Analysis
- max time kernel: 153s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03/12/2022, 20:21
Static task: static1
Behavioral task: behavioral1
- Sample: b3ffae1300a871f65ffbb5793a65c397926c83efcfa84418387276d9803478d4.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b3ffae1300a871f65ffbb5793a65c397926c83efcfa84418387276d9803478d4.exe
- Resource: win10v2004-20220812-en
General
- Target: b3ffae1300a871f65ffbb5793a65c397926c83efcfa84418387276d9803478d4.exe
- Size: 88KB
- MD5: 4528509d5eab9090be6d3c850fe74862
- SHA1: 7e5841415572c88ed88ef0f22b6389943b6556b4
- SHA256: b3ffae1300a871f65ffbb5793a65c397926c83efcfa84418387276d9803478d4
- SHA512: 9cfc9ef280b119682edda30ad6373c1f6b250455f8016960e4372714e1e78b34cb8881c8c1acfb51ca3fac40f93a386025bf111c7bd5f4166b0a2baa67195ce3
- SSDEEP: 1536:LdRFH+4Kd/EsUzUVACD1LGLULKLdLaL7gW8ENVk4Lbka:D5+n/EsUAtNV9Z
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: koefiw.exe
- Executes dropped EXE (1 IoC)
  pid 948, process koefiw.exe
- Loads dropped DLL (2 IoCs)
  pid 1956, process b3ffae1300a871f65ffbb5793a65c397926c83efcfa84418387276d9803478d4.exe
  pid 1956, process b3ffae1300a871f65ffbb5793a65c397926c83efcfa84418387276d9803478d4.exe
- Adds Run key to start application (2 TTPs, 50 IoCs)
  All 50 entries are written by process koefiw.exe under the key
  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Key created (1 entry): ...\CurrentVersion\Run\
  Set value (str) (49 entries): ...\CurrentVersion\Run\koefiw = "C:\\Users\\Admin\\koefiw.exe <switch>"
  The value is rewritten repeatedly with a different command-line switch each time, in this order:
  /J /i /M /R /u /W /I /L /b /E /U /t /Z /q /F /j /x /B /X /A /G /m /w /O /o /V /P /a /Y /C /s /y /l /T /D
  (the "Key created" entry is logged here) /Q /g /p /c /v /N /z /h /K /d /n /f /k /r
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 948, process koefiw.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1956, process b3ffae1300a871f65ffbb5793a65c397926c83efcfa84418387276d9803478d4.exe
  pid 948, process koefiw.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1956 wrote to memory of 948
  pid: 1956
  process: b3ffae1300a871f65ffbb5793a65c397926c83efcfa84418387276d9803478d4.exe
  procid_target: 28
  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\b3ffae1300a871f65ffbb5793a65c397926c83efcfa84418387276d9803478d4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b3ffae1300a871f65ffbb5793a65c397926c83efcfa84418387276d9803478d4.exe"
  PID: 1956
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\koefiw.exe (child of PID 1956)
    command line: "C:\Users\Admin\koefiw.exe"
    PID: 948
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 88KB
  MD5: 42ea457af2813336fe8246b83fc6cafd
  SHA1: 639bb6465fab06790eb111b465b4f3edc7762f08
  SHA256: cf51042ba43f6c914568b3fbd886cdbac360bca9854b0b320bd142037d3f1767
  SHA512: f76e4be37fc683b6aaaa0982bf8db0f3006d43ca586b935718995dbc3fedbd85a5e419ff61d205d97676905445f9a989386c099af16303a8025da7d80718e4b6