b4543e2e2d6f7474d06cab0114daa3214c005bfc86eb9aa342a0242671f6d8f4

Analysis

max time kernel
111s
max time network
117s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4543e2e2d6f7474d06cab0114daa3214c005bfc86eb9aa342a0242671f6d8f4.exe
Size

128KB
MD5

2633eea9de70faa860627d1b958c0ed4
SHA1

9ce70de0b831e86e17fb7c04caeb016ccc6d8d5c
SHA256

b4543e2e2d6f7474d06cab0114daa3214c005bfc86eb9aa342a0242671f6d8f4
SHA512

7297b09f6b06b729718a21284f5ff150d4cd1468c381086230d088e16992efe098c4676efad705dbb1766bf1b4c032b1cebd54ab14e2e6d4db675c3dc52dea65
SSDEEP

3072:65s9GHVQpP5fHIM6I49Zn4i+mGCvDhATG2IwY/6:lGHSpP5/IM6JXn4Qtr2+6

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1852	kavir.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1348	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kavir = "C:\\Windows\\kavir.exe"	b4543e2e2d6f7474d06cab0114daa3214c005bfc86eb9aa342a0242671f6d8f4.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\kavir.exe	b4543e2e2d6f7474d06cab0114daa3214c005bfc86eb9aa342a0242671f6d8f4.exe
File created	C:\Windows\nivavir.config	kavir.exe
File opened for modification	C:\Windows\nivavir.config	kavir.exe
File created	C:\Windows\kavir.exe	b4543e2e2d6f7474d06cab0114daa3214c005bfc86eb9aa342a0242671f6d8f4.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1852	1424	b4543e2e2d6f7474d06cab0114daa3214c005bfc86eb9aa342a0242671f6d8f4.exe	26
PID 1424 wrote to memory of 1852	1424	b4543e2e2d6f7474d06cab0114daa3214c005bfc86eb9aa342a0242671f6d8f4.exe	26
PID 1424 wrote to memory of 1852	1424	b4543e2e2d6f7474d06cab0114daa3214c005bfc86eb9aa342a0242671f6d8f4.exe	26
PID 1424 wrote to memory of 1852	1424	b4543e2e2d6f7474d06cab0114daa3214c005bfc86eb9aa342a0242671f6d8f4.exe	26
PID 1852 wrote to memory of 1348	1852	kavir.exe	27
PID 1852 wrote to memory of 1348	1852	kavir.exe	27
PID 1852 wrote to memory of 1348	1852	kavir.exe	27
PID 1852 wrote to memory of 1348	1852	kavir.exe	27
PID 1852 wrote to memory of 1328	1852	kavir.exe	29
PID 1852 wrote to memory of 1328	1852	kavir.exe	29
PID 1852 wrote to memory of 1328	1852	kavir.exe	29
PID 1852 wrote to memory of 1328	1852	kavir.exe	29
PID 1852 wrote to memory of 1476	1852	kavir.exe	30
PID 1852 wrote to memory of 1476	1852	kavir.exe	30
PID 1852 wrote to memory of 1476	1852	kavir.exe	30
PID 1852 wrote to memory of 1476	1852	kavir.exe	30
PID 1328 wrote to memory of 1736	1328	w32tm.exe	33
PID 1328 wrote to memory of 1736	1328	w32tm.exe	33
PID 1476 wrote to memory of 1976	1476	w32tm.exe	34
PID 1328 wrote to memory of 1736	1328	w32tm.exe	33
PID 1328 wrote to memory of 1736	1328	w32tm.exe	33
PID 1476 wrote to memory of 1976	1476	w32tm.exe	34
PID 1476 wrote to memory of 1976	1476	w32tm.exe	34
PID 1476 wrote to memory of 1976	1476	w32tm.exe	34

C:\Users\Admin\AppData\Local\Temp\b4543e2e2d6f7474d06cab0114daa3214c005bfc86eb9aa342a0242671f6d8f4.exe
"C:\Users\Admin\AppData\Local\Temp\b4543e2e2d6f7474d06cab0114daa3214c005bfc86eb9aa342a0242671f6d8f4.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\kavir.exe
  "C:\Windows\kavir.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set allowedprogram "C:\Windows\kavir.exe" enable
    3⤵
    - Modifies Windows Firewall
    PID:1348
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\system32\w32tm.exe
      w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
      4⤵
      PID:1736
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /update
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\system32\w32tm.exe
      w32tm /config /update
      4⤵
      PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\kavir.exe

Filesize
128KB

MD5
2633eea9de70faa860627d1b958c0ed4

SHA1
9ce70de0b831e86e17fb7c04caeb016ccc6d8d5c

SHA256
b4543e2e2d6f7474d06cab0114daa3214c005bfc86eb9aa342a0242671f6d8f4

SHA512
7297b09f6b06b729718a21284f5ff150d4cd1468c381086230d088e16992efe098c4676efad705dbb1766bf1b4c032b1cebd54ab14e2e6d4db675c3dc52dea65

Download Submit
memory/1328-60-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1424-56-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download