493aa63079d4a7087ca1e3acb85a3018251407546b90f762264459ae34f28def

Analysis

max time kernel
82s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KennedyRemoteSupport4.exe
Size

261KB
MD5

bcd0a1b3180ba39d37e1a2869edb1d9d
SHA1

044b546d6cd58ed0908dc9418a45c1d3d1feca59
SHA256

493aa63079d4a7087ca1e3acb85a3018251407546b90f762264459ae34f28def
SHA512

6cd461295114275ab995d4cadcbeb7416ae9d084b8527d8e2d939c1f3162940ca120c38ff1cbb2a89812a2be7cea403524159b681a0e43783177ca39186e14a1
SSDEEP

6144:HvlAkAsl3DR2+Mq9zntr0eUkIiKTrD8R+E8clVxNGNaumRIg7+9vc:Kk5L2FqP6kInW+E8GVzGskRc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	KennedyRemoteSupport4.exe

Executes dropped EXE 1 IoCs

pid	Process
940	winvnc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4928	KennedyRemoteSupport4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 940	4928	KennedyRemoteSupport4.exe	85
PID 4928 wrote to memory of 940	4928	KennedyRemoteSupport4.exe	85
PID 4928 wrote to memory of 940	4928	KennedyRemoteSupport4.exe	85

C:\Users\Admin\AppData\Local\Temp\KennedyRemoteSupport4.exe
"C:\Users\Admin\AppData\Local\Temp\KennedyRemoteSupport4.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\winvnc.exe
  "C:\Users\Admin\AppData\Local\Temp\winvnc.exe"
  2⤵
  - Executes dropped EXE
  PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\background.bmp

Filesize
1KB

MD5
04e85705e55fdce220278ebb75331baa

SHA1
f8da5272ebdfd32239eed0374feb9d8a51d44c50

SHA256
160191cc57be4f87d48284c12159308b7a59dbb0b062f9ae830c66b820eba662

SHA512
1d35c18bde5776e9f575d3ff1cd867e0f986cb77db9a589733ff3671f6fa4fc874d25490515186534410965f1909b8a47bd9368cf36274792e143777d760c975

Download Submit
C:\Users\Admin\AppData\Local\Temp\helpdesk.txt

Filesize
870B

MD5
b10bf8de5e2a16e323488c107f85bd96

SHA1
47e4d70b49199944701edba8144e8fbd07d35ad6

SHA256
3d95ca576164093652516085dfad1e19a8d4cb8f300fdd31886af86b835be1a6

SHA512
400e449447d1fdddd0473063b34927d653a9cb9273db29ddc6dd44501445faca58d86c0b539f57637d6f435b599598526e658818687b7e2ce31e799098edb095

Download Submit
C:\Users\Admin\AppData\Local\Temp\logo.bmp

Filesize
35KB

MD5
35297ef1419f7950c04f3aa349480e37

SHA1
0658c444a67f91af2c26f1b2d3d50dd5c155baa2

SHA256
e38a4319fba96a795276a1327f74dc8ea2bf28c30b080caa90de260d4239cad0

SHA512
26c4e3a14eec97cceaa724b8df1b27e9dcfc35cdee0221ae164d4c6a7664b1fdd243b3447d9d5fd1f5544a1d8329866e2416e34bfcbe1e5a5986b61bca148c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\winvnc.exe

Filesize
251KB

MD5
17ea95776e24f8386dca277a00212b8c

SHA1
04193bd1ffe73034445b830a8c30fa781508013b

SHA256
034b7899101bc9bfd7f622424dc1d50e3894f1d8eb8c13bb344073da827d7ca5

SHA512
02e5e11b46028e46edbc0df21fc3cd1b16cb06de380fbf4f490cc3e50837d9fb11a4e1ac0f06e85a78d16b946c3931b18b72a70f1469c5f3d5fa971a968a2524

Download Submit
C:\Users\Admin\AppData\Local\Temp\winvnc.exe

Filesize
251KB

MD5
17ea95776e24f8386dca277a00212b8c

SHA1
04193bd1ffe73034445b830a8c30fa781508013b

SHA256
034b7899101bc9bfd7f622424dc1d50e3894f1d8eb8c13bb344073da827d7ca5

SHA512
02e5e11b46028e46edbc0df21fc3cd1b16cb06de380fbf4f490cc3e50837d9fb11a4e1ac0f06e85a78d16b946c3931b18b72a70f1469c5f3d5fa971a968a2524

Download Submit
C:\Users\Admin\AppData\Local\Temp\winvnc.exe

Filesize
251KB

MD5
17ea95776e24f8386dca277a00212b8c

SHA1
04193bd1ffe73034445b830a8c30fa781508013b

SHA256
034b7899101bc9bfd7f622424dc1d50e3894f1d8eb8c13bb344073da827d7ca5

SHA512
02e5e11b46028e46edbc0df21fc3cd1b16cb06de380fbf4f490cc3e50837d9fb11a4e1ac0f06e85a78d16b946c3931b18b72a70f1469c5f3d5fa971a968a2524

Download Submit