Analysis
-
max time kernel
43s
-
max time network
46s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
-
submitted
29-01-2023 12:32
Static task
static1
Behavioral task
behavioral1
Sample
9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Resource
win7-20220812-en
General
-
Target
9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
-
Size
861KB
-
MD5
9905a37faf38c17aead5bab3856a10f6
-
SHA1
04366e15e42148dca66e53bc96ef9fd7a8f18e44
-
SHA256
9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3
-
SHA512
71cf500ef94368ef9c364edf3d9b760676138c17e01db91b9c8f63326a8e34ab47b3b2af8f2d846263bb8f218d06fc42604eceebb0baf721662b1b3c3de35e3c
-
SSDEEP
24576:dA78/eSlW1c98PkHJQ0hYt3fpQGRP3nNAA8MJw:dlPWL+7hYdxQOnaN
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1568  nkdv16c.exe
1260  nkdcv16.exe
-
Possible privilege escalation attempt 3 IoCs
Processes:
pid   process
796   icacls.exe
1900  takeown.exe
1416  icacls.exe
-
Processes:
resource                                                                      yara_rule
\Users\Admin\AppData\Roaming\nkdv16c.exe                                      upx
\Users\Admin\AppData\Roaming\nkdv16c.exe                                      upx
C:\Users\Admin\AppData\Roaming\nkdv16c.exe                                    upx
behavioral1/memory/1568-76-0x0000000000400000-0x00000000004E3000-memory.dmp   upx
-
Loads dropped DLL 4 IoCs
Processes:
pid   process
1000  9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
1000  9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
1568  nkdv16c.exe
580   cmd.exe
-
Modifies file permissions 1 TTPs 3 IoCs
Processes:
pid   process
796   icacls.exe
1900  takeown.exe
1416  icacls.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 1 IoCs
Processes:
description   ioc                                process
File created  C:\Windows\SysWOW64\fltLib.acl    icacls.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process                                                                 target process
PID 2044 set thread context of 1000  2044  9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe  9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
description      ioc                                                                                                                                                                                                                                   process
Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}                                                                                9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"   9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"                      9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Google"                                                                                              9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
description                           pid   process
Token: SeIncreaseQuotaPrivilege       1792  WMIC.exe
Token: SeSecurityPrivilege            1792  WMIC.exe
Token: SeTakeOwnershipPrivilege       1792  WMIC.exe
Token: SeLoadDriverPrivilege          1792  WMIC.exe
Token: SeSystemProfilePrivilege       1792  WMIC.exe
Token: SeSystemtimePrivilege          1792  WMIC.exe
Token: SeProfSingleProcessPrivilege   1792  WMIC.exe
Token: SeIncBasePriorityPrivilege     1792  WMIC.exe
Token: SeCreatePagefilePrivilege      1792  WMIC.exe
Token: SeBackupPrivilege              1792  WMIC.exe
Token: SeRestorePrivilege             1792  WMIC.exe
Token: SeShutdownPrivilege            1792  WMIC.exe
Token: SeDebugPrivilege               1792  WMIC.exe
Token: SeSystemEnvironmentPrivilege   1792  WMIC.exe
Token: SeRemoteShutdownPrivilege      1792  WMIC.exe
Token: SeUndockPrivilege              1792  WMIC.exe
Token: SeManageVolumePrivilege        1792  WMIC.exe
Token: 33                             1792  WMIC.exe
Token: 34                             1792  WMIC.exe
Token: 35                             1792  WMIC.exe
Token: SeIncreaseQuotaPrivilege       1792  WMIC.exe
Token: SeSecurityPrivilege            1792  WMIC.exe
Token: SeTakeOwnershipPrivilege       1792  WMIC.exe
Token: SeLoadDriverPrivilege          1792  WMIC.exe
Token: SeSystemProfilePrivilege       1792  WMIC.exe
Token: SeSystemtimePrivilege          1792  WMIC.exe
Token: SeProfSingleProcessPrivilege   1792  WMIC.exe
Token: SeIncBasePriorityPrivilege     1792  WMIC.exe
Token: SeCreatePagefilePrivilege      1792  WMIC.exe
Token: SeBackupPrivilege              1792  WMIC.exe
Token: SeRestorePrivilege             1792  WMIC.exe
Token: SeShutdownPrivilege            1792  WMIC.exe
Token: SeDebugPrivilege               1792  WMIC.exe
Token: SeSystemEnvironmentPrivilege   1792  WMIC.exe
Token: SeRemoteShutdownPrivilege      1792  WMIC.exe
Token: SeUndockPrivilege              1792  WMIC.exe
Token: SeManageVolumePrivilege        1792  WMIC.exe
Token: 33                             1792  WMIC.exe
Token: 34                             1792  WMIC.exe
Token: 35                             1792  WMIC.exe
Token: SeTakeOwnershipPrivilege       1900  takeown.exe
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes:
description                        pid   process                                                                 target process                                                          entries
PID 2044 wrote to memory of 1000   2044  9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe  9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe  9
PID 1000 wrote to memory of 1568   1000  9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe  nkdv16c.exe                                                             4
PID 1568 wrote to memory of 580    1568  nkdv16c.exe                                                             cmd.exe                                                                 4
PID 580 wrote to memory of 892     580   cmd.exe                                                                 reg.exe                                                                 4
PID 580 wrote to memory of 1964    580   cmd.exe                                                                 reg.exe                                                                 4
PID 580 wrote to memory of 1020    580   cmd.exe                                                                 cmd.exe                                                                 4
PID 1020 wrote to memory of 1792   1020  cmd.exe                                                                 WMIC.exe                                                                4
PID 580 wrote to memory of 796     580   cmd.exe                                                                 icacls.exe                                                              4
PID 580 wrote to memory of 1900    580   cmd.exe                                                                 takeown.exe                                                             4
PID 580 wrote to memory of 1416    580   cmd.exe                                                                 icacls.exe                                                              4
PID 580 wrote to memory of 1260    580   cmd.exe                                                                 nkdcv16.exe                                                             7
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe"
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Command line: C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Users\Admin\AppData\Roaming\nkdv16c.exe
Command line: "C:\Users\Admin\AppData\Roaming\nkdv16c.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BD4.tmp\nkdv16c.cmd""
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Level 5: C:\Windows\SysWOW64\reg.exe
Command line: C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d 1 /f
-
Level 5: C:\Windows\SysWOW64\reg.exe
Command line: C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SfcDisabled /t REG_DWORD /d 1 /f
-
Level 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c wmic Group Where SID="S-1-5-32-544" Get Name /Value
- Suspicious use of WriteProcessMemory
-
Level 6: C:\Windows\SysWOW64\Wbem\WMIC.exe
Command line: wmic Group Where SID="S-1-5-32-544" Get Name /Value
- Suspicious use of AdjustPrivilegeToken
-
Level 5: C:\Windows\SysWOW64\icacls.exe
