e7548b46d7f8fd80168a791e02954e884e822518461a255608339d1c27f2eba1

Analysis

max time kernel
156s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72f2c0d0219a96d4d58e2b2318488ed4.exe
Size

1.5MB
MD5

72f2c0d0219a96d4d58e2b2318488ed4
SHA1

e6b5dd941ce68bb1e4f4e034499cc0659e106a2c
SHA256

e7548b46d7f8fd80168a791e02954e884e822518461a255608339d1c27f2eba1
SHA512

45729283436c548acd6b2510748091560c5a1e6b51c00c8078327c86370e6340298bf8e73c91bd9214d0648b38be68ba5584374f7957f49fb162b8a605d9403b
SSDEEP

24576:IQtwG88Y4oykSHC+IAW3kp+dpLB0rHi2Y0GQzTVxYrNZj8/qKDV:IADZY5ykeC+IAW3kypN0rC2KKVxqWDV

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3540	KSWebShield.exe
4960	KSWebShield.exe
3024	KSWebShield.exe
4164	KSWebShield.exe

Loads dropped DLL 7 IoCs

pid	Process
3024	KSWebShield.exe
4164	KSWebShield.exe
4164	KSWebShield.exe
4164	KSWebShield.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3688-0-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/3688-1-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/3688-82-0x0000000000400000-0x00000000004B3000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3688-82-0x0000000000400000-0x00000000004B3000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
3688	72f2c0d0219a96d4d58e2b2318488ed4.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3540	KSWebShield.exe
Token: SeDebugPrivilege	4960	KSWebShield.exe
Token: SeDebugPrivilege	3024	KSWebShield.exe
Token: 33	3024	KSWebShield.exe
Token: SeIncBasePriorityPrivilege	3024	KSWebShield.exe
Token: SeDebugPrivilege	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
Token: SeDebugPrivilege	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe
Token: SeDebugPrivilege	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4164	KSWebShield.exe
4164	KSWebShield.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 1940	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	88
PID 3688 wrote to memory of 1940	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	88
PID 3688 wrote to memory of 1940	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	88
PID 1940 wrote to memory of 3540	1940	cmd.exe	90
PID 1940 wrote to memory of 3540	1940	cmd.exe	90
PID 1940 wrote to memory of 3540	1940	cmd.exe	90
PID 1940 wrote to memory of 4960	1940	cmd.exe	91
PID 1940 wrote to memory of 4960	1940	cmd.exe	91
PID 1940 wrote to memory of 4960	1940	cmd.exe	91
PID 3024 wrote to memory of 4164	3024	KSWebShield.exe	93
PID 3024 wrote to memory of 4164	3024	KSWebShield.exe	93
PID 3024 wrote to memory of 4164	3024	KSWebShield.exe	93
PID 3688 wrote to memory of 3464	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	32
PID 3688 wrote to memory of 3464	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	32
PID 3688 wrote to memory of 628	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	3
PID 3688 wrote to memory of 628	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	3
PID 3688 wrote to memory of 3464	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	32
PID 3688 wrote to memory of 3464	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	32
PID 3688 wrote to memory of 628	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	3
PID 3688 wrote to memory of 628	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	3
PID 3688 wrote to memory of 3644	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	95
PID 3688 wrote to memory of 3644	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	95
PID 3688 wrote to memory of 3644	3688	72f2c0d0219a96d4d58e2b2318488ed4.exe	95

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\72f2c0d0219a96d4d58e2b2318488ed4.exe
  "C:\Users\Admin\AppData\Local\Temp\72f2c0d0219a96d4d58e2b2318488ed4.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C 1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\ProgramData\Ksn\KSWebShield.exe
      KSWebShield.exe -install
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3540
  - - C:\ProgramData\Ksn\KSWebShield.exe
      KSWebShield.exe -start
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1.bat
    3⤵
    PID:3644

C:\ProgramData\Ksn\KSWebShield.exe
C:\ProgramData\Ksn\KSWebShield.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\ProgramData\Ksn\KSWebShield.exe
  C:\ProgramData\Ksn\KSWebShield.exe -run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Ksn\KSWebShield.exe

Filesize
197KB

MD5
2bcfdc7e51a9c556e5fb04e4d02fed39

SHA1
33e6eca60078affa733c2300605c91adddf992b0

SHA256
ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

SHA512
86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

Download Submit
C:\ProgramData\Ksn\KWSSVC.log

Filesize
202B

MD5
ad0f035a908a52cd2ff88a9af008f7c7

SHA1
c5ff033c7ab9fbf8a3c8cdf89949665a633b3206

SHA256
763d1247855a0f118870f1736c3350a13c95c8ddab5609d827098614be2aa00d

SHA512
6ae271c26aaf787f7a7ef7f65360de158f8bc95f78b01da1a3fdb976d73e7b2e277f0952385cee2fc0f7e0f875fe27a618ae540458528c356db93138c2957499

