0cf1fb98bec224f1b5060c40c4784e5a43b022e2ce105b920bca786a92d153c3

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
06-12-2023 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kek.exe
Size

14KB
MD5

68974532c8f44695e93037387a4c144e
SHA1

581dc09b37eaf8177757a0d02598b5f8d528a59b
SHA256

0cf1fb98bec224f1b5060c40c4784e5a43b022e2ce105b920bca786a92d153c3
SHA512

7aea74e4cabfdd66034537eb3421e1e01029b084139657f4ce93cd8bdd019ef843570d1b986653a54388dcbf60a1eb069ee4252c6e98ae3739a81d63134db87a
SSDEEP

192:y+8C+EKS0O9ejYTDG8bcp4LlzSnieXubWyD9JEBkGxVXoqoNSRJo:yNVjYTDG8gpqZeXTyD3EnxXoNV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

2680 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2680	WScript.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kek.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	kek.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kek.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

kek.exe

description pid process

Token: SeDebugPrivilege 1964 kek.exe

description	pid	process
Token: SeDebugPrivilege	1964	kek.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

kek.exe

description	pid	process	target process
PID 1964 wrote to memory of 2680	1964	kek.exe	WScript.exe
PID 1964 wrote to memory of 2680	1964	kek.exe	WScript.exe
PID 1964 wrote to memory of 2680	1964	kek.exe	WScript.exe
PID 1964 wrote to memory of 2680	1964	kek.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\kek.exe
"C:\Users\Admin\AppData\Local\Temp\kek.exe"
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\maKuSAtY.vbs"
2⤵
- Deletes itself
PID:2680

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\maKuSAtY.vbs
Filesize
140B

MD5
8bd270c7ed718398879d43068036c048

SHA1
bda95a68367b9ce22e4fc53a0d88eb2c455a07a1

SHA256
29886efc9ce6a9a72ec952a8a036dd7ee2dc951317f523e54b645a9b34271462

SHA512
2b72c6dfaa49121a07bd25abcf45aa8370e3da9e630ffc0295e76ef58d89938e05f47363df39dc16fe84862315510453a72ab914a5c7efa4c47ca38f9adec4f2

Download Submit
memory/1964-0-0x0000000074450000-0x00000000749FB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-1-0x0000000074450000-0x00000000749FB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-2-0x00000000001D0000-0x0000000000210000-memory.dmp

Filesize
256KB

Download
memory/1964-7-0x0000000074450000-0x00000000749FB000-memory.dmp

Filesize
5.7MB

Download