8337275001b9ac1733dd7b1f767da2f0ab03542e6f7c0f9e92a8c67e62e923e1

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8337275001b9ac1733dd7b1f767da2f0ab03542e6f7c0f9e92a8c67e62e923e1.exe
Size

461KB
MD5

74d2bf6d1fc3b9c4c84d9dca4c1358b2
SHA1

96912aedbc15219f67315d0b0604d824654a1f99
SHA256

8337275001b9ac1733dd7b1f767da2f0ab03542e6f7c0f9e92a8c67e62e923e1
SHA512

26544370e3095945552a018d6274f0d279209a0b927b46d9b796095ac99e77cb1c4b350a543dd905a3b261f030d78b9023d61ea9e68f591c79d8599c4db126c3
SSDEEP

12288:9W4tXwttnCbC5ALLTBwBCax1aV5hXtMONFE:9WGX1bCOLLTBwgvV5hyh

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1696	rinst.exe
4460	glider key.exe
392	kagas.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e0f-136.dat	upx
behavioral2/files/0x0006000000022e0f-138.dat	upx
behavioral2/memory/4460-153-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/4460-154-0x0000000000400000-0x000000000047D000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	8337275001b9ac1733dd7b1f767da2f0ab03542e6f7c0f9e92a8c67e62e923e1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rinst.exe

Loads dropped DLL 4 IoCs

pid	Process
392	kagas.exe
4460	glider key.exe
4260	notepad.exe
5048	8337275001b9ac1733dd7b1f767da2f0ab03542e6f7c0f9e92a8c67e62e923e1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kagas = "C:\\Windows\\SysWOW64\\kagas.exe"	kagas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	kagas.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\kagas.exe	rinst.exe
File created	C:\Windows\SysWOW64\kagashk.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	kagas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
392	kagas.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4460	glider key.exe
4460	glider key.exe
392	kagas.exe
4460	glider key.exe
4460	glider key.exe
4460	glider key.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4460	glider key.exe
4460	glider key.exe
392	kagas.exe
392	kagas.exe
4460	glider key.exe
392	kagas.exe
4460	glider key.exe
392	kagas.exe
4460	glider key.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe
392	kagas.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 1696	5048	8337275001b9ac1733dd7b1f767da2f0ab03542e6f7c0f9e92a8c67e62e923e1.exe	81
PID 5048 wrote to memory of 1696	5048	8337275001b9ac1733dd7b1f767da2f0ab03542e6f7c0f9e92a8c67e62e923e1.exe	81
PID 5048 wrote to memory of 1696	5048	8337275001b9ac1733dd7b1f767da2f0ab03542e6f7c0f9e92a8c67e62e923e1.exe	81
PID 1696 wrote to memory of 4460	1696	rinst.exe	82
PID 1696 wrote to memory of 4460	1696	rinst.exe	82
PID 1696 wrote to memory of 4460	1696	rinst.exe	82
PID 1696 wrote to memory of 392	1696	rinst.exe	83
PID 1696 wrote to memory of 392	1696	rinst.exe	83
PID 1696 wrote to memory of 392	1696	rinst.exe	83
PID 4460 wrote to memory of 4260	4460	glider key.exe	84
PID 4460 wrote to memory of 4260	4460	glider key.exe	84
PID 4460 wrote to memory of 4260	4460	glider key.exe	84

C:\Users\Admin\AppData\Local\Temp\8337275001b9ac1733dd7b1f767da2f0ab03542e6f7c0f9e92a8c67e62e923e1.exe
"C:\Users\Admin\AppData\Local\Temp\8337275001b9ac1733dd7b1f767da2f0ab03542e6f7c0f9e92a8c67e62e923e1.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\glider key.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\glider key.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      Loads dropped DLL
      PID:4260
- - C:\Windows\SysWOW64\kagas.exe
    C:\Windows\system32\kagas.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\glider key.exe

Filesize
196KB

MD5
26df98a9e02fedbdc4eb644bf0a5c382

SHA1
ad0f7150fecab6a3da079c09a051bfde62bd713e

SHA256
568a2d2dc3460892dffb4543c207b4db5d4315f49d3d006de081addcdca9a805

SHA512
df7f1deb8318593887bf26f0ad16cf02867e47abdc81c8f591798ec87ccdb8a0fd830f780fb63241706eeb0a7b2682e488ec988f2c7072117a7bf13ae29da425

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\glider key.exe

Filesize
196KB

MD5
26df98a9e02fedbdc4eb644bf0a5c382

SHA1
ad0f7150fecab6a3da079c09a051bfde62bd713e

SHA256
568a2d2dc3460892dffb4543c207b4db5d4315f49d3d006de081addcdca9a805

SHA512
df7f1deb8318593887bf26f0ad16cf02867e47abdc81c8f591798ec87ccdb8a0fd830f780fb63241706eeb0a7b2682e488ec988f2c7072117a7bf13ae29da425

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
1KB

MD5
570c281a2ca4de36dfdf3f61ee737757

SHA1
bc14a54383c104fd2f061bfabff0e0f6acf7a87b

SHA256
401cc9a595aadadc8d8f0d0db28dd3828ef6c84fb1120450645ae6e08a652a4c

SHA512
6ead4583e7e553cdc9123e123bb268d48aa93566cb205b0ee89c7df1c448d6f13c7e14b1bd1453bbbb703f0c79f38a83f5dafbede4a92c1465bd52a57f743c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kagas.exe

Filesize
408KB

MD5
8764df70edc54e925c9c13c1330b005b

SHA1
535815ab7f00959dd2fafa3a156dd2f44b38c28a

SHA256
d87aaed3abf9ee3d6f79a2f70e5857e7893b078b2ffeb3bc34255705b9941a48

SHA512
414cdb26655d9ea6df960542a66cadffe5037ceda84584da4099fdd0b5629462cfe6bf35819ba0a0e080d995bdfd1e1e5ce6b26706175a37b18081afd75188a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kagashk.dll

Filesize
21KB

MD5
8e2c4fe6ebd9b74ea28ed845e761b0f8

SHA1
b10abdfcd5739e5df6685381c16bc165b63f5407

SHA256
96a5fac01a67e87f431a9861d4fdf8f7e353f0de660da5a23f85414ef5c36a99

SHA512
f8bd0cf3a3237ace1e06dbf797d54a8bf366d49dd61f185943bf74bcd25314292f0ab546a6e9a7b61ac8e975f0bbf44777fc3f80464ff3658934d5df458fa165

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
7KB

MD5
2ef4bdf8734e5da9372f46c8bb0b42b1

SHA1
ceeb6fbef73c0464b6cab2876723884e3ef68fbb

SHA256
29dcf5e3e89381480988352818f6b8d3d76417157ae1d02e3afe004983739df5

SHA512
ec8deb49ea8ebf4808e2c5a9ef3c25c7f29f854c30cda7e44bacdeab271a8c55c42185201a21a27f81f5b5e513bcfcd75b31e2e1447d43fcd7e9f715500725a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
C:\Windows\SysWOW64\inst.dat

Filesize
1KB

MD5
570c281a2ca4de36dfdf3f61ee737757

SHA1
bc14a54383c104fd2f061bfabff0e0f6acf7a87b

SHA256
401cc9a595aadadc8d8f0d0db28dd3828ef6c84fb1120450645ae6e08a652a4c

SHA512
6ead4583e7e553cdc9123e123bb268d48aa93566cb205b0ee89c7df1c448d6f13c7e14b1bd1453bbbb703f0c79f38a83f5dafbede4a92c1465bd52a57f743c1e

Download Submit
C:\Windows\SysWOW64\kagas.exe

Filesize
408KB

MD5
00f04e5eac2603967ff1bc14a3f21a86

SHA1
70c1d04e56748df5d89888ffbe708e61cef7e08c

SHA256
295eaadc9ce9b2907f193916d08e310015eaabb0ecd6e68564018c7555b3dbed

SHA512
411cb5be5411a24aafe52a50cf165990e8131ed34cf5df122fd7b6056848787d7615ae5d4cba2774a640dcb02ca48f6ffaca7839f245588ee425996c8f914702

Download Submit
C:\Windows\SysWOW64\kagas.exe

Filesize
408KB

MD5
00f04e5eac2603967ff1bc14a3f21a86

SHA1
70c1d04e56748df5d89888ffbe708e61cef7e08c

SHA256
295eaadc9ce9b2907f193916d08e310015eaabb0ecd6e68564018c7555b3dbed

SHA512
411cb5be5411a24aafe52a50cf165990e8131ed34cf5df122fd7b6056848787d7615ae5d4cba2774a640dcb02ca48f6ffaca7839f245588ee425996c8f914702

Download Submit
C:\Windows\SysWOW64\kagashk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\kagashk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\kagashk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\kagashk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\kagashk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
7KB

MD5
8564a81489e974ca17d5f8fa01db5791

SHA1
13222dcf470cafb9b867fc766677087afcc974c3

SHA256
87274177b8c73ef4364efe7334b9650ae17b455a6b558cf81a2e53482a75cbda

SHA512
bc184bb74828530dbd24dfad85cb7633901af32face5868cdc96437a09f4533df94a5e97f6a9fe9bf29a92a00e6b325d1ef02e9545980d15faf66d188978a426

Download Submit
C:\Windows\SysWOW64\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
memory/4460-153-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4460-154-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download