54bc8ad70bdd156ce345dc785b4858d2b47a69b74855f76a7016d1aae3b74e13

General

Target

rKabelimpedansen.exe
Size

261KB
MD5

c1ec64696fd5605c0c5ce991dc745e9c
SHA1

540ef9ba5b441361034bb532013d2c8e5614b02f
SHA256

54bc8ad70bdd156ce345dc785b4858d2b47a69b74855f76a7016d1aae3b74e13
SHA512

8c87a48fd3af7f9e1dc273c2d3a2d23712b524b735da426cdfa3c94ae7f6a6b050a552d2e596abc5eb30068ef835fd9dba0a045ceee4779116162ca4b981873d
SSDEEP

6144:pkyacCTf78bzTXytStmOAaE0w8QUwe8AW8R:pkNTTQTXWSkY4e8AP

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
55	968	wscript.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	rKabelimpedansen.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	rKabelimpedansen.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	rKabelimpedansen.exe

Loads dropped DLL 1 IoCs

pid	Process
4908	rKabelimpedansen.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1696	rKabelimpedansen.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4908	rKabelimpedansen.exe
1696	rKabelimpedansen.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4908 set thread context of 1696	4908	rKabelimpedansen.exe	87
PID 1696 set thread context of 3284	1696	rKabelimpedansen.exe	37
PID 968 set thread context of 3284	968	wscript.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2096	3908	WerFault.exe	92

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wscript.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1696	rKabelimpedansen.exe
1696	rKabelimpedansen.exe
1696	rKabelimpedansen.exe
1696	rKabelimpedansen.exe
1696	rKabelimpedansen.exe
1696	rKabelimpedansen.exe
1696	rKabelimpedansen.exe
1696	rKabelimpedansen.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3284	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4908	rKabelimpedansen.exe
1696	rKabelimpedansen.exe
1696	rKabelimpedansen.exe
1696	rKabelimpedansen.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe
968	wscript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	rKabelimpedansen.exe
Token: SeDebugPrivilege	968	wscript.exe
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1696	4908	rKabelimpedansen.exe	87
PID 4908 wrote to memory of 1696	4908	rKabelimpedansen.exe	87
PID 4908 wrote to memory of 1696	4908	rKabelimpedansen.exe	87
PID 4908 wrote to memory of 1696	4908	rKabelimpedansen.exe	87
PID 3284 wrote to memory of 968	3284	Explorer.EXE	91
PID 3284 wrote to memory of 968	3284	Explorer.EXE	91
PID 3284 wrote to memory of 968	3284	Explorer.EXE	91
PID 968 wrote to memory of 3908	968	wscript.exe	92
PID 968 wrote to memory of 3908	968	wscript.exe	92
PID 968 wrote to memory of 3908	968	wscript.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Users\Admin\AppData\Local\Temp\rKabelimpedansen.exe
  "C:\Users\Admin\AppData\Local\Temp\rKabelimpedansen.exe"
  2⤵
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\rKabelimpedansen.exe
    "C:\Users\Admin\AppData\Local\Temp\rKabelimpedansen.exe"
    3⤵
    - Checks QEMU agent file
    - Checks computer location settings
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3908
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3908 -s 136
      4⤵
      Program crash
      PID:2096

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3908 -ip 3908
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsb7E4E.tmp\System.dll

Filesize
11KB

MD5
fc90dfb694d0e17b013d6f818bce41b0

SHA1
3243969886d640af3bfa442728b9f0dff9d5f5b0

SHA256
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528

SHA512
324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

Download Submit
memory/968-165-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/968-171-0x00000000013F0000-0x000000000147F000-memory.dmp

Filesize
572KB

Download
memory/968-170-0x0000000002FF0000-0x000000000333A000-memory.dmp

Filesize
3.3MB

Download
memory/968-168-0x0000000000E00000-0x0000000000E2D000-memory.dmp

Filesize
180KB

Download
memory/968-167-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1696-159-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1696-163-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/1696-162-0x0000000037640000-0x000000003798A000-memory.dmp

Filesize
3.3MB

Download
memory/1696-166-0x0000000001660000-0x0000000006FDD000-memory.dmp

Filesize
89.5MB

Download
memory/1696-158-0x0000000001660000-0x0000000006FDD000-memory.dmp

Filesize
89.5MB

Download
memory/1696-169-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1696-157-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1696-144-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3284-164-0x0000000003140000-0x00000000031F8000-memory.dmp

Filesize
736KB

Download
memory/3284-173-0x0000000007440000-0x000000000752F000-memory.dmp

Filesize
956KB

Download
memory/3284-175-0x0000000007440000-0x000000000752F000-memory.dmp

Filesize
956KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads