e7548b46d7f8fd80168a791e02954e884e822518461a255608339d1c27f2eba1

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72f2c0d0219a96d4d58e2b2318488ed4.exe
Size

1.5MB
MD5

72f2c0d0219a96d4d58e2b2318488ed4
SHA1

e6b5dd941ce68bb1e4f4e034499cc0659e106a2c
SHA256

e7548b46d7f8fd80168a791e02954e884e822518461a255608339d1c27f2eba1
SHA512

45729283436c548acd6b2510748091560c5a1e6b51c00c8078327c86370e6340298bf8e73c91bd9214d0648b38be68ba5584374f7957f49fb162b8a605d9403b
SSDEEP

24576:IQtwG88Y4oykSHC+IAW3kp+dpLB0rHi2Y0GQzTVxYrNZj8/qKDV:IADZY5ykeC+IAW3kypN0rC2KKVxqWDV

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2784	KSWebShield.exe
2092	KSWebShield.exe
2024	KSWebShield.exe
2548	KSWebShield.exe

Loads dropped DLL 9 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2024	KSWebShield.exe
2548	KSWebShield.exe
2548	KSWebShield.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2532-0-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/memory/2532-97-0x0000000000400000-0x00000000004B3000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2532-97-0x0000000000400000-0x00000000004B3000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
2532	72f2c0d0219a96d4d58e2b2318488ed4.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	KSWebShield.exe
Token: SeDebugPrivilege	2092	KSWebShield.exe
Token: SeDebugPrivilege	2024	KSWebShield.exe
Token: 33	2024	KSWebShield.exe
Token: SeIncBasePriorityPrivilege	2024	KSWebShield.exe
Token: SeDebugPrivilege	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
Token: SeDebugPrivilege	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe
Token: SeDebugPrivilege	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2548	KSWebShield.exe
2548	KSWebShield.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2732	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	28
PID 2532 wrote to memory of 2732	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	28
PID 2532 wrote to memory of 2732	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	28
PID 2532 wrote to memory of 2732	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	28
PID 2732 wrote to memory of 2784	2732	cmd.exe	30
PID 2732 wrote to memory of 2784	2732	cmd.exe	30
PID 2732 wrote to memory of 2784	2732	cmd.exe	30
PID 2732 wrote to memory of 2784	2732	cmd.exe	30
PID 2732 wrote to memory of 2092	2732	cmd.exe	31
PID 2732 wrote to memory of 2092	2732	cmd.exe	31
PID 2732 wrote to memory of 2092	2732	cmd.exe	31
PID 2732 wrote to memory of 2092	2732	cmd.exe	31
PID 2024 wrote to memory of 2548	2024	KSWebShield.exe	33
PID 2024 wrote to memory of 2548	2024	KSWebShield.exe	33
PID 2024 wrote to memory of 2548	2024	KSWebShield.exe	33
PID 2024 wrote to memory of 2548	2024	KSWebShield.exe	33
PID 2532 wrote to memory of 1252	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	22
PID 2532 wrote to memory of 1252	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	22
PID 2532 wrote to memory of 424	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	3
PID 2532 wrote to memory of 424	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	3
PID 2532 wrote to memory of 1252	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	22
PID 2532 wrote to memory of 1252	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	22
PID 2532 wrote to memory of 424	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	3
PID 2532 wrote to memory of 424	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	3
PID 2532 wrote to memory of 1128	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	35
PID 2532 wrote to memory of 1128	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	35
PID 2532 wrote to memory of 1128	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	35
PID 2532 wrote to memory of 1128	2532	72f2c0d0219a96d4d58e2b2318488ed4.exe	35

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\72f2c0d0219a96d4d58e2b2318488ed4.exe
  "C:\Users\Admin\AppData\Local\Temp\72f2c0d0219a96d4d58e2b2318488ed4.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C 1.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\ProgramData\Ksn\KSWebShield.exe
      KSWebShield.exe -install
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2784
  - - C:\ProgramData\Ksn\KSWebShield.exe
      KSWebShield.exe -start
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\1.bat
    3⤵
    PID:1128

C:\ProgramData\Ksn\KSWebShield.exe
C:\ProgramData\Ksn\KSWebShield.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\ProgramData\Ksn\KSWebShield.exe
  C:\ProgramData\Ksn\KSWebShield.exe -run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Ksn\1.bat

Filesize
50B

MD5
461f5f7c86789523ff09ca0abfe7b890

SHA1
0dcc8a8b9d3c5dc709c69f6ac5cf24f1a302ca01

SHA256
8bab8122f6ea4defd7648e8ea4d91defb8813bd2111535f6e42441db21cbbd01

SHA512
e9d5b9ebb88c82174ccfde778039ee8dcb6c98e6d511c748829144c8f1ecf07fc5dfcd20436b25eff20841ec08fcdfb7c66ae4f0ae103169214c9d830adc4188

Download Submit
C:\ProgramData\Ksn\KWSSVC.log

Filesize
202B

MD5
fd9cbd5e18719dd5000d5f4e203cb258

SHA1
d10dbafece88ee1be1c875c7bfb79ec5c0b7f3d0

SHA256
258faef5532717c64bb866aa8367657c39297f5801ea8b820a55ca88ca55cbb6

SHA512
67388816f672c952bab3081c22ef00070158d5ca34bc3f53a034e1e4b5992f2cd720a2da69fb03a64fef7dbac8ba29409d89538d6d3be225761cb298b37076ad

Download Submit
C:\ProgramData\Ksn\KWSSVC.log

Filesize
296B

MD5
4824ed167a767c74e38c297ead0361ae

SHA1
494364946b6cbbf693b2af114892079bce935bb4

SHA256
e486360e0a92b7c9843e9c252fc14843faba9125deffcff2556d86cc65658e5f

SHA512
db25092c3ca81a8d50076029517eead0d253c6246b44b165af32d8616ea8617d0db9288b4ad2ff91f2e9e67feb04d41ccd62505acd752920ff16a41882c84bd8

Download Submit
C:\ProgramData\Ksn\KWSSVC.log

Filesize
546B

MD5
5e371e37045b5fd98ced7b74b8dedd8e

SHA1
51968a3a416fbdf146a43466bf73d2bcf81dce0a

SHA256
88dea586e436c689b4c2cba4ed67975520a27785bb95a05b4be7870b9e60f559

SHA512
6408e73a862bca5c933594bf412cc3b7bb1a96afdba0d0918d4ee63c316c8f80625aaeb2ad59d1ca9c49904e48a25699ee3a3352a30ace42f53c9d87fb16a2b3

Download Submit
C:\ProgramData\Ksn\kwssp.dll

Filesize
633KB

MD5
8c8dc085ab24bd23b77f146c78c8ff14

SHA1
3c01f9a5338fec055dd2fea36e468d160420a0b8

SHA256
ee50170b1c1829b98b647ea81d286f8a3630de1737be914ea02c409f1da1c217

SHA512
4754af26541d1737c8bae42a89c16570618b5bb5a44a4812f5e9819c852a2c6e235a9111bae98008037e94c614f4aabcf5166d041dce6e16be30683e80a1990c

Download Submit
C:\ProgramData\kingsoft\kws\kws.ini

Filesize
57B

MD5
dfb202edae2fbb1c1566fee62e1e1535

SHA1
32ef53037441b6956d432d8d219071435b747ee6

SHA256
90572957c29b8bd17203c5cb2c03c682b303c8a3252cea17939e8db953fd2368

SHA512
26d4b1ffc43aa8966133c433c0403549d4495e04f33b1e3706f48152042124d0ab18806a6e28afd9ef524d221aeadf4204be06433338d5e811cac4dfd8974b3f

Download Submit
C:\ProgramData\kingsoft\kws\kws.ini

Filesize
446B

MD5
186a37ecc97bacb5f2e07c3b229d9860

SHA1
250d11778172d6c482719cb3232e1e927ad37344

SHA256
272085c1329a1f4994f608059155f75753b3ffa8cf78d51b29555244a00691a2

SHA512
ed897ae28126f721204aa47898524d4ad6827e87f689fced7ee1506b02389abaef818242e7accc96178737bdb8551526051203a91bb3aa59fd074a73bed2e92a

Download Submit
C:\ProgramData\kingsoft\kws\spitesp.dat

Filesize
71B

MD5
68e770ef3116fb6fb8e21b9e141a41a7

SHA1
58ceea7ab0c119487830697be04efb4fddc524be

SHA256
a149c7a63f601b690d1dc97c6aea093d14b14991cf22f5f55995da7e4186c523

SHA512
788d537bd1c0a30bea47d8c2dfc79fa23976341a9765b766847242a158a1ef6123bf238f2f4cc5669b5939dc8d5b8e5e07e8cb3d78ea3442fcd8403bd7b9c0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
106B

MD5
c9beeb4d38b000fb99082dc5149c8ff1

SHA1
7e4e3ad68b415e4611ee2bf961cc7b6059b8d5f6

SHA256
6e5b24747493fcb5f1f707f78f6b41530c8e769ed36a61d8b7fdb0ae50576f8e

SHA512
c6cb8b55f1bf2c5c09e6f743394fc909cf3e3c34b3d6906d33ed6325d804a41a4c8f68bed0f8d487098028e55500b2cbaa80da2f3bd2b6633403c9b5369a9342

Download Submit
\ProgramData\Ksn\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
\ProgramData\Ksn\kswebshield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
\ProgramData\Ksn\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
memory/1252-76-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/2532-74-0x0000000003230000-0x00000000032A0000-memory.dmp

Filesize
448KB

Download
memory/2532-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2532-59-0x0000000003230000-0x00000000032A0000-memory.dmp

Filesize
448KB

Download
memory/2532-97-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2532-99-0x0000000003230000-0x00000000032A0000-memory.dmp

Filesize
448KB

Download
memory/2548-53-0x0000000000240000-0x00000000002B0000-memory.dmp

Filesize
448KB

Download