Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 17:17
Static task: static1
Behavioral task: behavioral1
- Sample: 57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe
- Resource: win10v2004-20220812-en
General
- Target: 57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe
- Size: 296KB
- MD5: 07a692f6972743eca5edc3871fa76a78
- SHA1: ab50745a40e8bdcce585f4a5f60ea0b590ceb6de
- SHA256: 57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337
- SHA512: da0c550baf382d269ef5044cbaaf0c6f85738fef7650e3e3dbfc5fc7042443bc2bd21c13c00fb44aa038aaf89f93ed079b207b4dc83fe390739cb491e69f993f
- SSDEEP: 6144:EzM2xFRGhqb7IT4pO6JK/fObT/bGiWtBcMf1YUQiCgfAJDq2ijxLzOwhd:6DxFRp7IT4pO6JK/fObT/bGiWt/YUQif
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Processes: 57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe, kitip.exe
  - Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (kitip.exe)
- Executes dropped EXE (1 IoCs)
  Processes: kitip.exe
  - PID 4824 kitip.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe
  - Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe)
- Adds Run key to start application (2 TTPs, 55 IoCs)
  Processes: kitip.exe, 57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe, kitip.exe
  - PID 336 57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe (2 entries)
  - PID 4824 kitip.exe (62 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe, kitip.exe
  - PID 336 57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe
  - PID 4824 kitip.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe
  - PID 336 (57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe) wrote to memory of PID 4824 (kitip.exe), reported 3 times
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe (command line: "C:\Users\Admin\AppData\Local\Temp\57b90b1a21bb89a34eb784dd926e56d08e4d7d73bca4f83610fc2e5dbb1f8337.exe")
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\kitip.exe (command line: "C:\Users\Admin\kitip.exe")
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\kitip.exe
  - Filesize: 296KB
  - MD5: c6039a894146800bf041f967ffd00987
  - SHA1: 010cbe709bfb34e9478cc356b2fd802b9c55d7f5
  - SHA256: 275a962bd74ffbb66f80e090383cfd5c260e80bed91b47257ad3035afceafd08
  - SHA512: 9afce4a47a7bd94596cc26ca8e32b44d50c80c53e4991588acd8d2d605a7c716504397b1303072040baefe89e51ab1f1af77d324bf604a9b7f90fd87f4c4c202
- memory/4824-134-0x0000000000000000-mapping.dmp