppData\Local\ntcheck.dll

Filesize
93KB

MD5
eb28b77b082f0c2a0d55b6a8d60fddbc

SHA1
61f1468f38791b200363e91649450369fd2e6553

SHA256
044837c29db1ad362ddafc7d48c951cb96876e84ee0515bcddbdaf5804f545ef

SHA512
6d86f39c6f3690f7e728f5bcd900b56023860a421c5d305321187dff33db88eafa7222e60f16f6bb194924ddf257e058808f7ee71302e2f26b6b0baad1d3ccb2

Download Submit
C:\Users\Admin\AppData\Local\ntcheck.dll

Filesize
93KB

MD5
eb28b77b082f0c2a0d55b6a8d60fddbc

SHA1
61f1468f38791b200363e91649450369fd2e6553

SHA256
044837c29db1ad362ddafc7d48c951cb96876e84ee0515bcddbdaf5804f545ef

SHA512
6d86f39c6f3690f7e728f5bcd900b56023860a421c5d305321187dff33db88eafa7222e60f16f6bb194924ddf257e058808f7ee71302e2f26b6b0baad1d3ccb2

Download Submit
C:\Users\Admin\AppData\Local\ntcheck.dll

Filesize
93KB

MD5
eb28b77b082f0c2a0d55b6a8d60fddbc

SHA1
61f1468f38791b200363e91649450369fd2e6553

SHA256
044837c29db1ad362ddafc7d48c951cb96876e84ee0515bcddbdaf5804f545ef

SHA512
6d86f39c6f3690f7e728f5bcd900b56023860a421c5d305321187dff33db88eafa7222e60f16f6bb194924ddf257e058808f7ee71302e2f26b6b0baad1d3ccb2

Download Submit
memory/1668-148-0x0000000003B50000-0x0000000003B6C000-memory.dmp

Filesize
112KB

Download
memory/3824-142-0x0000000000860000-0x000000000087C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads