0cf1fb98bec224f1b5060c40c4784e5a43b022e2ce105b920bca786a92d153c3

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2023 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kek.exe
Size

14KB
MD5

68974532c8f44695e93037387a4c144e
SHA1

581dc09b37eaf8177757a0d02598b5f8d528a59b
SHA256

0cf1fb98bec224f1b5060c40c4784e5a43b022e2ce105b920bca786a92d153c3
SHA512

7aea74e4cabfdd66034537eb3421e1e01029b084139657f4ce93cd8bdd019ef843570d1b986653a54388dcbf60a1eb069ee4252c6e98ae3739a81d63134db87a
SSDEEP

192:y+8C+EKS0O9ejYTDG8bcp4LlzSnieXubWyD9JEBkGxVXoqoNSRJo:yNVjYTDG8gpqZeXTyD3EnxXoNV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

kek.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation kek.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

4552 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation	kek.exe

pid	process
4552	WScript.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kek.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kek.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	kek.exe

Modifies registry class 1 IoCs

Processes:

kek.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings kek.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

kek.exe

description pid process

Token: SeDebugPrivilege 3496 kek.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings	kek.exe

description	pid	process
Token: SeDebugPrivilege	3496	kek.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

kek.exe

description	pid	process	target process
PID 3496 wrote to memory of 4552	3496	kek.exe	WScript.exe
PID 3496 wrote to memory of 4552	3496	kek.exe	WScript.exe
PID 3496 wrote to memory of 4552	3496	kek.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\kek.exe
"C:\Users\Admin\AppData\Local\Temp\kek.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mjjtnxDp.vbs"
2⤵
- Deletes itself
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mjjtnxDp.vbs
Filesize
140B

MD5
8bd270c7ed718398879d43068036c048

SHA1
bda95a68367b9ce22e4fc53a0d88eb2c455a07a1

SHA256
29886efc9ce6a9a72ec952a8a036dd7ee2dc951317f523e54b645a9b34271462

SHA512
2b72c6dfaa49121a07bd25abcf45aa8370e3da9e630ffc0295e76ef58d89938e05f47363df39dc16fe84862315510453a72ab914a5c7efa4c47ca38f9adec4f2

Download Submit
memory/3496-0-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/3496-1-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/3496-2-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/3496-6-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download