Analysis
max time kernel: 188s
max time network: 194s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 15:07
Static task: static1
Behavioral task: behavioral1
  Sample: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe
  Resource: win10v2004-20221111-en
General
Target: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe
Size: 360KB
MD5: 732cdf0b27a32489411c9362859f7632
SHA1: 2e72e9cd2782328ab35315c0875ff44947f53652
SHA256: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa
SHA512: 428accb2ad6b1c73b60d26dadbf6c399b5a2744eab1e45cebfd2d392a2d718449a25ca012a83ecc7c0f350819a7a42649b2b0e27ff55edc167d9ed85ec06a86d
SSDEEP: 6144:Kl8ibNjFefg+sDYwXNlckN7CgJzOGsqB6cd1:4bjFTtGqCgJKfe1
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid   Process
4320  ntkrnlpa.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              Process                                                                 ioc (drive roots, 24 per process)
File opened (read-only)  8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
File opened (read-only)  ntkrnlpa.exe                                                           \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Windows directory (2 IoCs)
description                   ioc                                    Process
File created                  C:\Windows\ntkrnlpa.exe                8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe
File opened for modification  C:\Windows\KBankStar_2022_12_11.log    ntkrnlpa.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                        pid   Process
Token: SeShutdownPrivilege         1612  8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe
Token: SeCreatePagefilePrivilege   1612  8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe
Token: SeShutdownPrivilege         4320  ntkrnlpa.exe
Token: SeCreatePagefilePrivilege   4320  ntkrnlpa.exe

Suspicious use of SetWindowsHookEx (11 IoCs)
pid   Process
1612  8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe (4 entries)
4320  ntkrnlpa.exe (7 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
description                         pid   Process                                                                 procid_target
PID 1612 wrote to memory of 4320    1612  8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe  84
PID 1612 wrote to memory of 4320    1612  8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe  84
PID 1612 wrote to memory of 4320    1612  8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe  84
PID 1612 wrote to memory of 1180    1612  8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe  85
PID 1612 wrote to memory of 1180    1612  8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe  85
PID 1612 wrote to memory of 1180    1612  8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe  85
Processes

C:\Users\Admin\AppData\Local\Temp\8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1612

  C:\Windows\ntkrnlpa.exe (child of PID 1612)
    Command line: C:\Windows\ntkrnlpa.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 4320

  C:\Windows\SysWOW64\cmd.exe (child of PID 1612)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsrv.bat" "
    PID: 1180
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 252B
MD5: b7ca6bf706fa6b946260f8adc36c5ce4
SHA1: d0db6693a7b8011cea8c02668b2dd5575bd08a80
SHA256: 441a832e064c3eb8eed3fded52f7f7f5c3014180244fcadd2698594760c9a48d
SHA512: 351d313d00ef791d33eb16d1e0c36f0d553fabd7b079f177de0131a63c2e08adb81644965ec86316b3fe1511f50d0c9887081d5487c581ade719d161606d53d5

Filesize: 360KB
MD5: 732cdf0b27a32489411c9362859f7632
SHA1: 2e72e9cd2782328ab35315c0875ff44947f53652
SHA256: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa
SHA512: 428accb2ad6b1c73b60d26dadbf6c399b5a2744eab1e45cebfd2d392a2d718449a25ca012a83ecc7c0f350819a7a42649b2b0e27ff55edc167d9ed85ec06a86d