a7248d1e579843c867e20538e5c557bd20d84b07612af7f1073363b3262c2f89

Resubmissions

31-03-2023 18:49

230331-xgmkhsce75 7

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OPEN_SETUP_FILE_KMS_PICO_FULL.exe
Size

9.5MB
MD5

40637b33eac9f79cdeb8df7975d80c85
SHA1

fb167f4a7c9cfbf14df59accea1961160871c729
SHA256

ec6a3b8ca35b6fe0c19c0421fe19f29fc8899d9b25d242f13be26fb08d9e2afe
SHA512

e83359d020e2c691ac1df6161948fc3b92b5869e7c29c083c43543c4fc882ceabdde8d1e02ea4abbfd61f80038f6b5ca8a9e6410b8199daf94ec24a83823e14a
SSDEEP

196608:pxVQ9qHvHe98YVPEmzF/+Ek9amX46X8bViIJ+11R/c3CKS6:/VQ9qbYVMmt3C7X4NLOX/4CKl

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OPEN_SETUP_FILE_KMS_PICO_FULL.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OPEN_SETUP_FILE_KMS_PICO_FULL.exe

Executes dropped EXE 3 IoCs

Processes:

Setup.exeKMSpico.exeKMSpico.tmp

pid process

988 Setup.exe
2700 KMSpico.exe
1948 KMSpico.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
988	Setup.exe
2700	KMSpico.exe
1948	KMSpico.tmp

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Setup.exe

Drops file in Program Files directory 6 IoCs

Processes:

OPEN_SETUP_FILE_KMS_PICO_FULL.exe

description	ioc	process
File created	C:\Program Files (x86)\manque1\KMSpico.exe	OPEN_SETUP_FILE_KMS_PICO_FULL.exe
File opened for modification	C:\Program Files (x86)\manque1\KMSpico.exe	OPEN_SETUP_FILE_KMS_PICO_FULL.exe
File created	C:\Program Files (x86)\manque1\Setup.exe	OPEN_SETUP_FILE_KMS_PICO_FULL.exe
File opened for modification	C:\Program Files (x86)\manque1\Setup.exe	OPEN_SETUP_FILE_KMS_PICO_FULL.exe
File opened for modification	C:\Program Files (x86)\manque1	OPEN_SETUP_FILE_KMS_PICO_FULL.exe
File created	C:\Program Files (x86)\manque1\__tmp_rar_sfx_access_check_240551109	OPEN_SETUP_FILE_KMS_PICO_FULL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exe

pid process

988 Setup.exe
988 Setup.exe
988 Setup.exe
988 Setup.exe

pid	process
988	Setup.exe
988	Setup.exe
988	Setup.exe
988	Setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

OPEN_SETUP_FILE_KMS_PICO_FULL.exeKMSpico.exe

description	pid	process	target process
PID 2732 wrote to memory of 988	2732	OPEN_SETUP_FILE_KMS_PICO_FULL.exe	Setup.exe
PID 2732 wrote to memory of 988	2732	OPEN_SETUP_FILE_KMS_PICO_FULL.exe	Setup.exe
PID 2732 wrote to memory of 988	2732	OPEN_SETUP_FILE_KMS_PICO_FULL.exe	Setup.exe
PID 2732 wrote to memory of 2700	2732	OPEN_SETUP_FILE_KMS_PICO_FULL.exe	KMSpico.exe
PID 2732 wrote to memory of 2700	2732	OPEN_SETUP_FILE_KMS_PICO_FULL.exe	KMSpico.exe
PID 2732 wrote to memory of 2700	2732	OPEN_SETUP_FILE_KMS_PICO_FULL.exe	KMSpico.exe
PID 2700 wrote to memory of 1948	2700	KMSpico.exe	KMSpico.tmp
PID 2700 wrote to memory of 1948	2700	KMSpico.exe	KMSpico.tmp
PID 2700 wrote to memory of 1948	2700	KMSpico.exe	KMSpico.tmp

