Analysis
max time kernel: 128s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2023 05:47
Static task: static1
Behavioral task: behavioral1
Sample: f6ed1f34f629ab51dba4c63dc57c1a91.exe
Resource: win7-20230220-en
General
Target: f6ed1f34f629ab51dba4c63dc57c1a91.exe
Size: 6.8MB
MD5: f6ed1f34f629ab51dba4c63dc57c1a91
SHA1: b62bbeef12de9a18ecf785153b9b429bca733aba
SHA256: 104645c74843e385754502a80a935156b585c6969fba1be83efe9b554a746560
SHA512: 853b9c762d5ce15948b2a23e26f581b02ac16749157669fd8ec702e7cdab25aded95ece117b2ed971cedee9d4df724340ad946e8cb8e775bd749e7de61fb468d
SSDEEP: 196608:7DANPFmCV+OoxomMRb4MGK3oI8XY2OqjoRK:70HPE+7GK3oVhOI
Malware Config
Signatures
SectopRAT payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4016-161-0x0000000000400000-0x00000000004D6000-memory.dmp | family_sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: f6ed1f34f629ab51dba4c63dc57c1a91.exe, kecovi.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f6ed1f34f629ab51dba4c63dc57c1a91.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | kecovi.exe

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: f6ed1f34f629ab51dba4c63dc57c1a91.exe, kecovi.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f6ed1f34f629ab51dba4c63dc57c1a91.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f6ed1f34f629ab51dba4c63dc57c1a91.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | kecovi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | kecovi.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: f6ed1f34f629ab51dba4c63dc57c1a91.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | f6ed1f34f629ab51dba4c63dc57c1a91.exe

Drops startup file 2 IoCs
Processes: f6ed1f34f629ab51dba4c63dc57c1a91.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\camilixato.url | f6ed1f34f629ab51dba4c63dc57c1a91.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\camilixato.url | f6ed1f34f629ab51dba4c63dc57c1a91.exe

Executes dropped EXE 1 IoCs
Processes: kecovi.exe
pid | process
4968 | kecovi.exe

Checks whether UAC is enabled
Processes: f6ed1f34f629ab51dba4c63dc57c1a91.exe, kecovi.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | f6ed1f34f629ab51dba4c63dc57c1a91.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kecovi.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: f6ed1f34f629ab51dba4c63dc57c1a91.exe, kecovi.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | f6ed1f34f629ab51dba4c63dc57c1a91.exe
File opened for modification | \??\PhysicalDrive0 | kecovi.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: f6ed1f34f629ab51dba4c63dc57c1a91.exe, kecovi.exe
pid | process
4352 | f6ed1f34f629ab51dba4c63dc57c1a91.exe
4968 | kecovi.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: kecovi.exe
description | pid process | target process
PID 4968 set thread context of 4016 | 4968 kecovi.exe | InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: f6ed1f34f629ab51dba4c63dc57c1a91.exe, kecovi.exe
pid | process
4352 | f6ed1f34f629ab51dba4c63dc57c1a91.exe
4352 | f6ed1f34f629ab51dba4c63dc57c1a91.exe
4352 | f6ed1f34f629ab51dba4c63dc57c1a91.exe
4352 | f6ed1f34f629ab51dba4c63dc57c1a91.exe
4968 | kecovi.exe
4968 | kecovi.exe
4968 | kecovi.exe
4968 | kecovi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: InstallUtil.exe
description | pid process
Token: SeDebugPrivilege | 4016 InstallUtil.exe

Suspicious use of WriteProcessMemory 14 IoCs
Processes: f6ed1f34f629ab51dba4c63dc57c1a91.exe, cmd.exe, kecovi.exe
description | pid process | target process
PID 4352 wrote to memory of 4968 | 4352 f6ed1f34f629ab51dba4c63dc57c1a91.exe | kecovi.exe
PID 4352 wrote to memory of 4968 | 4352 f6ed1f34f629ab51dba4c63dc57c1a91.exe | kecovi.exe
PID 4352 wrote to memory of 4968 | 4352 f6ed1f34f629ab51dba4c63dc57c1a91.exe | kecovi.exe
PID 4352 wrote to memory of 3472 | 4352 f6ed1f34f629ab51dba4c63dc57c1a91.exe | cmd.exe
PID 4352 wrote to memory of 3472 | 4352 f6ed1f34f629ab51dba4c63dc57c1a91.exe | cmd.exe
PID 4352 wrote to memory of 3472 | 4352 f6ed1f34f629ab51dba4c63dc57c1a91.exe | cmd.exe
PID 3472 wrote to memory of 3940 | 3472 cmd.exe | PING.EXE
PID 3472 wrote to memory of 3940 | 3472 cmd.exe | PING.EXE
PID 3472 wrote to memory of 3940 | 3472 cmd.exe | PING.EXE
PID 4968 wrote to memory of 4016 | 4968 kecovi.exe | InstallUtil.exe
PID 4968 wrote to memory of 4016 | 4968 kecovi.exe | InstallUtil.exe
PID 4968 wrote to memory of 4016 | 4968 kecovi.exe | InstallUtil.exe
PID 4968 wrote to memory of 4016 | 4968 kecovi.exe | InstallUtil.exe
PID 4968 wrote to memory of 4016 | 4968 kecovi.exe | InstallUtil.exe
Processes (process tree; depth markers 1, 2, 3 from the original report)
(depth 1) C:\Users\Admin\AppData\Local\Temp\f6ed1f34f629ab51dba4c63dc57c1a91.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f6ed1f34f629ab51dba4c63dc57c1a91.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks computer location settings
   - Drops startup file
   - Checks whether UAC is enabled
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   (depth 2) C:\ProgramData\kidequoxayes\kecovi.exe
      Command line: "C:\ProgramData\kidequoxayes\kecovi.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      (depth 3) C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
         - Suspicious use of AdjustPrivilegeToken
   (depth 2) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c @echo off & ping 127.0.0.1 -n 5 -w 1000 > nul & del "C:\Users\Admin\AppData\Local\Temp\f6ed1f34f629ab51dba4c63dc57c1a91.exe"
      - Suspicious use of WriteProcessMemory
      (depth 3) C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 5 -w 1000
         - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\kidequoxayes\kecovi.exe
  Filesize: 656.8MB
  MD5: 5203b21a7197dbdc609141209258646d
  SHA1: c54155859b18af061b6cb46a329ec4aecbbe0077
  SHA256: 7dc7b4d834c091fd35647857f39317be4deb6e3744e3f4f2a2ff4fda258d28b7
  SHA512: 95c81e3fc405faeb238e85b4a2b1c3d26ef4ab4eba0a6d2a6156d19186a17d502bd86ebcd1a0a96a7089b88976eb987a76e729c33a591074078f9e9e7155437a
C:\ProgramData\mntemp
  Filesize: 16B
  MD5: b19a4205f90c549c25f5da39604816ac
  SHA1: 75491ac56838dc08896d4f2ba565e759bc706759
  SHA256: 42a654a48aa31d713ad2b1bb9758d4580229355568835713ecfc8abd2f56b3d2
  SHA512: d75a960672f576ffad44b5225be4053881166f1fbb2692adf7b77fee46d3c7211564ae79b5fe198cd2f0bc1cc57ed00886afdbdb49ce8f76c9faba9b6187874d
Memory dumps (resource, Filesize):
memory/4016-160-0x0000000000400000-0x00000000004D6000-memory.dmp  Filesize: 856KB
memory/4016-169-0x0000000005940000-0x0000000005950000-memory.dmp  Filesize: 64KB
memory/4016-168-0x0000000005940000-0x0000000005950000-memory.dmp  Filesize: 64KB
memory/4016-167-0x0000000005650000-0x0000000005688000-memory.dmp  Filesize: 224KB
memory/4016-166-0x0000000005620000-0x000000000564E000-memory.dmp  Filesize: 184KB
memory/4016-165-0x00000000056C0000-0x0000000005752000-memory.dmp  Filesize: 584KB
memory/4016-164-0x0000000005BD0000-0x0000000006174000-memory.dmp  Filesize: 5.6MB
memory/4016-161-0x0000000000400000-0x00000000004D6000-memory.dmp  Filesize: 856KB
memory/4352-150-0x0000000001660000-0x0000000001670000-memory.dmp  Filesize: 64KB
memory/4352-155-0x0000000000400000-0x00000000012AE000-memory.dmp  Filesize: 14.7MB
memory/4352-133-0x0000000000400000-0x00000000012AE000-memory.dmp  Filesize: 14.7MB
memory/4352-139-0x0000000000400000-0x00000000012AE000-memory.dmp  Filesize: 14.7MB
memory/4352-138-0x0000000001660000-0x0000000001670000-memory.dmp  Filesize: 64KB
memory/4352-137-0x0000000001660000-0x0000000001670000-memory.dmp  Filesize: 64KB
memory/4968-159-0x00000000037F0000-0x0000000003800000-memory.dmp  Filesize: 64KB
memory/4968-158-0x0000000000400000-0x00000000012AE000-memory.dmp  Filesize: 14.7MB
memory/4968-162-0x00000000037F0000-0x0000000003800000-memory.dmp  Filesize: 64KB
memory/4968-163-0x0000000000400000-0x00000000012AE000-memory.dmp  Filesize: 14.7MB
memory/4968-156-0x0000000000400000-0x00000000012AE000-memory.dmp  Filesize: 14.7MB