3671f50c59e91067f6161243ec3e701d87ebfe461dd0c3b8c520f50d8619598a

General

Target

ZZ.exe
Size

303KB
MD5

861d01503fd3f2258907539fe4f4984d
SHA1

f2f4a48bc9d48815b090525c4d49e3937a9f4a94
SHA256

3671f50c59e91067f6161243ec3e701d87ebfe461dd0c3b8c520f50d8619598a
SHA512

679f1f3ea7a47ab993b83b532b7670112cddd304c9713f7157be7110d4f5f54130c7576a768cb61b823a06f4459c8f081e18a79291aecc1a998894946ddab257
SSDEEP

6144:TYa6E9nxscxsV0m/GV95UqnZtTmQeJXfe32vEnZclbXnXTGnInit8y:TYi9nmQsFa5UTZqAEnGlbXKnV7

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

knvmiat.exeknvmiat.exe

pid process

4916 knvmiat.exe
2040 knvmiat.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4916	knvmiat.exe
2040	knvmiat.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

knvmiat.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	knvmiat.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	knvmiat.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	knvmiat.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 api.ipify.org
34 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

knvmiat.exe

description pid process target process

PID 4916 set thread context of 2040 4916 knvmiat.exe knvmiat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

knvmiat.exe

pid process

4916 knvmiat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

knvmiat.exe

description pid process

Token: SeDebugPrivilege 2040 knvmiat.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

knvmiat.exe

pid process

2040 knvmiat.exe

flow	ioc
33	api.ipify.org
34	api.ipify.org

description	pid	process	target process
PID 4916 set thread context of 2040	4916	knvmiat.exe	knvmiat.exe

pid	process
4916	knvmiat.exe

description	pid	process
Token: SeDebugPrivilege	2040	knvmiat.exe

pid	process
2040	knvmiat.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ZZ.exeknvmiat.exe

description	pid	process	target process
PID 1956 wrote to memory of 4916	1956	ZZ.exe	knvmiat.exe
PID 1956 wrote to memory of 4916	1956	ZZ.exe	knvmiat.exe
PID 1956 wrote to memory of 4916	1956	ZZ.exe	knvmiat.exe
PID 4916 wrote to memory of 2040	4916	knvmiat.exe	knvmiat.exe
PID 4916 wrote to memory of 2040	4916	knvmiat.exe	knvmiat.exe
PID 4916 wrote to memory of 2040	4916	knvmiat.exe	knvmiat.exe
PID 4916 wrote to memory of 2040	4916	knvmiat.exe	knvmiat.exe

outlook_office_path 1 IoCs

Processes:

knvmiat.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	knvmiat.exe

outlook_win_path 1 IoCs

Processes:

knvmiat.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	knvmiat.exe

C:\Users\Admin\AppData\Local\Temp\ZZ.exe
"C:\Users\Admin\AppData\Local\Temp\ZZ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\knvmiat.exe
"C:\Users\Admin\AppData\Local\Temp\knvmiat.exe" C:\Users\Admin\AppData\Local\Temp\ngeiukxlq.rgo
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\knvmiat.exe
"C:\Users\Admin\AppData\Local\Temp\knvmiat.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\knvmiat.exe
Filesize
84KB

MD5
71f20b057e7cdcfa0052971862a0a4fc

SHA1
5168555af9de34f0a83372e89222621b79f34ab5

SHA256
6e590ad5a609a6a7eb8da1b1a04f40e28856358e82842c59a0b44204ef89f477

SHA512
9b96d32bc190cbeccfd2746601c99c125451807e1d5cd729887fa24b3e405cc61f5893ee698764b330bc4e98611bb648ec1552eeac10dbcebfc801b6ad9c3f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\knvmiat.exe
Filesize
84KB

MD5
71f20b057e7cdcfa0052971862a0a4fc

SHA1
5168555af9de34f0a83372e89222621b79f34ab5

SHA256
6e590ad5a609a6a7eb8da1b1a04f40e28856358e82842c59a0b44204ef89f477

SHA512
9b96d32bc190cbeccfd2746601c99c125451807e1d5cd729887fa24b3e405cc61f5893ee698764b330bc4e98611bb648ec1552eeac10dbcebfc801b6ad9c3f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\knvmiat.exe
Filesize
84KB

MD5
71f20b057e7cdcfa0052971862a0a4fc

SHA1
5168555af9de34f0a83372e89222621b79f34ab5

SHA256
6e590ad5a609a6a7eb8da1b1a04f40e28856358e82842c59a0b44204ef89f477

SHA512
9b96d32bc190cbeccfd2746601c99c125451807e1d5cd729887fa24b3e405cc61f5893ee698764b330bc4e98611bb648ec1552eeac10dbcebfc801b6ad9c3f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngeiukxlq.rgo
Filesize
5KB

MD5
7634251e3eba63ccac45c753c7409467

SHA1
a1642eb890e854921a6ac65675a63ea8a7d1db9b

SHA256
bf6ee916f1511e0a1e98324d4bc9ba8b2559e02fd1a6f69f559d006914c0c4e9

SHA512
8b0e60d94823f77fc2bdb3c5eecc66525a32e4482087efca78b41554b7a363504b35156f8851afe8cfcacb3ecf11dc7acaa5c5f6a098a79fb21104f865f7a0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdixyzov.ejq
Filesize
262KB

MD5
77d9c0b696fb89a24e1a7f859786246f

SHA1
3cf83297eb5824295d289b7d4f1722f2007b4953

SHA256
7a047922ad0d91a0616d4f5591f33efe47b77efdc18aaede93660f8831925d49

SHA512
b8ff6bf9acb5bd60911bb051efb03cb0d4abe549c35c19bae44e555c61aa38c1f713abea6a46a9552e143b73f09662d628edfd45a1e0f6e816f2edf27a74c3f7

Download Submit
memory/2040-137-0x0000000000000000-mapping.dmp

Download
memory/2040-139-0x0000000004A80000-0x0000000005024000-memory.dmp

Filesize
5.6MB

Download
memory/2040-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2040-141-0x00000000049E0000-0x0000000004A46000-memory.dmp

Filesize
408KB

Download
memory/2040-142-0x0000000006170000-0x0000000006202000-memory.dmp

Filesize
584KB

Download
memory/2040-143-0x0000000006310000-0x000000000631A000-memory.dmp

Filesize
40KB

Download
memory/2040-144-0x0000000006460000-0x00000000064B0000-memory.dmp

Filesize
320KB

Download
memory/2040-145-0x00000000064B0000-0x0000000006672000-memory.dmp

Filesize
1.8MB

Download
memory/4916-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads