e0281ef7feeab53c9bb54790d814955cd30d1807e12253266646c7e469b30c97

Analysis

max time kernel
124s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 20:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e0281ef7feeab53c9bb54790d814955cd30d1807e12253266646c7e469b30c97.exe
Size

70KB
MD5

6948b8ff739e5e316663b739de57927b
SHA1

d190d96480cd7bf4b0978b8227bd751ab192166e
SHA256

e0281ef7feeab53c9bb54790d814955cd30d1807e12253266646c7e469b30c97
SHA512

00df7a1d58abe45e864547b56e56b669d82878325ccc188ecb341877336c37f56024a0c1cb7ebd5a06a32f5dd09ddf93b4103db90561eae6a4b0fe67cfdc61e7
SSDEEP

768:UsizDPjHibDEYIYWtnPWYwQ4ouhG+dKYFf9Ql5UVeTVBxVmVjGHdZwWM53evki:9oFH9/w22rN2tVBx8pf53mb

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeX.lnk	e0281ef7feeab53c9bb54790d814955cd30d1807e12253266646c7e469b30c97.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kas_kill.bat	e0281ef7feeab53c9bb54790d814955cd30d1807e12253266646c7e469b30c97.exe
File opened for modification	C:\Windows\SysWOW64\kas_kill.bat	e0281ef7feeab53c9bb54790d814955cd30d1807e12253266646c7e469b30c97.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_7111633	e0281ef7feeab53c9bb54790d814955cd30d1807e12253266646c7e469b30c97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1764	shutdown.exe
Token: SeRemoteShutdownPrivilege	1764	shutdown.exe
Token: SeShutdownPrivilege	324	shutdown.exe
Token: SeRemoteShutdownPrivilege	324	shutdown.exe
Token: SeShutdownPrivilege	432	shutdown.exe
Token: SeRemoteShutdownPrivilege	432	shutdown.exe
Token: SeShutdownPrivilege	1008	shutdown.exe
Token: SeRemoteShutdownPrivilege	1008	shutdown.exe
Token: SeShutdownPrivilege	1288	shutdown.exe
Token: SeRemoteShutdownPrivilege	1288	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1264	976	e0281ef7feeab53c9bb54790d814955cd30d1807e12253266646c7e469b30c97.exe	28
PID 976 wrote to memory of 1264	976	e0281ef7feeab53c9bb54790d814955cd30d1807e12253266646c7e469b30c97.exe	28
PID 976 wrote to memory of 1264	976	e0281ef7feeab53c9bb54790d814955cd30d1807e12253266646c7e469b30c97.exe	28
PID 976 wrote to memory of 1264	976	e0281ef7feeab53c9bb54790d814955cd30d1807e12253266646c7e469b30c97.exe	28
PID 1264 wrote to memory of 1424	1264	cmd.exe	30
PID 1264 wrote to memory of 1424	1264	cmd.exe	30
PID 1264 wrote to memory of 1424	1264	cmd.exe	30
PID 1264 wrote to memory of 1424	1264	cmd.exe	30
PID 1264 wrote to memory of 1764	1264	cmd.exe	31
PID 1264 wrote to memory of 1764	1264	cmd.exe	31
PID 1264 wrote to memory of 1764	1264	cmd.exe	31
PID 1264 wrote to memory of 1764	1264	cmd.exe	31
PID 1264 wrote to memory of 2004	1264	cmd.exe	33
PID 1264 wrote to memory of 2004	1264	cmd.exe	33
PID 1264 wrote to memory of 2004	1264	cmd.exe	33
PID 1264 wrote to memory of 2004	1264	cmd.exe	33
PID 2004 wrote to memory of 964	2004	cmd.exe	35
PID 2004 wrote to memory of 964	2004	cmd.exe	35
PID 2004 wrote to memory of 964	2004	cmd.exe	35
PID 2004 wrote to memory of 964	2004	cmd.exe	35
PID 2004 wrote to memory of 324	2004	cmd.exe	36
PID 2004 wrote to memory of 324	2004	cmd.exe	36
PID 2004 wrote to memory of 324	2004	cmd.exe	36
PID 2004 wrote to memory of 324	2004	cmd.exe	36
PID 2004 wrote to memory of 268	2004	cmd.exe	37
PID 2004 wrote to memory of 268	2004	cmd.exe	37
PID 2004 wrote to memory of 268	2004	cmd.exe	37
PID 2004 wrote to memory of 268	2004	cmd.exe	37
PID 268 wrote to memory of 944	268	cmd.exe	39
PID 268 wrote to memory of 944	268	cmd.exe	39
PID 268 wrote to memory of 944	268	cmd.exe	39
PID 268 wrote to memory of 944	268	cmd.exe	39
PID 268 wrote to memory of 432	268	cmd.exe	40
PID 268 wrote to memory of 432	268	cmd.exe	40
PID 268 wrote to memory of 432	268	cmd.exe	40
PID 268 wrote to memory of 432	268	cmd.exe	40
PID 268 wrote to memory of 652	268	cmd.exe	41
PID 268 wrote to memory of 652	268	cmd.exe	41
