Analysis
- max time kernel: 140s
- max time network: 77s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/12/2023, 19:54
Static task
- static1: 1 signatures

Behavioral task
- behavioral1
  - Sample: 0f11ac2d2651a04818e0fe6ad5e9f96a.exe
  - Resource: win7-20231129-en
  - 2 signatures
  - 150 seconds

Behavioral task
- behavioral2
  - Sample: 0f11ac2d2651a04818e0fe6ad5e9f96a.exe
  - Resource: win10v2004-20231215-en
  - 6 signatures
  - 150 seconds
General
- Target: 0f11ac2d2651a04818e0fe6ad5e9f96a.exe
- Size: 75KB
- MD5: 0f11ac2d2651a04818e0fe6ad5e9f96a
- SHA1: b11e8533fd75c53c4c8cc800495725d5a742f2bc
- SHA256: 29b38d0fa9fd547e21d489d036c7dd0f44d867b8392145f9814c196b01b076fd
- SHA512: 4fbb9f315ebd73d16a825833c799c0dcdd5a2fc885ef21859d7d9e139dbee1fd1d648c3fd60861899b2fbbb5cd4d24bf8cf53ae959913be41ab0e84eb4934351
- SSDEEP: 1536:pLrq+nXbwcuY97OgJNCcWtXUOuQoRdbZLcrYd93dVj8My:pfCjgJDWtXUOu//bZ7d3KM

Score: 6/10
Malware Config
Signatures
- Modifies WinLogon (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "kdkmv.exe" (Process: 0f11ac2d2651a04818e0fe6ad5e9f96a.exe)
- Drops file in System32 directory (2 IoCs)
  - File created: C:\Windows\SysWOW64\kdkmv.exe (Process: 0f11ac2d2651a04818e0fe6ad5e9f96a.exe)
  - File opened for modification: C:\Windows\SysWOW64\kdkmv.exe (Process: 0f11ac2d2651a04818e0fe6ad5e9f96a.exe)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 932 set thread context of 4324 (Process: 0f11ac2d2651a04818e0fe6ad5e9f96a.exe, procid_target: 22)
- Suspicious behavior: EnumeratesProcesses (36 IoCs)
  - 36 identical entries: PID 932, Process 0f11ac2d2651a04818e0fe6ad5e9f96a.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs), all from PID 932 (Process: 0f11ac2d2651a04818e0fe6ad5e9f96a.exe)
  - Token: SeIncreaseQuotaPrivilege
  - Token: SeSecurityPrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeLoadDriverPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeSystemtimePrivilege
  - Token: SeProfSingleProcessPrivilege
  - Token: SeIncBasePriorityPrivilege
  - Token: SeCreatePagefilePrivilege
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeDebugPrivilege
  - Token: SeSystemEnvironmentPrivilege
  - Token: SeChangeNotifyPrivilege
  - Token: SeRemoteShutdownPrivilege
  - Token: SeUndockPrivilege
  - Token: SeManageVolumePrivilege
  - Token: SeImpersonatePrivilege
  - Token: SeCreateGlobalPrivilege
  - Token: 33
  - Token: 34
  - Token: 35
  - Token: 36
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 932 wrote to memory of 3764 (Process: 0f11ac2d2651a04818e0fe6ad5e9f96a.exe, procid_target: 23)
  - PID 932 wrote to memory of 3764 (Process: 0f11ac2d2651a04818e0fe6ad5e9f96a.exe, procid_target: 23)
  - PID 932 wrote to memory of 4324 (Process: 0f11ac2d2651a04818e0fe6ad5e9f96a.exe, procid_target: 22)
  - PID 932 wrote to memory of 4324 (Process: 0f11ac2d2651a04818e0fe6ad5e9f96a.exe, procid_target: 22)
Processes
- C:\Users\Admin\AppData\Local\Temp\0f11ac2d2651a04818e0fe6ad5e9f96a.exe (PID 932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f11ac2d2651a04818e0fe6ad5e9f96a.exe"
  - Modifies WinLogon
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\bfsvc.exe (PID 4324)
    Command line: C:\Windows\bfsvc.exe
  - Child: C:\Windows\bfsvc.exe (PID 3764)
    Command line: C:\Windows\bfsvc.exe