C:\Users\Admin\AppData\Local\Temp\OPEN_SETUP_FILE_KMS_PICO_FULL.exe
"C:\Users\Admin\AppData\Local\Temp\OPEN_SETUP_FILE_KMS_PICO_FULL.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2732

C:\Program Files (x86)\manque1\Setup.exe
"C:\Program Files (x86)\manque1\Setup.exe"
2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:988

C:\Program Files (x86)\manque1\KMSpico.exe
"C:\Program Files (x86)\manque1\KMSpico.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\is-U9MP6.tmp\KMSpico.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U9MP6.tmp\KMSpico.tmp" /SL5="$5005E,2952592,69120,C:\Program Files (x86)\manque1\KMSpico.exe"
3⤵
- Executes dropped EXE
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\manque1\KMSpico.exe
Filesize
3.1MB

MD5
a02164371a50c5ff9fa2870ef6e8cfa3

SHA1
060614723f8375ecaad8b249ff07e3be082d7f25

SHA256
64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a

SHA512
6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326

Download Submit
C:\Program Files (x86)\manque1\KMSpico.exe
Filesize
3.1MB

MD5
a02164371a50c5ff9fa2870ef6e8cfa3

SHA1
060614723f8375ecaad8b249ff07e3be082d7f25

SHA256
64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a

SHA512
6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326

Download Submit
C:\Program Files (x86)\manque1\KMSpico.exe
Filesize
3.1MB

MD5
a02164371a50c5ff9fa2870ef6e8cfa3

SHA1
060614723f8375ecaad8b249ff07e3be082d7f25

SHA256
64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a

SHA512
6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326

Download Submit
C:\Program Files (x86)\manque1\Setup.exe
Filesize
541.4MB

MD5
96190dc7e4afad2866bd9bfc2a32a050

SHA1
fa21fdd0644fd61029442630bac4badbbc298730

SHA256
f0ebcbee89c3495d5fc6d17b00ae986f554c0699056d2f280f57da8374314787

SHA512
e4b0126882f7749960c10532a26ac2123ba6514bd240005da00b27ac4971be1cf46c6195e544c067dfc1e3a2a8bed5481f37de9ebbb78f936a1df1fa5c533f80

Download Submit
C:\Program Files (x86)\manque1\Setup.exe
Filesize
213.8MB

MD5
9541dc09ec22b74e1b86f2d6c57df919

SHA1
cddcbfcf2ccac313cb203204f2e4d39bdc2485bb

SHA256
53f2f6d8dc6d0928423a4d917d87f3c0e92c83d24f17726e896739cdb54bbf37

SHA512
87cc6732edb7294bd53ef3d7f1f4fa39a59087f21fa5ae691fa457ec485cdd88cdf409209410a765ee8db23a1bc2e4a8e0c4e5b407c8300b55d65910d7e3517f

Download Submit
C:\Program Files (x86)\manque1\Setup.exe
Filesize
186.9MB

MD5
139d2daa94fa7713b5e26999229d3668

SHA1
92d62fe71e766450a427251b0f7ee86f238d76b2

SHA256
6731d5ee244d04e5afbe6b25d719af61ab50ec4130e5ab44a4276de2445629f8

SHA512
296ae5495c187595ddee31a0c8d1e5e0f702b3f367e86ffc96189f40dac31554812c78a6bf53bae8b9cdf3bd7ae68b691ba32431058bec697ee960357411b12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\89C7.tmp
Filesize
71KB

MD5
92d24961d2ebaacf1ace5463dfc9930d

SHA1
99ffaf6904ab616c33a37ce01d383e4a493df335

SHA256
9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3

SHA512
77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U9MP6.tmp\KMSpico.tmp
Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U9MP6.tmp\KMSpico.tmp
Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
memory/988-169-0x0000000000400000-0x0000000000E15000-memory.dmp

Filesize
10.1MB

Download
memory/988-168-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/1948-173-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1948-167-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1948-183-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1948-204-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2700-172-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2700-157-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download