Command line: icacls C:\Windows\System32\fltLib.dll /save C:\Windows\System32\fltLib.acl /T
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
-
Level 5: C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f C:\Windows\System32\fltLib.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
Level 5: C:\Windows\SysWOW64\icacls.exe
Command line: icacls C:\Windows\System32\fltLib.dll /grant Administrators:F
- Possible privilege escalation attempt
- Modifies file permissions
-
Level 5: C:\Users\Admin\AppData\Local\Temp\nkdcv16.exe
Command line: nkdcv16.exe
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\BD4.tmp\nkdv16c.cmd
Filesize
2KB
MD5
a18077e8ca8217c7ac84ac9cadcafb7e
SHA1
1d212d0c6bd6da0c8da8869419711e197a7125f7
SHA256
c7f92ce8222b40a1b9c934809ddcb467354cabbe0fcba3af6a155a808683e2b5
SHA512
352ac2b3c6a6768566296e5fb4186b0e55345717f5422ac2ae656a85f0a4e29ac98d8e63a81a064775cac8bc349f96ccf34b06bddc405fd02e51412d8f7264e6
-
C:\Users\Admin\AppData\Local\Temp\nkdcv16.exe
Filesize
823KB
MD5
2c182a7c31678076fc7ace093b2d842b
SHA1
21146f56c76193cdc790f40e63432e9a440d1f7b
SHA256
88f7d722eb65f7aa4b5ec18672eee3042d4db23f574b0057141599ba4205fbfd
SHA512
470503ce01696ca90273647366a7d90b17a14b6bbbd0ec6a32e1061e89252b9e7a53c3ec03bbcbf7d9f7cf182997085383719188d68e842f6ad5760bb00f5caf
-
C:\Users\Admin\AppData\Roaming\nkdv16c.exe
Filesize
529KB
MD5
d9977aa232ade22471469a6487b30f99
SHA1
f1c5529d749a6e48c7d13395c92a6eb1c0c9a518
SHA256
2394f0d3bec63a501f9bbcb618ac2981b22d49911fa7a3fdba0766d95dd15e62
SHA512
a430fed6f5434550b36a596d175efbfcc83e52ca4d678781c44d73f1ed2bdaad8e5712cd2c09b790f9eb10b4562afff3ea8f41aebf4d2fddb104df24eacf6995
-
\Users\Admin\AppData\Local\Temp\BD4.tmp\b2e.dll
Filesize
31KB
MD5
7b860f28be19d4aef761fb991134a556
SHA1
0658a7456d0234dcca598b6ee599fe134d0ecd61
SHA256
57a2586d73188a694944c7da60c78380f82fac46452ed1a31c818ceb93e660bc
SHA512
a0685a25cbc3fff74aa4ad538ade5282242980f07fe1171e01644e0fa98e1ec6adc87b943290983f6fb5070d26fc15d697ae31a1f570e83e504ae1e4508aefa5
-
\Users\Admin\AppData\Local\Temp\nkdcv16.exe
Filesize
823KB
MD5
2c182a7c31678076fc7ace093b2d842b
SHA1
21146f56c76193cdc790f40e63432e9a440d1f7b
SHA256
88f7d722eb65f7aa4b5ec18672eee3042d4db23f574b0057141599ba4205fbfd
SHA512
470503ce01696ca90273647366a7d90b17a14b6bbbd0ec6a32e1061e89252b9e7a53c3ec03bbcbf7d9f7cf182997085383719188d68e842f6ad5760bb00f5caf
-
\Users\Admin\AppData\Roaming\nkdv16c.exe
Filesize
529KB
MD5
d9977aa232ade22471469a6487b30f99
SHA1
f1c5529d749a6e48c7d13395c92a6eb1c0c9a518
SHA256
2394f0d3bec63a501f9bbcb618ac2981b22d49911fa7a3fdba0766d95dd15e62
SHA512
a430fed6f5434550b36a596d175efbfcc83e52ca4d678781c44d73f1ed2bdaad8e5712cd2c09b790f9eb10b4562afff3ea8f41aebf4d2fddb104df24eacf6995
-
memory/580-77-0x0000000000000000-mapping.dmp
-
memory/796-84-0x0000000000000000-mapping.dmp
-
memory/892-79-0x0000000000000000-mapping.dmp
-
memory/1000-74-0x0000000000400000-0x00000000004DE000-memory.dmp
Filesize
888KB
-
memory/1000-61-0x0000000000400000-0x00000000004DE000-memory.dmp
Filesize
888KB
-
memory/1000-66-0x0000000075201000-0x0000000075203000-memory.dmp
Filesize
8KB
-
memory/1000-54-0x0000000000400000-0x00000000004DE000-memory.dmp
Filesize
888KB
-
memory/1000-75-0x0000000002730000-0x0000000002813000-memory.dmp
Filesize
908KB
-
memory/1000-55-0x0000000000400000-0x00000000004DE000-memory.dmp
Filesize
888KB
-
memory/1000-67-0x0000000000400000-0x00000000004DE000-memory.dmp
Filesize
888KB
-
memory/1000-63-0x0000000000400000-0x00000000004DE000-memory.dmp
Filesize
888KB
-
memory/1000-64-0x0000000000441175-mapping.dmp
-
memory/1000-80-0x0000000000400000-0x00000000004DE000-memory.dmp
Filesize
888KB
-
memory/1000-57-0x0000000000400000-0x00000000004DE000-memory.dmp
Filesize
888KB
-
memory/1000-59-0x0000000000400000-0x00000000004DE000-memory.dmp
Filesize
888KB
-
memory/1020-82-0x0000000000000000-mapping.dmp
-
memory/1260-89-0x0000000000000000-mapping.dmp
-
memory/1416-86-0x0000000000000000-mapping.dmp
-
memory/1568-70-0x0000000000000000-mapping.dmp
-
memory/1568-76-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize
908KB
-
memory/1792-83-0x0000000000000000-mapping.dmp
-
memory/1900-85-0x0000000000000000-mapping.dmp
-
memory/1964-81-0x0000000000000000-mapping.dmp