b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0

General

Target

b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe
Size

284KB
MD5

e31f18ab7098094ebe231b8610cc33fa
SHA1

845fb57ef5a08c181b78ef253f8fd29a1951fe51
SHA256

b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0
SHA512

7af11fbaaa919dd3edc89ef0f81ee72f064a3090bf5d0aac743ac6fc863639a51369811197e40f5a0af5051a1643ab2d4c38db6c4702e56677083c974f3063b8
SSDEEP

6144:4SrC1W7yNpCRcPMNeN+cP8L6v6z/7A012XbYkmq3X8sjcb:eGR+66v6z/Mekmqt

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

NTKernesl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Windows\\SysWOW64\\NT Kernels\\NTKernesl.exe\""	NTKernesl.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

NTKernesl.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NTKernesl.exe

Executes dropped EXE 1 IoCs

Processes:

NTKernesl.exe

pid process

540 NTKernesl.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NTKernesl.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDMain.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "nqij.exe"	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFiles.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\Debugger = "nqij.exe"	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDMain.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe\Debugger = "nqij.exe"	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWinSec.exe\Debugger = "nqij.exe"	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "nqij.exe"	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NTKernesl.exe\DisableExceptionChainValidation	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "nqij.exe"	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFiles.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWinSec.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "nqij.exe"	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blindman.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "nqij.exe"	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "nqij.exe"	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe\Debugger = "nqij.exe"	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "nqij.exe"	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blindman.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "nqij.exe"	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "nqij.exe"	NTKernesl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "nqij.exe"	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe	NTKernesl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe	NTKernesl.exe

Loads dropped DLL 1 IoCs

Processes:

b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe

pid process

992 b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe

pid	process
992	b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe

Drops file in System32 directory 3 IoCs

Processes:

b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\NT Kernels\	b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe
File created	C:\Windows\SysWOW64\NT Kernels\NTKernesl.exe	b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe
File opened for modification	C:\Windows\SysWOW64\NT Kernels\NTKernesl.exe	b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

NTKernesl.exe

pid	process
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe
540	NTKernesl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NTKernesl.exe

pid process

540 NTKernesl.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe

pid process

992 b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NTKernesl.exe

description pid process

Token: SeDebugPrivilege 540 NTKernesl.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

NTKernesl.exe

pid process

540 NTKernesl.exe

pid	process
992	b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe

description	pid	process
Token: SeDebugPrivilege	540	NTKernesl.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe

description	pid	process	target process
PID 992 wrote to memory of 540	992	b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe	NTKernesl.exe
PID 992 wrote to memory of 540	992	b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe	NTKernesl.exe
PID 992 wrote to memory of 540	992	b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe	NTKernesl.exe
PID 992 wrote to memory of 540	992	b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe	NTKernesl.exe

C:\Users\Admin\AppData\Local\Temp\b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe
"C:\Users\Admin\AppData\Local\Temp\b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\SysWOW64\NT Kernels\NTKernesl.exe
  "C:\Windows\system32\NT Kernels\NTKernesl.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Sets file execution options in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NT Kernels\NTKernesl.exe

Filesize
284KB

MD5
e31f18ab7098094ebe231b8610cc33fa

SHA1
845fb57ef5a08c181b78ef253f8fd29a1951fe51

SHA256
b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0

SHA512
7af11fbaaa919dd3edc89ef0f81ee72f064a3090bf5d0aac743ac6fc863639a51369811197e40f5a0af5051a1643ab2d4c38db6c4702e56677083c974f3063b8

Download Submit
C:\Windows\SysWOW64\NT Kernels\NTKernesl.exe

Filesize
284KB

MD5
e31f18ab7098094ebe231b8610cc33fa

SHA1
845fb57ef5a08c181b78ef253f8fd29a1951fe51

SHA256
b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0

SHA512
7af11fbaaa919dd3edc89ef0f81ee72f064a3090bf5d0aac743ac6fc863639a51369811197e40f5a0af5051a1643ab2d4c38db6c4702e56677083c974f3063b8

Download Submit
\Windows\SysWOW64\NT Kernels\NTKernesl.exe

Filesize
284KB

MD5
e31f18ab7098094ebe231b8610cc33fa

SHA1
845fb57ef5a08c181b78ef253f8fd29a1951fe51

SHA256
b98e0eee223793ca9e7a64ea31f2244e5b0701520b35df4a36f64342f8d53da0

SHA512
7af11fbaaa919dd3edc89ef0f81ee72f064a3090bf5d0aac743ac6fc863639a51369811197e40f5a0af5051a1643ab2d4c38db6c4702e56677083c974f3063b8

Download Submit
memory/540-57-0x0000000000000000-mapping.dmp

Download
memory/540-61-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/540-63-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/992-54-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/992-55-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/992-62-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/992-64-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads