9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3

General

Target

9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Size

861KB
MD5

9905a37faf38c17aead5bab3856a10f6
SHA1

04366e15e42148dca66e53bc96ef9fd7a8f18e44
SHA256

9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3
SHA512

71cf500ef94368ef9c364edf3d9b760676138c17e01db91b9c8f63326a8e34ab47b3b2af8f2d846263bb8f218d06fc42604eceebb0baf721662b1b3c3de35e3c
SSDEEP

24576:dA78/eSlW1c98PkHJQ0hYt3fpQGRP3nNAA8MJw:dlPWL+7hYdxQOnaN

Score

8^/10

discovery exploit spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

nkdv16c.exenkdcv16.exe

pid process

5088 nkdv16c.exe
3908 nkdcv16.exe
Possible privilege escalation attempt 3 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exe

pid process

4248 icacls.exe
4956 takeown.exe
1660 icacls.exe

pid	process
5088	nkdv16c.exe
3908	nkdcv16.exe

pid	process
4248	icacls.exe
4956	takeown.exe
1660	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\nkdv16c.exe	upx
C:\Users\Admin\AppData\Roaming\nkdv16c.exe	upx
behavioral2/memory/5088-142-0x0000000000400000-0x00000000004E3000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe

Loads dropped DLL 1 IoCs

Processes:

nkdv16c.exe

pid process

5088 nkdv16c.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exe

pid process

4248 icacls.exe
4956 takeown.exe
1660 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Drops file in System32 directory 1 IoCs

Processes:

icacls.exe

description ioc process

File created C:\Windows\SysWOW64\fltLib.acl icacls.exe

pid	process
5088	nkdv16c.exe

pid	process
4248	icacls.exe
4956	takeown.exe
1660	icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\fltLib.acl	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe

description	pid	process	target process
PID 5060 set thread context of 4944	5060	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Google"	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exetakeown.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2804	WMIC.exe
Token: SeSecurityPrivilege	2804	WMIC.exe
Token: SeTakeOwnershipPrivilege	2804	WMIC.exe
Token: SeLoadDriverPrivilege	2804	WMIC.exe
Token: SeSystemProfilePrivilege	2804	WMIC.exe
Token: SeSystemtimePrivilege	2804	WMIC.exe
Token: SeProfSingleProcessPrivilege	2804	WMIC.exe
Token: SeIncBasePriorityPrivilege	2804	WMIC.exe
Token: SeCreatePagefilePrivilege	2804	WMIC.exe
Token: SeBackupPrivilege	2804	WMIC.exe
Token: SeRestorePrivilege	2804	WMIC.exe
Token: SeShutdownPrivilege	2804	WMIC.exe
Token: SeDebugPrivilege	2804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2804	WMIC.exe
Token: SeRemoteShutdownPrivilege	2804	WMIC.exe
Token: SeUndockPrivilege	2804	WMIC.exe
Token: SeManageVolumePrivilege	2804	WMIC.exe
Token: 33	2804	WMIC.exe
Token: 34	2804	WMIC.exe
Token: 35	2804	WMIC.exe
Token: 36	2804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2804	WMIC.exe
Token: SeSecurityPrivilege	2804	WMIC.exe
Token: SeTakeOwnershipPrivilege	2804	WMIC.exe
Token: SeLoadDriverPrivilege	2804	WMIC.exe
Token: SeSystemProfilePrivilege	2804	WMIC.exe
Token: SeSystemtimePrivilege	2804	WMIC.exe
Token: SeProfSingleProcessPrivilege	2804	WMIC.exe
Token: SeIncBasePriorityPrivilege	2804	WMIC.exe
Token: SeCreatePagefilePrivilege	2804	WMIC.exe
Token: SeBackupPrivilege	2804	WMIC.exe
Token: SeRestorePrivilege	2804	WMIC.exe
Token: SeShutdownPrivilege	2804	WMIC.exe
Token: SeDebugPrivilege	2804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2804	WMIC.exe
Token: SeRemoteShutdownPrivilege	2804	WMIC.exe
Token: SeUndockPrivilege	2804	WMIC.exe
Token: SeManageVolumePrivilege	2804	WMIC.exe
Token: 33	2804	WMIC.exe
Token: 34	2804	WMIC.exe
Token: 35	2804	WMIC.exe
Token: 36	2804	WMIC.exe
Token: SeTakeOwnershipPrivilege	4956	takeown.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exenkdv16c.execmd.execmd.exe

description	pid	process	target process
PID 5060 wrote to memory of 4944	5060	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 5060 wrote to memory of 4944	5060	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 5060 wrote to memory of 4944	5060	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 5060 wrote to memory of 4944	5060	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 5060 wrote to memory of 4944	5060	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 5060 wrote to memory of 4944	5060	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 5060 wrote to memory of 4944	5060	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 5060 wrote to memory of 4944	5060	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
PID 4944 wrote to memory of 5088	4944	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	nkdv16c.exe
PID 4944 wrote to memory of 5088	4944	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	nkdv16c.exe
PID 4944 wrote to memory of 5088	4944	9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe	nkdv16c.exe
PID 5088 wrote to memory of 5040	5088	nkdv16c.exe	cmd.exe
PID 5088 wrote to memory of 5040	5088	nkdv16c.exe	cmd.exe
PID 5088 wrote to memory of 5040	5088	nkdv16c.exe	cmd.exe
PID 5040 wrote to memory of 1148	5040	cmd.exe	reg.exe
PID 5040 wrote to memory of 1148	5040	cmd.exe	reg.exe
PID 5040 wrote to memory of 1148	5040	cmd.exe	reg.exe
PID 5040 wrote to memory of 1496	5040	cmd.exe	reg.exe
PID 5040 wrote to memory of 1496	5040	cmd.exe	reg.exe
PID 5040 wrote to memory of 1496	5040	cmd.exe	reg.exe
PID 5040 wrote to memory of 2960	5040	cmd.exe	cmd.exe
PID 5040 wrote to memory of 2960	5040	cmd.exe	cmd.exe
PID 5040 wrote to memory of 2960	5040	cmd.exe	cmd.exe
PID 2960 wrote to memory of 2804	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 2804	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 2804	2960	cmd.exe	WMIC.exe
PID 5040 wrote to memory of 4248	5040	cmd.exe	icacls.exe
PID 5040 wrote to memory of 4248	5040	cmd.exe	icacls.exe
PID 5040 wrote to memory of 4248	5040	cmd.exe	icacls.exe
PID 5040 wrote to memory of 4956	5040	cmd.exe	takeown.exe
PID 5040 wrote to memory of 4956	5040	cmd.exe	takeown.exe
PID 5040 wrote to memory of 4956	5040	cmd.exe	takeown.exe
PID 5040 wrote to memory of 1660	5040	cmd.exe	icacls.exe
PID 5040 wrote to memory of 1660	5040	cmd.exe	icacls.exe
PID 5040 wrote to memory of 1660	5040	cmd.exe	icacls.exe
PID 5040 wrote to memory of 3908	5040	cmd.exe	nkdcv16.exe
PID 5040 wrote to memory of 3908	5040	cmd.exe	nkdcv16.exe
PID 5040 wrote to memory of 3908	5040	cmd.exe	nkdcv16.exe

C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
"C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Roaming\nkdv16c.exe
"C:\Users\Admin\AppData\Roaming\nkdv16c.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8B4D.tmp\nkdv16c.cmd""
4⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d 1 /f
5⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SfcDisabled /t REG_DWORD /d 1 /f
5⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic Group Where SID="S-1-5-32-544" Get Name /Value
5⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic Group Where SID="S-1-5-32-544" Get Name /Value
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\fltLib.dll /save C:\Windows\System32\fltLib.acl /T
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
PID:4248

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\fltLib.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\fltLib.dll /grant Administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1660

C:\Users\Admin\AppData\Local\Temp\nkdcv16.exe
nkdcv16.exe
5⤵
- Executes dropped EXE
PID:3908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8B4D.tmp\b2e.dll
Filesize
31KB

