Analysis
- max time kernel: 107s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2023 11:49
Static task: static1
Behavioral task: behavioral1
  Sample: ZZ.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: ZZ.exe
  Resource: win10v2004-20221111-en
General
- Target: ZZ.exe
- Size: 303KB
- MD5: 861d01503fd3f2258907539fe4f4984d
- SHA1: f2f4a48bc9d48815b090525c4d49e3937a9f4a94
- SHA256: 3671f50c59e91067f6161243ec3e701d87ebfe461dd0c3b8c520f50d8619598a
- SHA512: 679f1f3ea7a47ab993b83b532b7670112cddd304c9713f7157be7110d4f5f54130c7576a768cb61b823a06f4459c8f081e18a79291aecc1a998894946ddab257
- SSDEEP: 6144:TYa6E9nxscxsV0m/GV95UqnZtTmQeJXfe32vEnZclbXnXTGnInit8y:TYi9nmQsFa5UTZqAEnGlbXKnV7
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    4916 | knvmiat.exe
    2040 | knvmiat.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | knvmiat.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | knvmiat.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | knvmiat.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    33 | api.ipify.org
    34 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 4916 set thread context of 2040 | 4916 | knvmiat.exe | knvmiat.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid | process):
    4916 | knvmiat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2040 | knvmiat.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
    2040 | knvmiat.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
    PID 1956 wrote to memory of 4916 | 1956 | ZZ.exe | knvmiat.exe
    PID 1956 wrote to memory of 4916 | 1956 | ZZ.exe | knvmiat.exe
    PID 1956 wrote to memory of 4916 | 1956 | ZZ.exe | knvmiat.exe
    PID 4916 wrote to memory of 2040 | 4916 | knvmiat.exe | knvmiat.exe
    PID 4916 wrote to memory of 2040 | 4916 | knvmiat.exe | knvmiat.exe
    PID 4916 wrote to memory of 2040 | 4916 | knvmiat.exe | knvmiat.exe
    PID 4916 wrote to memory of 2040 | 4916 | knvmiat.exe | knvmiat.exe
- outlook_office_path (1 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | knvmiat.exe
- outlook_win_path (1 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | knvmiat.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ZZ.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ZZ.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\knvmiat.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\knvmiat.exe" C:\Users\Admin\AppData\Local\Temp\ngeiukxlq.rgo
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\knvmiat.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\knvmiat.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\knvmiat.exe
  Filesize: 84KB
  MD5: 71f20b057e7cdcfa0052971862a0a4fc
  SHA1: 5168555af9de34f0a83372e89222621b79f34ab5
  SHA256: 6e590ad5a609a6a7eb8da1b1a04f40e28856358e82842c59a0b44204ef89f477
  SHA512: 9b96d32bc190cbeccfd2746601c99c125451807e1d5cd729887fa24b3e405cc61f5893ee698764b330bc4e98611bb648ec1552eeac10dbcebfc801b6ad9c3f0f
- C:\Users\Admin\AppData\Local\Temp\ngeiukxlq.rgo
  Filesize: 5KB
  MD5: 7634251e3eba63ccac45c753c7409467
  SHA1: a1642eb890e854921a6ac65675a63ea8a7d1db9b
  SHA256: bf6ee916f1511e0a1e98324d4bc9ba8b2559e02fd1a6f69f559d006914c0c4e9
  SHA512: 8b0e60d94823f77fc2bdb3c5eecc66525a32e4482087efca78b41554b7a363504b35156f8851afe8cfcacb3ecf11dc7acaa5c5f6a098a79fb21104f865f7a0c8
- C:\Users\Admin\AppData\Local\Temp\sdixyzov.ejq
  Filesize: 262KB
  MD5: 77d9c0b696fb89a24e1a7f859786246f
  SHA1: 3cf83297eb5824295d289b7d4f1722f2007b4953
  SHA256: 7a047922ad0d91a0616d4f5591f33efe47b77efdc18aaede93660f8831925d49
  SHA512: b8ff6bf9acb5bd60911bb051efb03cb0d4abe549c35c19bae44e555c61aa38c1f713abea6a46a9552e143b73f09662d628edfd45a1e0f6e816f2edf27a74c3f7
- memory/2040-137-0x0000000000000000-mapping.dmp
- memory/2040-139-0x0000000004A80000-0x0000000005024000-memory.dmp
  Filesize: 5.6MB
- memory/2040-140-0x0000000000400000-0x0000000000441000-memory.dmp
  Filesize: 260KB
- memory/2040-141-0x00000000049E0000-0x0000000004A46000-memory.dmp
  Filesize: 408KB
- memory/2040-142-0x0000000006170000-0x0000000006202000-memory.dmp
  Filesize: 584KB
- memory/2040-143-0x0000000006310000-0x000000000631A000-memory.dmp
  Filesize: 40KB
- memory/2040-144-0x0000000006460000-0x00000000064B0000-memory.dmp
  Filesize: 320KB
- memory/2040-145-0x00000000064B0000-0x0000000006672000-memory.dmp
  Filesize: 1.8MB
- memory/4916-132-0x0000000000000000-mapping.dmp