ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989

Analysis

max time kernel
62s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe
Size

477KB
MD5

12ab1e4f289b90d9898768f9370f392c
SHA1

4940b25e32c4210b94dce806fba276272892a683
SHA256

ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989
SHA512

d2a973294823cb025c8f4c3813a7877779ff43d9ed3a90132daed949fa5dc124cae160201366f34977da013433af6febb45dc4758a47f54cc95452e1644214fd
SSDEEP

12288:FsvU983wtVMtkaMjY6r+kRkBb63vd1Mp8upU5ks4FW:FF2wAOt+w2Y1Mp8ul4

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

T3K9ZAW7.exewot.exexot.exelpmey.exe

pid process

1280 T3K9ZAW7.exe
3444 wot.exe
4548 xot.exe
4148 lpmey.exe

pid	process
1280	T3K9ZAW7.exe
3444	wot.exe
4548	xot.exe
4148	lpmey.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

T3K9ZAW7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	T3K9ZAW7.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4224 rundll32.exe
2628 rundll32.exe

pid	process
4224	rundll32.exe
2628	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qridazu = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\KBDAUF.dll\",Startup"	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

wot.exe

description ioc process

File opened for modification \??\physicaldrive0 wot.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

T3K9ZAW7.exerundll32.exe

pid process

1280 T3K9ZAW7.exe
1280 T3K9ZAW7.exe
4224 rundll32.exe
4224 rundll32.exe
1280 T3K9ZAW7.exe
1280 T3K9ZAW7.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wot.exe

description pid process

Token: SeShutdownPrivilege 3444 wot.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

T3K9ZAW7.exe

pid process

1280 T3K9ZAW7.exe

description	ioc	process
File opened for modification	\??\physicaldrive0	wot.exe

pid	process
1280	T3K9ZAW7.exe
1280	T3K9ZAW7.exe
4224	rundll32.exe
4224	rundll32.exe
1280	T3K9ZAW7.exe
1280	T3K9ZAW7.exe

description	pid	process
Token: SeShutdownPrivilege	3444	wot.exe

pid	process
1280	T3K9ZAW7.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exexot.exerundll32.exe

description	pid	process	target process
PID 4624 wrote to memory of 1280	4624	ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe	T3K9ZAW7.exe
PID 4624 wrote to memory of 1280	4624	ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe	T3K9ZAW7.exe
PID 4624 wrote to memory of 1280	4624	ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe	T3K9ZAW7.exe
PID 4624 wrote to memory of 3444	4624	ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe	wot.exe
PID 4624 wrote to memory of 3444	4624	ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe	wot.exe
PID 4624 wrote to memory of 3444	4624	ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe	wot.exe
PID 4624 wrote to memory of 4548	4624	ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe	xot.exe
PID 4624 wrote to memory of 4548	4624	ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe	xot.exe
PID 4624 wrote to memory of 4548	4624	ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe	xot.exe
PID 4624 wrote to memory of 3204	4624	ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe	cmd.exe
PID 4624 wrote to memory of 3204	4624	ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe	cmd.exe
PID 4624 wrote to memory of 3204	4624	ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe	cmd.exe
PID 4548 wrote to memory of 4224	4548	xot.exe	rundll32.exe
PID 4548 wrote to memory of 4224	4548	xot.exe	rundll32.exe
PID 4548 wrote to memory of 4224	4548	xot.exe	rundll32.exe
PID 4224 wrote to memory of 2628	4224	rundll32.exe	rundll32.exe
PID 4224 wrote to memory of 2628	4224	rundll32.exe	rundll32.exe
PID 4224 wrote to memory of 2628	4224	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe
"C:\Users\Admin\AppData\Local\Temp\ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\T3K9ZAW7.exe
  T3K9ZAW7.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1280
- - C:\Users\Admin\lpmey.exe
    "C:\Users\Admin\lpmey.exe"
    3⤵
    - Executes dropped EXE
    PID:4148
- C:\Users\Admin\wot.exe
  wot.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:3444
- C:\Users\Admin\xot.exe
  xot.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\KBDAUF.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\KBDAUF.dll",iep
      4⤵
      Loads dropped DLL
      PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del ae0665acff6dbc3b259e9baef24d10094880f32e7a4e354741561fcb3a2ac989.exe
  2⤵
  PID:3204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KBDAUF.dll

Filesize
103KB

MD5
b830953856e06807f6419663f6d05cc6

SHA1
1985aa83dbcaad52a6098a7bffcd8688f0d203aa

SHA256
ed89baf97368e00ae45aa798fda02ed521557898bd6c9c50b2b98a035dceb81e

SHA512
6553f322de9e87e3bff14a08c500b69aa2ce3a0946e25bf9464c7d7dca22d96ef2da2fe00ed86e2d687a9f8f4345ab5189130a7c95606275df19d2f9169b354b

Download Submit
C:\Users\Admin\AppData\Local\KBDAUF.dll

Filesize
103KB

MD5
b830953856e06807f6419663f6d05cc6

SHA1
1985aa83dbcaad52a6098a7bffcd8688f0d203aa

SHA256
ed89baf97368e00ae45aa798fda02ed521557898bd6c9c50b2b98a035dceb81e

SHA512
6553f322de9e87e3bff14a08c500b69aa2ce3a0946e25bf9464c7d7dca22d96ef2da2fe00ed86e2d687a9f8f4345ab5189130a7c95606275df19d2f9169b354b