PID 268 wrote to memory of 652	268	cmd.exe	41
PID 268 wrote to memory of 652	268	cmd.exe	41
PID 652 wrote to memory of 616	652	cmd.exe	43
PID 652 wrote to memory of 616	652	cmd.exe	43
PID 652 wrote to memory of 616	652	cmd.exe	43
PID 652 wrote to memory of 616	652	cmd.exe	43
PID 652 wrote to memory of 1008	652	cmd.exe	44
PID 652 wrote to memory of 1008	652	cmd.exe	44
PID 652 wrote to memory of 1008	652	cmd.exe	44
PID 652 wrote to memory of 1008	652	cmd.exe	44
PID 652 wrote to memory of 1364	652	cmd.exe	45
PID 652 wrote to memory of 1364	652	cmd.exe	45
PID 652 wrote to memory of 1364	652	cmd.exe	45
PID 652 wrote to memory of 1364	652	cmd.exe	45
PID 1364 wrote to memory of 1940	1364	cmd.exe	47
PID 1364 wrote to memory of 1940	1364	cmd.exe	47
PID 1364 wrote to memory of 1940	1364	cmd.exe	47
PID 1364 wrote to memory of 1940	1364	cmd.exe	47
PID 1364 wrote to memory of 1288	1364	cmd.exe	48
PID 1364 wrote to memory of 1288	1364	cmd.exe	48
PID 1364 wrote to memory of 1288	1364	cmd.exe	48
PID 1364 wrote to memory of 1288	1364	cmd.exe	48
PID 1364 wrote to memory of 1092	1364	cmd.exe	49
PID 1364 wrote to memory of 1092	1364	cmd.exe	49
PID 1364 wrote to memory of 1092	1364	cmd.exe	49
PID 1364 wrote to memory of 1092	1364	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\e0281ef7feeab53c9bb54790d814955cd30d1807e12253266646c7e469b30c97.exe
"C:\Users\Admin\AppData\Local\Temp\e0281ef7feeab53c9bb54790d814955cd30d1807e12253266646c7e469b30c97.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\system32\kas_kill.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /y /r /q C:\Windows\system32\
    3⤵
    - Enumerates system info in registry
    PID:1424
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 333 -c "Kas_Kil_Win_Uz"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Windows\system32\kas_kill.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy /y /r /q C:\Windows\system32\
      4⤵
      Enumerates system info in registry
      PID:964
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 333 -c "Kas_Kil_Win_Uz"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Windows\system32\kas_kill.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:268
    - - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /r /q C:\Windows\system32\
        5⤵
        Enumerates system info in registry
        
        PID:944
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown -r -t 333 -c "Kas_Kil_Win_Uz"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Windows\system32\kas_kill.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:652
      - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /r /q C:\Windows\system32\
        6⤵
        Enumerates system info in registry
        
        PID:616
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown -r -t 333 -c "Kas_Kil_Win_Uz"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Windows\system32\kas_kill.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /r /q C:\Windows\system32\
        7⤵
        Enumerates system info in registry
        
        PID:1940
        
        C:\Windows\SysWOW64\shutdown.exe
        
        shutdown -r -t 333 -c "Kas_Kil_Win_Uz"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Windows\system32\kas_kill.bat
        7⤵
        
        PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\kas_kill.bat

Filesize
252B

MD5
276f4c3a8e95181d4cfb744fd3d75515

SHA1
703d957fa8575d3299d286d72c9be9d14efa7044

SHA256
f7690fc85f5286f728af897723c50d67186c83d1fa986fd85f2c3f6cb3fc3215

SHA512
2db045a3af6e14f3b929f783d09ebaa70c286c11af28f93878f22ab9c6fa44c97f3aa1550a7d07dfda8d52f532f66ff79d6ef2c62a18982a32e8d76a04eaa0eb

Download Submit
memory/976-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download