Analysis
-
max time kernel
152s
-
max time network
30s
-
platform
windows7_x64
-
resource
win7-20221111-en
-
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
-
submitted
09-12-2022 21:20
Static task
static1
Behavioral task
behavioral1
Sample
Scan_Invoice_12-09#54.msi
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Scan_Invoice_12-09#54.msi
Resource
win10v2004-20220812-en
General
-
Target
Scan_Invoice_12-09#54.msi
-
Size
824KB
-
MD5
7c0c7922a082101215c998a4ecf15481
-
SHA1
5543faef6b9261087bad28e3274addd9823682b5
-
SHA256
ea43a6d99b567d1dbc7339ff43e489ef22657fcd6bd9e36b69aea8b14fde8cd5
-
SHA512
d689a1f9973e9996075bf1e5db2fb4326caef004e55b4f0bddb197535c179eb2bddb420c5ee68b23c842a423a9475eff98bb3bf2962a665304dafc684d97a4a1
-
SSDEEP
24576:yHL009mTn3Tp9Lolu0aID/kJAHCcWPXoPcTPbgrQlRNKIg8gx:yr00a3ku0ocWPXoPcTPbgrQlRNKIg8g
Malware Config
Extracted
icedid
1178326404
broskabrwaf.com
Signatures
-
Loads dropped DLL 6 IoCs
Processes:
pid | process
828 | MsiExec.exe
944 | rundll32.exe
796 | rundll32.exe
796 | rundll32.exe
796 | rundll32.exe
796 | rundll32.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 15 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI92C2.tmp-\test.cs.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI92C2.tmp-\CustomAction.config | rundll32.exe
File created | C:\Windows\Installer\6e80a7.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI90BC.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\6e80a6.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\6e80a7.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI92C2.tmp-\WixSharp.dll | rundll32.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File created | C:\Windows\Installer\6e80a6.msi | msiexec.exe
File created | C:\Windows\Installer\6e80a9.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI92C2.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI92C2.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
1740 | msiexec.exe
1740 | msiexec.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
832 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
832 | msiexec.exe
832 | msiexec.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description | pid | process | target process
PID 1740 wrote to memory of 828 | 1740 | msiexec.exe | MsiExec.exe
PID 1740 wrote to memory of 828 | 1740 | msiexec.exe | MsiExec.exe
PID 1740 wrote to memory of 828 | 1740 | msiexec.exe | MsiExec.exe
PID 1740 wrote to memory of 828 | 1740 | msiexec.exe | MsiExec.exe
PID 1740 wrote to memory of 828 | 1740 | msiexec.exe | MsiExec.exe
PID 828 wrote to memory of 944 | 828 | MsiExec.exe | rundll32.exe
PID 828 wrote to memory of 944 | 828 | MsiExec.exe | rundll32.exe
PID 828 wrote to memory of 944 | 828 | MsiExec.exe | rundll32.exe
PID 944 wrote to memory of 796 | 944 | rundll32.exe | rundll32.exe
PID 944 wrote to memory of 796 | 944 | rundll32.exe | rundll32.exe
PID 944 wrote to memory of 796 | 944 | rundll32.exe | rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Scan_Invoice_12-09#54.msi
Depth: 1
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Depth: 1
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 532043F447DD896AD4C01B767D635EA5
Depth: 2
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI92C2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7246667 1 test.cs!Test.CustomActions.MyAction
Depth: 3
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp9FC9.dll",init
Depth: 4
- Loads dropped DLL
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Depth: 1
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003CC" "00000000000004A0"
Depth: 1
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9FC9.dll
Filesize
374KB
MD5
c50ce45b8e89a5b97442a167494a7540
SHA1
1101785b3bc90769c48e8c3567bf260c2477c39c
SHA256
38867d9bf275e511def67182871ad950321455cfbfa5c1141104712a4ec220b3
SHA512
469964bf7273b379cec03df6c2fa1768e1dae97d90f7d0459ed836558839936566d292b139632ec5b7b73a888fa34ea0e0305081d39417916706de488fd9551b
-
C:\Windows\Installer\MSI92C2.tmp
Filesize
413KB
MD5
50139f9ecf5281f618512e8b5f03415d
SHA1
a976d06ad9758b646aee5fe50e1d2f61f92e765e
SHA256
f82cfac9e1d481579e8f88fd83a28d4793875db50475f848fcf528ce944cc7ff
SHA512
f8d927d0e8341991b14ae9d90708deda857a9b12291f5002095fb4cf9dcc6173c3f19f36c842386d933a14a9fb845e98442ad0a706b6487c4f52e09c44caf992