Download Submit
C:\Users\Admin\AppData\Local\KBDAUF.dll

Filesize
103KB

MD5
b830953856e06807f6419663f6d05cc6

SHA1
1985aa83dbcaad52a6098a7bffcd8688f0d203aa

SHA256
ed89baf97368e00ae45aa798fda02ed521557898bd6c9c50b2b98a035dceb81e

SHA512
6553f322de9e87e3bff14a08c500b69aa2ce3a0946e25bf9464c7d7dca22d96ef2da2fe00ed86e2d687a9f8f4345ab5189130a7c95606275df19d2f9169b354b

Download Submit
C:\Users\Admin\T3K9ZAW7.exe

Filesize
140KB

MD5
13af4de26b3ee9d02e8dd721f6b81fe9

SHA1
6036d52a71cc9a5f176db6d40cdea0e8d1b023ce

SHA256
10301813c139bbb2f2cbc5a47a8b78989c37cf56bfcdf8cbb2fd324057a799e3

SHA512
05c69348ac57578fdf81c035350ee6856ee17a72c1c1359013d5ec50430804c781753eb995870262157ba557c102285a4b012c2e53a73971213d9fdb269faa66

Download Submit
C:\Users\Admin\T3K9ZAW7.exe

Filesize
140KB

MD5
13af4de26b3ee9d02e8dd721f6b81fe9

SHA1
6036d52a71cc9a5f176db6d40cdea0e8d1b023ce

SHA256
10301813c139bbb2f2cbc5a47a8b78989c37cf56bfcdf8cbb2fd324057a799e3

SHA512
05c69348ac57578fdf81c035350ee6856ee17a72c1c1359013d5ec50430804c781753eb995870262157ba557c102285a4b012c2e53a73971213d9fdb269faa66

Download Submit
C:\Users\Admin\lpmey.exe

Filesize
140KB

MD5
970b2ed3a118823db1251281d8fe5174

SHA1
1dfeb26c359b334023542617b04d0090ab5f3a0e

SHA256
a0e6664b4e23f3c0c1f5e113269b038b865dafbab01951a965234f47e3f8f6f8

SHA512
5783db0445f5439330bc091836f82b027b217e98852c41e7a67dc7ab725b0925fbe5d9275d23e9a06e9b92855b93304f0d9fee2cb68a90006b48cbb833b8fddb

Download Submit
C:\Users\Admin\wot.exe

Filesize
175KB

MD5
c9b7e9a83250faf3135bb70343030c16

SHA1
f738cf9018d564ec802b684e38b54ecdf0a679f6

SHA256
26d3130abf8d1f0d234e7be1f28de877d7ae871ec96f179f9d49d8156c20c1ea

SHA512
2c574af59c9131a2917024f644176ca6311e6433be53d9602e4db873d01da16f9e1f4dc7952b9b667a4f8fac346037e30d5337db5cd895c13b51635c44a024c4

Download Submit
C:\Users\Admin\wot.exe

Filesize
175KB

MD5
c9b7e9a83250faf3135bb70343030c16

SHA1
f738cf9018d564ec802b684e38b54ecdf0a679f6

SHA256
26d3130abf8d1f0d234e7be1f28de877d7ae871ec96f179f9d49d8156c20c1ea

SHA512
2c574af59c9131a2917024f644176ca6311e6433be53d9602e4db873d01da16f9e1f4dc7952b9b667a4f8fac346037e30d5337db5cd895c13b51635c44a024c4

Download Submit
C:\Users\Admin\xot.exe

Filesize
103KB

MD5
b47a4d45ef404a997dcd2f98fe4a1420

SHA1
e55a876e4098a705be35e1a9c78c65a97ae5f27d

SHA256
9863f46ae1d3e2f835b713e2fb32c831e27941b4cdbb11663780e2101df6289b

SHA512
1f83decef10da3e7537dde84cebfd4ec2ca7dab05e3fb72237ad2d627f544d493d501822bf0927bc3cc061442cbe779cf054b87da1decc77a3b9eb6fa07ebd20

Download Submit
C:\Users\Admin\xot.exe

Filesize
103KB

MD5
b47a4d45ef404a997dcd2f98fe4a1420

SHA1
e55a876e4098a705be35e1a9c78c65a97ae5f27d

SHA256
9863f46ae1d3e2f835b713e2fb32c831e27941b4cdbb11663780e2101df6289b

SHA512
1f83decef10da3e7537dde84cebfd4ec2ca7dab05e3fb72237ad2d627f544d493d501822bf0927bc3cc061442cbe779cf054b87da1decc77a3b9eb6fa07ebd20

Download Submit
memory/1280-132-0x0000000000000000-mapping.dmp

Download
memory/2628-159-0x0000000002931000-0x000000000293F000-memory.dmp

Filesize
56KB

Download
memory/2628-156-0x0000000000000000-mapping.dmp

Download
memory/3204-142-0x0000000000000000-mapping.dmp

Download
memory/3444-141-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3444-147-0x0000000002160000-0x00000000021B7000-memory.dmp

Filesize
348KB

Download
memory/3444-155-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3444-135-0x0000000000000000-mapping.dmp

Download
memory/3444-149-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3444-152-0x0000000002160000-0x00000000021B7000-memory.dmp

Filesize
348KB

Download
memory/4224-146-0x0000000000000000-mapping.dmp

Download
memory/4224-154-0x0000000002C61000-0x0000000002C6F000-memory.dmp

Filesize
56KB

Download
memory/4224-153-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/4548-148-0x00000000023C1000-0x00000000023CF000-memory.dmp

Filesize
56KB

Download
memory/4548-143-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/4548-138-0x0000000000000000-mapping.dmp

Download