782dc9d54eced33b0f21a438cda4df6ddd45ea1aa0f0e70c01cb6cc6fef60663

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

482200f6375925a43a15bc9027fb11b1.exe
Size

42KB
MD5

482200f6375925a43a15bc9027fb11b1
SHA1

7152f198890156a0b96201690b6eb9c57525641d
SHA256

782dc9d54eced33b0f21a438cda4df6ddd45ea1aa0f0e70c01cb6cc6fef60663
SHA512

4c2e65e13ba5616ce6b81cd2d73ad346708c301df775d78fdc30b9e84184230fb56f4cae33361906533bd91f9d1fecd661314c8c0f45cbba7f311009613ce619
SSDEEP

768:pWz+YRpV9NjtBjF+GH6CMADff0rLvjrO4PXJGR6B55ci1vaSd3xoLkDbm:Ez+YdXjLjkGH6CMef0fvHrPlB5WpSsAm

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kkdj3sdf3\ImagePath = "C:\\Windows\\system32\\kkdj3sdf3.exe -j"	482200f6375925a43a15bc9027fb11b1.exe

Executes dropped EXE 1 IoCs

pid	Process
3420	kkdj3sdf3.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kkdj3sdf3.exe	482200f6375925a43a15bc9027fb11b1.exe
File opened for modification	C:\Windows\SysWOW64\kkdj3sdf3.exe	482200f6375925a43a15bc9027fb11b1.exe
File created	C:\Windows\SysWOW64\kkdj3sdf3.exe	kkdj3sdf3.exe
File created	C:\Windows\SysWOW64\kkdj3sdf3.dll	kkdj3sdf3.exe
File created	C:\Windows\SysWOW64\KillMe.bat	482200f6375925a43a15bc9027fb11b1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3420	kkdj3sdf3.exe
3420	kkdj3sdf3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2268	482200f6375925a43a15bc9027fb11b1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2612	2268	482200f6375925a43a15bc9027fb11b1.exe	100
PID 2268 wrote to memory of 2612	2268	482200f6375925a43a15bc9027fb11b1.exe	100
PID 2268 wrote to memory of 2612	2268	482200f6375925a43a15bc9027fb11b1.exe	100

C:\Users\Admin\AppData\Local\Temp\482200f6375925a43a15bc9027fb11b1.exe
"C:\Users\Admin\AppData\Local\Temp\482200f6375925a43a15bc9027fb11b1.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\KillMe.bat
  2⤵
  PID:2612

C:\Windows\SysWOW64\kkdj3sdf3.exe
C:\Windows\SysWOW64\kkdj3sdf3.exe -j
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KillMe.bat

Filesize
211B

MD5
4f2f80ae921c4fb051b84d89b607f7cc

SHA1
be2bbde3459fc26b5a09423a13af23e443387df8

SHA256
3b7f602995d546b7860164560a99e9990698bdb4abe349a9e37a5fd9e3a2ae51

SHA512
5cb85b11d028d6f06f73cee816607a3904205f02837574a495c7b37758d921bc2799621e2282da8b477db63048c126a9b6488a769d72313622c141ea0a3e28d8

Download Submit
C:\Windows\SysWOW64\kkdj3sdf3.exe

Filesize
42KB

MD5
482200f6375925a43a15bc9027fb11b1

SHA1
7152f198890156a0b96201690b6eb9c57525641d

SHA256
782dc9d54eced33b0f21a438cda4df6ddd45ea1aa0f0e70c01cb6cc6fef60663

SHA512
4c2e65e13ba5616ce6b81cd2d73ad346708c301df775d78fdc30b9e84184230fb56f4cae33361906533bd91f9d1fecd661314c8c0f45cbba7f311009613ce619

Download Submit
memory/2268-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2268-1-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2268-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2268-3-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/3420-11-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download