Analysis
- max time kernel: 141s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 12:32
Static task: static1
Behavioral task: behavioral1
Sample: 9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
Resource: win7-20220812-en
General
- Target: 9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
- Size: 861KB
- MD5: 9905a37faf38c17aead5bab3856a10f6
- SHA1: 04366e15e42148dca66e53bc96ef9fd7a8f18e44
- SHA256: 9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3
- SHA512: 71cf500ef94368ef9c364edf3d9b760676138c17e01db91b9c8f63326a8e34ab47b3b2af8f2d846263bb8f218d06fc42604eceebb0baf721662b1b3c3de35e3c
- SSDEEP: 24576:dA78/eSlW1c98PkHJQ0hYt3fpQGRP3nNAA8MJw:dlPWL+7hYdxQOnaN
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: nkdv16c.exe, nkdcv16.exe
    pid 5088: nkdv16c.exe
    pid 3908: nkdcv16.exe
- Possible privilege escalation attempt (3 IoCs)
  Processes: icacls.exe, takeown.exe, icacls.exe
    pid 4248: icacls.exe
    pid 4956: takeown.exe
    pid 1660: icacls.exe
- (yara rule matches)
  Processes:
    resource C:\Users\Admin\AppData\Roaming\nkdv16c.exe: yara_rule upx
    resource C:\Users\Admin\AppData\Roaming\nkdv16c.exe: yara_rule upx
    resource behavioral2/memory/5088-142-0x0000000000400000-0x00000000004E3000-memory.dmp: yara_rule upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: 9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe)
- Loads dropped DLL (1 IoC)
  Processes: nkdv16c.exe
    pid 5088: nkdv16c.exe
- Modifies file permissions (1 TTP, 3 IoCs)
  Processes: icacls.exe, takeown.exe, icacls.exe
    pid 4248: icacls.exe
    pid 4956: takeown.exe
    pid 1660: icacls.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (1 IoC)
  Processes: icacls.exe
    File created: C:\Windows\SysWOW64\fltLib.acl (process: icacls.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
    PID 5060 (9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe) set thread context of PID 4944 (9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- (registry modifications)
  Processes: 9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Google"
    Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"
    Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes: WMIC.exe, takeown.exe
    pid 2804 WMIC.exe, two identical passes over the following tokens (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    pid 4956 takeown.exe: SeTakeOwnershipPrivilege
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes: 9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe, 9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe, nkdv16c.exe, cmd.exe, cmd.exe
    PID 5060 (9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe) wrote to memory of PID 4944 (9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe): 8 entries
    PID 4944 (9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe) wrote to memory of PID 5088 (nkdv16c.exe): 3 entries
    PID 5088 (nkdv16c.exe) wrote to memory of PID 5040 (cmd.exe): 3 entries
    PID 5040 (cmd.exe) wrote to memory of PID 1148 (reg.exe): 3 entries
    PID 5040 (cmd.exe) wrote to memory of PID 1496 (reg.exe): 3 entries
    PID 5040 (cmd.exe) wrote to memory of PID 2960 (cmd.exe): 3 entries
    PID 2960 (cmd.exe) wrote to memory of PID 2804 (WMIC.exe): 3 entries
    PID 5040 (cmd.exe) wrote to memory of PID 4248 (icacls.exe): 3 entries
    PID 5040 (cmd.exe) wrote to memory of PID 4956 (takeown.exe): 3 entries
    PID 5040 (cmd.exe) wrote to memory of PID 1660 (icacls.exe): 3 entries
    PID 5040 (cmd.exe) wrote to memory of PID 3908 (nkdcv16.exe): 3 entries
