Analysis

  • max time kernel: 152s
  • max time network: 173s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01/12/2022, 04:40

General

  • Target: 5d881eefc83037949f4b04978acc2d53e509a9e7271ea7775eb316e81c3f3dce.exe
  • Size: 201KB
  • MD5: c1f8640b2eb12ee8b749266c6d18baf4
  • SHA1: eeb108167d5f2361455e3fc1bf53e742eb662f9a
  • SHA256: 5d881eefc83037949f4b04978acc2d53e509a9e7271ea7775eb316e81c3f3dce
  • SHA512: 0181b786609cdd571fcccb864b3b61d090efe3d7943d3bd7687a87e69bec85f28f92ca202be1bb4d08a8be7933d8765369ddcf554ca326365241d6456832c8ee
  • SSDEEP: 6144:q73IMShLB/FuYYBJ0FgOPaPPOzYlndZzRGkvVZJ5:q7/uBNg0FD9MldZzRLn

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Sets service image path in registry 2 TTPs 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 6 IoCs
  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d881eefc83037949f4b04978acc2d53e509a9e7271ea7775eb316e81c3f3dce.exe
    "C:\Users\Admin\AppData\Local\Temp\5d881eefc83037949f4b04978acc2d53e509a9e7271ea7775eb316e81c3f3dce.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Installs/modifies Browser Helper Object
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s /c C:\Windows\system32\kakubi.dll
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:4744
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Coor.bat
      2⤵
      PID:2776

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Coor.bat
    Filesize: 178B
    MD5: b684b415dc1cdcf1680f25f97bcaf049
    SHA1: df65baebdbb39df2b2bd2e49f926e0035fe31cf8
    SHA256: 78d6653890d20b50f4716fa6eb1f606c610e252d76d5ec2d964a4e9e33a52b57
    SHA512: 2c415d77d351c385c1a3a6e9e0ddbd35fc6248f57a03cf2580d3d3d650d786b09ead3e1cc5a81da5a57c7be1f75fd59b912f8b6efff8b96463bf604ec6756278

  • C:\Windows\SysWOW64\kakubi.dll
    Filesize: 196KB
    MD5: 6946c168062ed81bceec0ebde08342b5
    SHA1: 25d74656228cccf8fac34c41e58e680d0ee063e0
    SHA256: 993c8b31abfd268d5723b7f82d52a1ccff50d621dde8b5972b57c35b112b7539
    SHA512: d27d92ac5d115d94206a57a90e84e38635d79f50a158ccfcb0ca840c8bbc1ceea93c8a7a42bff5108a9ff5b8aa26d52f77218fc593f2b2488cac04967ae0faee

  • memory/4180-132-0x0000000000D20000-0x0000000000DA0000-memory.dmp
    Filesize: 512KB

  • memory/4180-133-0x0000000001000000-0x00000000010CD000-memory.dmp
    Filesize: 820KB

  • memory/4180-134-0x0000000000D20000-0x0000000000DA0000-memory.dmp
    Filesize: 512KB

  • memory/4180-135-0x0000000000EE0000-0x0000000000EF0000-memory.dmp
    Filesize: 64KB

  • memory/4180-139-0x0000000001000000-0x00000000010CD000-memory.dmp
    Filesize: 820KB

  • memory/4180-141-0x0000000001000000-0x00000000010CD000-memory.dmp
    Filesize: 820KB