MD5
7b860f28be19d4aef761fb991134a556

SHA1
0658a7456d0234dcca598b6ee599fe134d0ecd61

SHA256
57a2586d73188a694944c7da60c78380f82fac46452ed1a31c818ceb93e660bc

SHA512
a0685a25cbc3fff74aa4ad538ade5282242980f07fe1171e01644e0fa98e1ec6adc87b943290983f6fb5070d26fc15d697ae31a1f570e83e504ae1e4508aefa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B4D.tmp\nkdv16c.cmd
Filesize
2KB

MD5
a18077e8ca8217c7ac84ac9cadcafb7e

SHA1
1d212d0c6bd6da0c8da8869419711e197a7125f7

SHA256
c7f92ce8222b40a1b9c934809ddcb467354cabbe0fcba3af6a155a808683e2b5

SHA512
352ac2b3c6a6768566296e5fb4186b0e55345717f5422ac2ae656a85f0a4e29ac98d8e63a81a064775cac8bc349f96ccf34b06bddc405fd02e51412d8f7264e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkdcv16.exe
Filesize
823KB

MD5
2c182a7c31678076fc7ace093b2d842b

SHA1
21146f56c76193cdc790f40e63432e9a440d1f7b

SHA256
88f7d722eb65f7aa4b5ec18672eee3042d4db23f574b0057141599ba4205fbfd

SHA512
470503ce01696ca90273647366a7d90b17a14b6bbbd0ec6a32e1061e89252b9e7a53c3ec03bbcbf7d9f7cf182997085383719188d68e842f6ad5760bb00f5caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkdcv16.exe
Filesize
823KB

MD5
2c182a7c31678076fc7ace093b2d842b

SHA1
21146f56c76193cdc790f40e63432e9a440d1f7b

SHA256
88f7d722eb65f7aa4b5ec18672eee3042d4db23f574b0057141599ba4205fbfd

SHA512
470503ce01696ca90273647366a7d90b17a14b6bbbd0ec6a32e1061e89252b9e7a53c3ec03bbcbf7d9f7cf182997085383719188d68e842f6ad5760bb00f5caf

Download Submit
C:\Users\Admin\AppData\Roaming\nkdv16c.exe
Filesize
529KB

MD5
d9977aa232ade22471469a6487b30f99

SHA1
f1c5529d749a6e48c7d13395c92a6eb1c0c9a518

SHA256
2394f0d3bec63a501f9bbcb618ac2981b22d49911fa7a3fdba0766d95dd15e62

SHA512
a430fed6f5434550b36a596d175efbfcc83e52ca4d678781c44d73f1ed2bdaad8e5712cd2c09b790f9eb10b4562afff3ea8f41aebf4d2fddb104df24eacf6995

Download Submit
C:\Users\Admin\AppData\Roaming\nkdv16c.exe
Filesize
529KB

MD5
d9977aa232ade22471469a6487b30f99

SHA1
f1c5529d749a6e48c7d13395c92a6eb1c0c9a518

SHA256
2394f0d3bec63a501f9bbcb618ac2981b22d49911fa7a3fdba0766d95dd15e62

SHA512
a430fed6f5434550b36a596d175efbfcc83e52ca4d678781c44d73f1ed2bdaad8e5712cd2c09b790f9eb10b4562afff3ea8f41aebf4d2fddb104df24eacf6995

Download Submit
memory/1148-145-0x0000000000000000-mapping.dmp

Download
memory/1496-146-0x0000000000000000-mapping.dmp

Download
memory/1660-151-0x0000000000000000-mapping.dmp

Download
memory/2804-148-0x0000000000000000-mapping.dmp

Download
memory/2960-147-0x0000000000000000-mapping.dmp

Download
memory/3908-152-0x0000000000000000-mapping.dmp

Download
memory/4248-149-0x0000000000000000-mapping.dmp

Download
memory/4944-139-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4944-132-0x0000000000000000-mapping.dmp

Download
memory/4944-136-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4944-135-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4944-133-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4956-150-0x0000000000000000-mapping.dmp

Download
memory/5040-143-0x0000000000000000-mapping.dmp

Download
memory/5088-142-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/5088-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads