e5d635f480c9ceb724441a3bd09220ff1cb15d46fa13bb7d8ae6acb7eb347956

General

Target

181d489cb509010138daad808c9cc74d.exe
Size

1.8MB
MD5

181d489cb509010138daad808c9cc74d
SHA1

5b6f103a72d54440bfe614fc9f97cc5f4bc84c5c
SHA256

e5d635f480c9ceb724441a3bd09220ff1cb15d46fa13bb7d8ae6acb7eb347956
SHA512

b65a4734584e5593b70bd87d037b868356c02ca4431ef7b8308df9078866573a1f318983dfc2480d4017142abcc29c153d5820c5fb4151b94f838ab091d232fa
SSDEEP

49152:kNaX98Adc4IJX0rdldc4IJX0rdU4IJX0rdldRldc4IJt:0SqAq4Iedlq4IedU4Iedl7lq4In

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3432	ktyne.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/764-0-0x0000000000400000-0x00000000005DC000-memory.dmp	upx
behavioral2/files/0x000400000001e982-5.dat	upx
behavioral2/memory/764-6-0x0000000000400000-0x00000000005DC000-memory.dmp	upx
behavioral2/memory/3432-11-0x0000000000400000-0x00000000005DC000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ktyne.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	ktyne.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	ktyne.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	ktyne.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	ktyne.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	ktyne.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	ktyne.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	ktyne.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ktyne.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	ktyne.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	ktyne.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	ktyne.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	ktyne.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ktyne.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	ktyne.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	ktyne.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	ktyne.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	ktyne.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
764	181d489cb509010138daad808c9cc74d.exe
764	181d489cb509010138daad808c9cc74d.exe
764	181d489cb509010138daad808c9cc74d.exe
764	181d489cb509010138daad808c9cc74d.exe
3432	ktyne.exe
3432	ktyne.exe
3432	ktyne.exe
3432	ktyne.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3432	ktyne.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 3432	764	181d489cb509010138daad808c9cc74d.exe	91
PID 764 wrote to memory of 3432	764	181d489cb509010138daad808c9cc74d.exe	91
PID 764 wrote to memory of 3432	764	181d489cb509010138daad808c9cc74d.exe	91

C:\Users\Admin\AppData\Local\Temp\181d489cb509010138daad808c9cc74d.exe
"C:\Users\Admin\AppData\Local\Temp\181d489cb509010138daad808c9cc74d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\ktyne.exe
  C:\Users\Admin\AppData\Local\Temp\ktyne.exe -run C:\Users\Admin\AppData\Local\Temp\181d489cb509010138daad808c9cc74d.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ktyne.exe

Filesize
1.8MB

MD5
64dc8da39b32eac2a837d0b879d86d0a

SHA1
b60e6e217343fce0b364eb3726869425a5bed91c

SHA256
cb82cff183045aa92847bc8f25e3ab8f984f16ba17bfb588456a90966a0c984f

SHA512
92d4bbbddc380f10a261ad2d4558a6e5dc73bc6f1d239b0e4dbd1e9b4504e9f41cad406ed64cfab394adf7ff9dc6023bd06d27620a5eeed6dac588a8cf76c589

Download Submit
memory/764-0-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/764-6-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/3432-10-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3432-11-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing