3a7e73d197980a72cfa212a4ebb2eab809c1cf1abf0be5e7ffde4275d513b477

General

Target

32050adefb91ca7c5a7fecbf86647784.exe
Size

393KB
MD5

32050adefb91ca7c5a7fecbf86647784
SHA1

b0c08e13b33aef6b13ce50078484be426888b023
SHA256

3a7e73d197980a72cfa212a4ebb2eab809c1cf1abf0be5e7ffde4275d513b477
SHA512

bf7469872038646a581711b3c453d9a6669b2a985d6ee8505faabdaa16cbdc64fef20c4e5bccbac3be929af35996df3608f236c9ee3b17f8785b2947a44128c3
SSDEEP

6144:TbXE9OiTGfhEClq98bd3BTznTiVrDpXA7U4ze4FGkxKawNSH:fU9XiuiHbdxTznTor2lGkx5N

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	32050adefb91ca7c5a7fecbf86647784.exe

Executes dropped EXE 1 IoCs

pid	Process
516	iphone.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\kk2\kk1\monkeypad.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\kk2\kk1\data.txt	32050adefb91ca7c5a7fecbf86647784.exe
File opened for modification	C:\Program Files (x86)\kk2\kk1\bramapod.bat	32050adefb91ca7c5a7fecbf86647784.exe
File opened for modification	C:\Program Files (x86)\kk2\kk1\monkeypad.jpg	32050adefb91ca7c5a7fecbf86647784.exe
File opened for modification	C:\Program Files (x86)\kk2\kk1\iphone.exe	32050adefb91ca7c5a7fecbf86647784.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3832	516	WerFault.exe	31

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	32050adefb91ca7c5a7fecbf86647784.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1152	mspaint.exe
1152	mspaint.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1152	mspaint.exe
1212	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4904	3588	32050adefb91ca7c5a7fecbf86647784.exe	32
PID 3588 wrote to memory of 4904	3588	32050adefb91ca7c5a7fecbf86647784.exe	32
PID 3588 wrote to memory of 4904	3588	32050adefb91ca7c5a7fecbf86647784.exe	32
PID 3588 wrote to memory of 1152	3588	32050adefb91ca7c5a7fecbf86647784.exe	27
PID 3588 wrote to memory of 1152	3588	32050adefb91ca7c5a7fecbf86647784.exe	27
PID 3588 wrote to memory of 1152	3588	32050adefb91ca7c5a7fecbf86647784.exe	27
PID 3588 wrote to memory of 516	3588	32050adefb91ca7c5a7fecbf86647784.exe	31
PID 3588 wrote to memory of 516	3588	32050adefb91ca7c5a7fecbf86647784.exe	31
PID 3588 wrote to memory of 516	3588	32050adefb91ca7c5a7fecbf86647784.exe	31

C:\Users\Admin\AppData\Local\Temp\32050adefb91ca7c5a7fecbf86647784.exe
"C:\Users\Admin\AppData\Local\Temp\32050adefb91ca7c5a7fecbf86647784.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Program Files (x86)\kk2\kk1\monkeypad.jpg" /ForceBootstrapPaint3D
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1152
- C:\Program Files (x86)\kk2\kk1\iphone.exe
  "C:\Program Files (x86)\kk2\kk1\iphone.exe"
  2⤵
  - Executes dropped EXE
  PID:516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 516
    3⤵
    - Program crash
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\kk2\kk1\bramapod.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:4904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 516 -ip 516
1⤵
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kk2\kk1\bramapod.bat

Filesize
2KB

MD5
d3e2b787c9bb557f868b37a2dda64c82

SHA1
77c7ee948c18f982c3c393f49552024a929a6a35

SHA256
4ce4840298e5362057936d7dc444ba68dc4f2a7a370476e318b8aee892f87ffe

SHA512
db1a37a27bb3e9fc41afcebc08735ec4990f7715ff6935cdad8476726c80a217bb663dbd68ccb780ffe29d5d4e546bdfa8caae8ba655a5f751cd64c9998b3634

Download Submit
C:\Program Files (x86)\kk2\kk1\monkeypad.jpg

Filesize
14KB

MD5
1ce53b5898c48aad343c8c9039aec3d1

SHA1
d38c295815a6f65892d52da1984e1ad5bc342210

SHA256
d36ecb544f4b14858914dd0f00d5b725ae842adb231054de599d45f523b5a7f8

SHA512
a0858dfd4c6018ca47c7a1f5db8019e46b63602ec184556eb001787184ab60c03e496ed1e66f063502b59eeb9964b0f84249b8ab78e34b96360d26b2440210bc

Download Submit
memory/516-72-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/516-70-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1972-67-0x000001D9E8E50000-0x000001D9E8E51000-memory.dmp

Filesize
4KB

Download
memory/1972-65-0x000001D9E8E40000-0x000001D9E8E41000-memory.dmp

Filesize
4KB

Download
memory/1972-66-0x000001D9E8E50000-0x000001D9E8E51000-memory.dmp

Filesize
4KB

Download
memory/1972-64-0x000001D9E8E40000-0x000001D9E8E41000-memory.dmp

Filesize
4KB

Download
memory/1972-63-0x000001D9E8DB0000-0x000001D9E8DB1000-memory.dmp

Filesize
4KB

Download
memory/1972-59-0x000001D9E8D30000-0x000001D9E8D31000-memory.dmp

Filesize
4KB

Download
memory/1972-61-0x000001D9E8DB0000-0x000001D9E8DB1000-memory.dmp

Filesize
4KB

Download
memory/1972-52-0x000001D9E0A60000-0x000001D9E0A70000-memory.dmp

Filesize
64KB

Download
memory/1972-48-0x000001D9E01A0000-0x000001D9E01B0000-memory.dmp

Filesize
64KB

Download
memory/3588-44-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing