Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
09-01-2024 12:06
General
-
Target
4e430563a138c5fd55d7f7a7ea561806.exe
-
Size
2.0MB
-
MD5
4e430563a138c5fd55d7f7a7ea561806
-
SHA1
58a2f0061dc12629ea6a8113b1ee78fd4703c93a
-
SHA256
9a9e962f5ffbf83bcd4c4e75a968986d77bddeb11fea7e74534673e93e99c20e
-
SHA512
2ca274c002ebb6fba19d8cc043e0f758d1498c37b4970e351ce0d0ac60fa9b858213f2d475629778b6996014f1ee8d7b71a8153aaee483d97660713ca530cb4f
-
SSDEEP
49152:ACOxOJTYTGDqc6dGomH6gOT9dkwZMfxPUTqn9ic6f:HOx0pD36wo0f+hS30cc
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs ping.exe 1 TTPs 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e430563a138c5fd55d7f7a7ea561806.exe"C:\Users\Admin\AppData\Local\Temp\4e430563a138c5fd55d7f7a7ea561806.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\mightkak.exemightkak.exe -on "hklm\SYSTEM\CurrentControlSet\Control\Session Manager" -ot reg -actn ace -ace "n:todos;p:full" -ace "n:todos;p:create_subkey;m:deny;i:np"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\regedit.exeregedit /S c:\Windows\mightkak.reg2⤵
- Runs .reg file with regedit
-
-
C:\Windows\mightkak.exemightkak.exe -on "hklm\SYSTEM\CurrentControlSet\Control\Session Manager" -ot reg -actn ace -ace "n:todos;p:full" -ace "n:system;p:create_subkey;m:deny;i:np"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c c:\windows\system32\tmp0101.bat2⤵
- Deletes itself
- Loads dropped DLL
-
C:\Windows\SysWOW64\PING.EXEPING -n 3 -w 0003⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\wbem\systray.exeC:\Windows\system32\wbem\systray.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\PING.EXEPING -n 3 -w 0003⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0003⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0003⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0003⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0003⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia4 /tr c:\windows\kak2.bat /sc ONLOGON /ru system2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia3 /tr c:\windows\kak2.bat /sc onstart /ru system2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia2 /tr c:\windows\kak.bat /sc ONLOGON /ru system2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia /tr c:\windows\kak.bat /sc onstart /ru system2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.execmd /c c:\windows\kak.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\downlo~1\gbiehuni.dll3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\downlo~1\gbiehabn.dll3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\downlo~1\gbiehcef.dll3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehuni.dll3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehabn.dll3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehcef.dll3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbpdist.dll3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbpsv.exe3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\scpLIB.dll3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\scpMIB.dll3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbiehuni.dll /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbiehcef.dll /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbiehabn.dll /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\uni.gpc /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\uni.gpc /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\scpsssh2.dll /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\kak.bat /G todos:F3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\sshib.dll /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\scpMIB.dll /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\scpLIB.dll /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\Cef.gpc /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\gbiehcef.dll /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\gbiehabn.dll /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\gbiehuni.dll /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbpsv.exe /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbpdist.dll /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\Cef.gpc /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\GbpSv.exe /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\bb.gpc /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbieh.gmd /D todos3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbieh.dll /D todos3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\sshib.dll3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\scpsssh2.dll3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c c:\windows\kak2.bat2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\kak.bat /G todos:F1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbieh.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\system32\scpsssh2.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbieh.gmd1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\cef.gpc1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\bb.gpc1⤵
-
C:\Windows\mightkak.exemightkak.exe -on "hklm\SYSTEM\CurrentControlSet\Control\Session Manager" -ot reg -actn ace -ace "n:todos;p:full" -ace "n:system;p:create_subkey;m:deny;i:np"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\bb.gpc1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbieh.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\downlo~1\gbiehcef.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehcef.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbpsv.exe1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\scpsssh2.dll1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbieh.gmd /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\GbpSv.exe /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbpsv.exe /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\Cef.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\scpLIB.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\kak.bat /G todos:F1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\sshib.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\scpsssh2.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\scpMIB.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\uni.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\gbiehcef.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\gbiehabn.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\gbiehuni.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbpdist.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\uni.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\Cef.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbiehcef.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbiehabn.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbiehuni.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\bb.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbieh.dll /D todos1⤵
-
C:\Windows\SysWOW64\PING.EXEPING -n 3 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 3 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\sshib.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\scpMIB.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\scpLIB.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbpdist.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehabn.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehuni.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\downlo~1\gbiehabn.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\downlo~1\gbiehuni.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\system32\scpsssh2.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbieh.gmd1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\cef.gpc1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\kak.bat /G todos:F1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c c:\windows\system32\tmp0101.bat1⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia4 /tr c:\windows\kak2.bat /sc ONLOGON /ru system1⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia3 /tr c:\windows\kak2.bat /sc onstart /ru system1⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia2 /tr c:\windows\kak.bat /sc ONLOGON /ru system1⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia /tr c:\windows\kak.bat /sc onstart /ru system1⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.execmd /c c:\windows\kak.bat1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c c:\windows\kak2.bat1⤵
-
C:\Windows\SysWOW64\regedit.exeregedit /S c:\Windows\mightkak.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\mightkak.exemightkak.exe -on "hklm\SYSTEM\CurrentControlSet\Control\Session Manager" -ot reg -actn ace -ace "n:todos;p:full" -ace "n:todos;p:create_subkey;m:deny;i:np"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3B
MD5dcf2024ce15b54188e9de12e855fc761
SHA1faae2c0b81dda269ffad17fbbd86e370f7890528
SHA256f7217e671e4f819bc69da9d1a2d3683c26a327473bc5623a81aaaf59362bcd6e
SHA5121919d049fef030430aa17fedd80a28e95db16ca00374737021a4d2024253a0ec8657019b3e40b33ef165e192412a4fc5b0e5e4619f8077a13664d7744c739fdf
-
Filesize
493B
MD5c087e83ceba28662eea05be5469de35a
SHA1e0976223a768eefe8f398db3e4cf997e3185d6ef
SHA2560436751f6bd854039bbee6e629a44ff6fca19923249c873acdae6c0892fc43ea
SHA5123781edeb7138394da10ea9d58db3bc0ec5b760127a75bd915b7bc85b874ee8a1289ccaa65bc801d396c3960cff15e2857003ce45a71cef0bea3736b7e2f5a018
-
Filesize
136KB
MD576f018fea52ffd9a64f0736e70454f53
SHA1af4c71d80edcfb7a51c84b5aa2df4473405415e4
SHA256d75b55f38cbc966c2a4fa161a44e90a9cf202d1a1f1fb3349ace857f0b00f2ff
SHA512e9f15ea41930ac4160940891851c7d45f4e095112fe01a744bc860b4537bdf6fa8f65567d8ece6e66a2432e23039b4b7aaadb46c0923110fc16e180debfb020e
-
Filesize
252KB
MD519bb0722fdbeb638df3b66b1ac1552f1
SHA17d9f036a3b49b9b9c6b0eb41b789837e188a8da0
SHA2564c3e18a58be2b15784a3460c7d49f1b50755dd3ccef8003d15aa7b2ae847e748
SHA512169a3da36cc749f12812a1ab625da622042567aad0ecebbf6fc10848ccd1cb136c5182941120d7c92881ef488a2b8b559392117cfd2050f3ecde54bad7cdb36f
-
Filesize
39KB
MD55dabfc06b6f95be78f9a8035dc5222a8
SHA1db27ad18e333c3355f526b66821434ade1ec6cff
SHA256e30928bfa743c4ef5ad95337af6e135208e3e3b75248e384208af7f130538a84
SHA512fe818ca83e1bb8c6a5155a1d66c09f957c4a0699f358d427bd261b1da031f9671ba23d118f467d549eefb19aabb4a83fa3e7566ae67950dbd1fdf7c0a20477eb
-
Filesize
463B
MD5c3248e0f422299116834542e27cd3f45
SHA1fcd5cfce031703b8d65ae6b5f27d821e5f453ed8
SHA2566f12a34c4bf70d37b597fa0d06019ab53a596551c33ece15e1f0a446a8b59dcc
SHA5123531071d8ff589b16719e824cc947de112208ebfbfff265ec384d967616dd07b0c061126726e46e1c5acce7e1a0825edebe073d1c297d77985042c452c90b027
-
Filesize
2KB
MD50e0cc25778021a8066b33281fd7979de
SHA13fb2272e50ccb40f1d8c742fe9f8db4e2fbdbf53
SHA256f2d959e38c6b759cf84d8342bcc810211d635706ecd5f4a2fede2bdd64591641
SHA5129b80301100a24050497a02ccfbf2815c3b7262db494b99d0689a3ae9559231dd17df2630a35edaf693c4963ead71c6dc008448b144b17a23e8e83b9150d4cbb3
-
Filesize
60B
MD5d4c455e4e7e187673e5d7059d52d559a
SHA1d7230bb387bca90367de1f377b0089e6004733a1
SHA256f2d3c4687c6e41f462be4ea4880ae43afdf96e34603abef5d051f303a8855b76
SHA5123d7b0f0b22188bcb494edcda43de22389f3285e2e0499030860dfd9361fc4d15ab410c5aae947433bc5f58c86750d67d8226c014d39d8b807fc96be3cbf74457
-
Filesize
177KB
MD50993ea024af48638bb18f843d35c0fd5
SHA17c7f7ae7af8be2bec0965a226daeb745532c4129
SHA256eae7b2b6b0bc36e0624be13ee1079270f61e9bc79a449c403cf4a345d11b9090
SHA5128710878e7e99378ddcc95e447a97a9187a83ad972aea64876271afc4039bd4d9747e784a28c653bba749b76b9c600c71b06dc5eba3cfde921602c7fd52c317d2
-
Filesize
4KB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
15.7MB
-
Filesize
4KB
-
Filesize
15.7MB
-
Filesize
28KB
-
Filesize
15.7MB
-
Filesize
15.7MB