Analysis

  • max time kernel
    196s
  • max time network
    204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 20:56

General

  • Target

    2cc601515f340fc32b557a2f009e5ad47ff9bc4e4436060c9f6b0a75b0543b2b.exe

  • Size

    140KB

  • MD5

    43d864e644fceba34c844320f72e446e

  • SHA1

    48e69f0441fca99a81c380253b3a55a5d14d3cad

  • SHA256

    2cc601515f340fc32b557a2f009e5ad47ff9bc4e4436060c9f6b0a75b0543b2b

  • SHA512

    3d7e069451232de9658b217a26a1ee28d456555852e861106b432660a522f39a8e4d0c5abbd1e68869f5dfe215ebedf7183a2651ac1cec7777427061b1518da1

  • SSDEEP

    768:zCzMyyt4pd04q0zik+vhy7g0EM/LinbQO55yU:WveEn3+pCg0EUGQO+U

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 50 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2cc601515f340fc32b557a2f009e5ad47ff9bc4e4436060c9f6b0a75b0543b2b.exe
    "C:\Users\Admin\AppData\Local\Temp\2cc601515f340fc32b557a2f009e5ad47ff9bc4e4436060c9f6b0a75b0543b2b.exe"
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\kaolio.exe
      "C:\Users\Admin\kaolio.exe"
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3880

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\kaolio.exe

    Filesize

    140KB

    MD5

    ff0a220ea57bdfd46b801c935a9f4eb7

    SHA1

    e4348470b56c4896fe8b740d69d2828cf047a2ec

    SHA256

    8b894e71ae5c6e145876a02fde2b9e88b9af0803333e72a5976a785f0562212f

    SHA512

    8f3d731034cf5231814f83c727aeecfe08f65d9882456772e2466b7542a51cd4c841645b3d6dce8998fcabf35ecd283ea28698fb712ba2d0e9f4cbf2bbff024b