Processes (indented by nesting level)
level 1: C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe"
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  level 2: C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
    command line: C:\Users\Admin\AppData\Local\Temp\9f861af0865c11876260b8f5dc98f79e692d97cf481768d88f808da83b9eaee3.exe
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    level 3: C:\Users\Admin\AppData\Roaming\nkdv16c.exe
      command line: "C:\Users\Admin\AppData\Roaming\nkdv16c.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      level 4: C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8B4D.tmp\nkdv16c.cmd""
        - Suspicious use of WriteProcessMemory
        level 5: C:\Windows\SysWOW64\reg.exe
          command line: C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d 1 /f
        level 5: C:\Windows\SysWOW64\reg.exe
          command line: C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SfcDisabled /t REG_DWORD /d 1 /f
        level 5: C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c wmic Group Where SID="S-1-5-32-544" Get Name /Value
          - Suspicious use of WriteProcessMemory
          level 6: C:\Windows\SysWOW64\Wbem\WMIC.exe
            command line: wmic Group Where SID="S-1-5-32-544" Get Name /Value
            - Suspicious use of AdjustPrivilegeToken
        level 5: C:\Windows\SysWOW64\icacls.exe
          command line: icacls C:\Windows\System32\fltLib.dll /save C:\Windows\System32\fltLib.acl /T
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Drops file in System32 directory
        level 5: C:\Windows\SysWOW64\takeown.exe
          command line: takeown /f C:\Windows\System32\fltLib.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
        level 5: C:\Windows\SysWOW64\icacls.exe
          command line: icacls C:\Windows\System32\fltLib.dll /grant Administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions
        level 5: C:\Users\Admin\AppData\Local\Temp\nkdcv16.exe
          command line: nkdcv16.exe
          - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\8B4D.tmp\b2e.dll
  Filesize: 31KB
  MD5: 7b860f28be19d4aef761fb991134a556
  SHA1: 0658a7456d0234dcca598b6ee599fe134d0ecd61
  SHA256: 57a2586d73188a694944c7da60c78380f82fac46452ed1a31c818ceb93e660bc
  SHA512: a0685a25cbc3fff74aa4ad538ade5282242980f07fe1171e01644e0fa98e1ec6adc87b943290983f6fb5070d26fc15d697ae31a1f570e83e504ae1e4508aefa5
- C:\Users\Admin\AppData\Local\Temp\8B4D.tmp\nkdv16c.cmd
  Filesize: 2KB
  MD5: a18077e8ca8217c7ac84ac9cadcafb7e
  SHA1: 1d212d0c6bd6da0c8da8869419711e197a7125f7
  SHA256: c7f92ce8222b40a1b9c934809ddcb467354cabbe0fcba3af6a155a808683e2b5
  SHA512: 352ac2b3c6a6768566296e5fb4186b0e55345717f5422ac2ae656a85f0a4e29ac98d8e63a81a064775cac8bc349f96ccf34b06bddc405fd02e51412d8f7264e6
- C:\Users\Admin\AppData\Local\Temp\nkdcv16.exe
  Filesize: 823KB
  MD5: 2c182a7c31678076fc7ace093b2d842b
  SHA1: 21146f56c76193cdc790f40e63432e9a440d1f7b
  SHA256: 88f7d722eb65f7aa4b5ec18672eee3042d4db23f574b0057141599ba4205fbfd
  SHA512: 470503ce01696ca90273647366a7d90b17a14b6bbbd0ec6a32e1061e89252b9e7a53c3ec03bbcbf7d9f7cf182997085383719188d68e842f6ad5760bb00f5caf
- C:\Users\Admin\AppData\Roaming\nkdv16c.exe
  Filesize: 529KB
  MD5: d9977aa232ade22471469a6487b30f99
  SHA1: f1c5529d749a6e48c7d13395c92a6eb1c0c9a518
  SHA256: 2394f0d3bec63a501f9bbcb618ac2981b22d49911fa7a3fdba0766d95dd15e62
  SHA512: a430fed6f5434550b36a596d175efbfcc83e52ca4d678781c44d73f1ed2bdaad8e5712cd2c09b790f9eb10b4562afff3ea8f41aebf4d2fddb104df24eacf6995