23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d

General

Target

23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe
Size

395KB
MD5

be6b8c427a4559058d53a5401392f746
SHA1

f3b6aa6e0e9d6ba1d708f1a1437ef39a99d6b80e
SHA256

23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d
SHA512

0ad548d5fbe1ad3a5bd2aaeb3598baa3861a49894b010fb914dee9d44e41ddfb2255e9cff5b87a31c3d58da23578787c065589ca69b8678c97f66e97743b04e5
SSDEEP

6144:K8R2Rkz3xBb+XflYP4ZJhjaYYXDMBL3cN8a0SF1TCqzeH+kL:zwg3zqlYPsJhjEMBLm8Adaek

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

kynxfron.exe

pid process

960 kynxfron.exe

pid	process
960	kynxfron.exe

Loads dropped DLL 2 IoCs

Processes:

23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe

pid	process
1552	23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe
1552	23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kynxfron.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QkU2QjhDNDI3QTQ1NTkwNT = "C:\\ProgramData\\kynxfron.exe"	kynxfron.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exekynxfron.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	kynxfron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	kynxfron.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exekynxfron.exe

description	pid	process
Token: SeDebugPrivilege	1552	23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe
Token: SeDebugPrivilege	960	kynxfron.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

576 DllHost.exe

pid	process
576	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe

description	pid	process	target process
PID 1552 wrote to memory of 960	1552	23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe	kynxfron.exe
PID 1552 wrote to memory of 960	1552	23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe	kynxfron.exe
PID 1552 wrote to memory of 960	1552	23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe	kynxfron.exe
PID 1552 wrote to memory of 960	1552	23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe	kynxfron.exe

C:\Users\Admin\AppData\Local\Temp\23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe
"C:\Users\Admin\AppData\Local\Temp\23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\ProgramData\kynxfron.exe
"C:\ProgramData\kynxfron.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kynxfron.exe

Filesize
395KB

MD5
be6b8c427a4559058d53a5401392f746

SHA1
f3b6aa6e0e9d6ba1d708f1a1437ef39a99d6b80e

SHA256
23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d

SHA512
0ad548d5fbe1ad3a5bd2aaeb3598baa3861a49894b010fb914dee9d44e41ddfb2255e9cff5b87a31c3d58da23578787c065589ca69b8678c97f66e97743b04e5

Download Submit
C:\ProgramData\kynxfron.exe

Filesize
395KB

MD5
be6b8c427a4559058d53a5401392f746

SHA1
f3b6aa6e0e9d6ba1d708f1a1437ef39a99d6b80e

SHA256
23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d

SHA512
0ad548d5fbe1ad3a5bd2aaeb3598baa3861a49894b010fb914dee9d44e41ddfb2255e9cff5b87a31c3d58da23578787c065589ca69b8678c97f66e97743b04e5

Download Submit
C:\Users\Admin\AppData\Roaming\1.JPG

Filesize
31KB

MD5
b215c2a2085a99d36e6b02f9b66f5e17

SHA1
826df4c253854e128cf6651664a1c99c68f70eae

SHA256
0a9c6274c284c4fa5787ce670690f398cefb4859103dd9abd327e2836ccf09d1

SHA512
bd5f7865937601d1bcdb063513d4873747bebfe88114a457404922c2f4cc3b6d903de24c4f94ae3b4f933112e5184fef9be8394ede720fcc83254f675c63f50a

Download Submit
\ProgramData\kynxfron.exe

Filesize
395KB

MD5
be6b8c427a4559058d53a5401392f746

SHA1
f3b6aa6e0e9d6ba1d708f1a1437ef39a99d6b80e

SHA256
23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d

SHA512
0ad548d5fbe1ad3a5bd2aaeb3598baa3861a49894b010fb914dee9d44e41ddfb2255e9cff5b87a31c3d58da23578787c065589ca69b8678c97f66e97743b04e5

Download Submit
\ProgramData\kynxfron.exe

Filesize
395KB

MD5
be6b8c427a4559058d53a5401392f746

SHA1
f3b6aa6e0e9d6ba1d708f1a1437ef39a99d6b80e

SHA256
23dca5183718b01edbd2a1e00e7b88ffd60c224f829c00850e3c2be0049ae54d

SHA512
0ad548d5fbe1ad3a5bd2aaeb3598baa3861a49894b010fb914dee9d44e41ddfb2255e9cff5b87a31c3d58da23578787c065589ca69b8678c97f66e97743b04e5

Download Submit
memory/960-61-0x0000000000000000-mapping.dmp

Download
memory/960-66-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/960-67-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/1552-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1552-55-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/1552-57-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/1552-65-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads