Analysis
Max time kernel: 159s
Max time network: 192s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-11-2022 15:29
Static task: static1
Behavioral task: behavioral1
  Sample: 0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe
  Resource: win10v2004-20221111-en
General
Target: 0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe
Size: 4.3MB
MD5: b8092937a760b9f980ce16dd9ee3c30b
SHA1: 38a791ed9f686be2f52af150068d559a0e20438c
SHA256: 0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74
SHA512: 5b108c82680f90bdb13302637121ead3dc695aa12cfe4601ebfe1fd22d1a7cfe5a8b115fbcc66c808b98533639153e2a344eb27f2c5b3cc539fab9d9c48fd07c
SSDEEP: 98304:e2jdjPIfemO03apjas05xwgcTygnKyj/RFCpHkP:emytrsQbcu9yjpspE
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    3048  KAJ.exe
    3320  Hack Boom V2.0.exe
- Processes:
    resource                                                                        yara_rule
    C:\Users\Admin\AppData\Local\Temp\Hack Boom V2.0.exe                            upx
    C:\Users\Admin\AppData\Local\Temp\Hack Boom V2.0.exe                            upx
    behavioral2/memory/3320-142-0x0000000000400000-0x0000000000970000-memory.dmp    upx
    behavioral2/memory/3320-153-0x0000000000400000-0x0000000000970000-memory.dmp    upx
    behavioral2/memory/3320-154-0x0000000000400000-0x0000000000970000-memory.dmp    upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description        ioc                                                                                                  process
    Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe
- Loads dropped DLL (4 IoCs)
  Processes:
    pid   process
    3048  KAJ.exe
    3048  KAJ.exe
    3320  Hack Boom V2.0.exe
    3320  Hack Boom V2.0.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                              process
    Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                      KAJ.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KAJ Start = "C:\\ProgramData\\YPNYTD\\KAJ.exe"  KAJ.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    3048  KAJ.exe
    3048  KAJ.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    3048  KAJ.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
    pid   process
    3048  KAJ.exe
    3048  KAJ.exe
    3048  KAJ.exe
    3048  KAJ.exe
    3048  KAJ.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process                                                                  target process
    PID 1668 wrote to memory of 3048  1668  0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe  KAJ.exe
    PID 1668 wrote to memory of 3048  1668  0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe  KAJ.exe
    PID 1668 wrote to memory of 3048  1668  0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe  KAJ.exe
    PID 1668 wrote to memory of 3320  1668  0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe  Hack Boom V2.0.exe
    PID 1668 wrote to memory of 3320  1668  0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe  Hack Boom V2.0.exe
    PID 1668 wrote to memory of 3320  1668  0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe  Hack Boom V2.0.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe  "C:\Users\Admin\AppData\Local\Temp\0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\YPNYTD\KAJ.exe  "C:\ProgramData\YPNYTD\KAJ.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\Hack Boom V2.0.exe  "C:\Users\Admin\AppData\Local\Temp\Hack Boom V2.0.exe"
    - Executes dropped EXE
    - Loads dropped DLL
Network
Downloads
- C:\ProgramData\YPNYTD\KAJ.00
  Filesize: 2KB
  MD5: fc09febf80d872e78f0e9f79a750c7a9
  SHA1: 5911097c41bd4d5ce571c3ea4b3bb420df9019e6
  SHA256: e3f249544a68f9b986f6699c004f8b83f0074e1459afc23b1729a6c541a395da
  SHA512: 3744aaf763e07ce9ecb599137bf0a12641d8b6e606494a8a5fcd29b81f0389fb7bdc29eecd330a5717ab68c690c8070fa4226ec011c02206c01dd84402f95405
- C:\ProgramData\YPNYTD\KAJ.01
  Filesize: 80KB
  MD5: 937a093149c51e37a784741bf2ee79d5
  SHA1: 81d553d04fd0069a5d7b6e1ee924830bda1cbf6f
  SHA256: 65e993058050d1c65a9f6f4143e7b6eb9e8b6cfbad5092b358561810dc1a151e
  SHA512: 2df0ddcf606906ea1f2caf48fd1a045e58c69b8cd3627096a1ecca86911b6aa97ed04f4ccc8a10d53dd497a5ff01a6a2db4791f21b56c0ba6db6e9477df0f51e
- C:\ProgramData\YPNYTD\KAJ.exe
  Filesize: 2.4MB
  MD5: 8369917bdbb08ed9084c0ee018084963
  SHA1: 4052f231e820dc7018326f0ad8022d549d0e73d5
  SHA256: 5f4928a65de5e4c9cd706074113a33a5f4a64d1888d8174acd228b2c349a46a5
  SHA512: 55b0307dae954c397ee3c11721715195a200205dc7e9593b13044502ba5618198b37327d57847e33cea17cf1d61cf8f961031fa13914f3fcc57c4b0ab887ea78
- C:\Users\Admin\AppData\Local\Temp\Hack Boom V2.0.exe
  Filesize: 2.0MB
  MD5: 7acb82ab3168ec3b696e3ad360b0d260
  SHA1: fa52cbbb7fb5df5b18e43aa5440fd351705c484f
  SHA256: 1411c9fbad2d5efb025188cfd025b874612b8acf1c4247f25c2dd4c0d8443e0f
  SHA512: 352fc5d308c5568922171d4e2a880509aff4185753ad14484f5164ae799c44faa9f63ede7366a4a5931cf3f16902ee2a4b06c725c4253ad88af4ec64b13fe419
Memory dumps
- memory/1668-132-0x00000000002A0000-0x00000000006FD000-memory.dmp
  Filesize: 4.4MB
- memory/1668-140-0x00000000002A0000-0x00000000006FD000-memory.dmp
  Filesize: 4.4MB
- memory/3048-151-0x0000000000DA0000-0x0000000000DB9000-memory.dmp
  Filesize: 100KB
- memory/3048-133-0x0000000000000000-mapping.dmp
- memory/3048-146-0x0000000000DA1000-0x0000000000DB0000-memory.dmp
  Filesize: 60KB
- memory/3048-145-0x0000000000DA0000-0x0000000000DB9000-memory.dmp
  Filesize: 100KB
- memory/3320-149-0x00000000010E0000-0x00000000010F9000-memory.dmp
  Filesize: 100KB
- memory/3320-142-0x0000000000400000-0x0000000000970000-memory.dmp
  Filesize: 5.4MB
- memory/3320-150-0x00000000010E1000-0x00000000010F0000-memory.dmp
  Filesize: 60KB
- memory/3320-136-0x0000000000000000-mapping.dmp
- memory/3320-152-0x00000000010E0000-0x00000000010F9000-memory.dmp
  Filesize: 100KB
- memory/3320-153-0x0000000000400000-0x0000000000970000-memory.dmp
  Filesize: 5.4MB
- memory/3320-154-0x0000000000400000-0x0000000000970000-memory.dmp
  Filesize: 5.4MB
- memory/3320-155-0x00000000010E0000-0x00000000010F9000-memory.dmp
  Filesize: 100KB