Download Submit
C:\ProgramData\Ksn\KWSSVC.log

Filesize
296B

MD5
468872ab4fe6b1b93edf80e65b49774f

SHA1
4df6e924e646c846fc5801ee309309a4ed773365

SHA256
0b5a7c011c06bbf5d5a4f36bdca8cdcb5bdc49e33d37b625aa70287f57f670f8

SHA512
b003c760fafdd283fc02d3c152e630eafd224eb8929443f8d8598cc5b49dc3b5e8c3510ea8c38b03354e56e86e547b4de3a46fa56e7acb752d252cd3619fc89d

Download Submit
C:\ProgramData\Ksn\KWSSVC.log

Filesize
546B

MD5
2f12ab915748a39fabfe445a5cb93553

SHA1
cdef6ae458a953f05a2c128cf102417df7e00d98

SHA256
e0f02243d641795bbccf57208e55116870e33e8209e705667fc4a4c45edbe68b

SHA512
a0c01cd87e0969ab2e6097961e8595e8f1e06fc70d9e6f7fb9e222d61c89808a3ca7e20be24954a88631fcd93092bbe46f8836d25dfc669bcc4bcf2f1dc846d2

Download Submit
C:\ProgramData\Ksn\kswebshield.dll

Filesize
437KB

MD5
0b629e4318e64a6ab7e2c43ad6cc3e83

SHA1
27e835072fb85614f49e7cd586f64bd10bfcd497

SHA256
41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

SHA512
298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

Download Submit
C:\ProgramData\Ksn\kwssp.dll

Filesize
633KB

MD5
8c8dc085ab24bd23b77f146c78c8ff14

SHA1
3c01f9a5338fec055dd2fea36e468d160420a0b8

SHA256
ee50170b1c1829b98b647ea81d286f8a3630de1737be914ea02c409f1da1c217

SHA512
4754af26541d1737c8bae42a89c16570618b5bb5a44a4812f5e9819c852a2c6e235a9111bae98008037e94c614f4aabcf5166d041dce6e16be30683e80a1990c

Download Submit
C:\ProgramData\Ksn\kwsui.dll

Filesize
457KB

MD5
272764640b4b296e13c7c136cfbaaca2

SHA1
8c4f405469d370db5270c64f119d5b5ba0eece4e

SHA256
50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

SHA512
97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

Download Submit
C:\ProgramData\kingsoft\kws\kws.ini

Filesize
446B

MD5
186a37ecc97bacb5f2e07c3b229d9860

SHA1
250d11778172d6c482719cb3232e1e927ad37344

SHA256
272085c1329a1f4994f608059155f75753b3ffa8cf78d51b29555244a00691a2

SHA512
ed897ae28126f721204aa47898524d4ad6827e87f689fced7ee1506b02389abaef818242e7accc96178737bdb8551526051203a91bb3aa59fd074a73bed2e92a

Download Submit
C:\ProgramData\kingsoft\kws\spitesp.dat

Filesize
71B

MD5
68e770ef3116fb6fb8e21b9e141a41a7

SHA1
58ceea7ab0c119487830697be04efb4fddc524be

SHA256
a149c7a63f601b690d1dc97c6aea093d14b14991cf22f5f55995da7e4186c523

SHA512
788d537bd1c0a30bea47d8c2dfc79fa23976341a9765b766847242a158a1ef6123bf238f2f4cc5669b5939dc8d5b8e5e07e8cb3d78ea3442fcd8403bd7b9c0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
427B

MD5
6f710bb93e7085ea29f4a514fa2855ed

SHA1
7b15ffef7428d9b7b9b8e954014184d76736d8a9

SHA256
eca3e5334e3e3021fd5a64746b5803fe0a61fa292ae4f94fd619c8c40838e179

SHA512
b1849ad6af8f581558d276ed016eabb25ed17214398977db557b6dd8ea534afed5398341408481446a9590d1af84b13e4406505a2b190bc47dba8b4434c44f12

Download Submit
memory/3688-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3688-1-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3688-60-0x0000000004210000-0x0000000004280000-memory.dmp

Filesize
448KB

Download
memory/3688-74-0x0000000004210000-0x0000000004280000-memory.dmp

Filesize
448KB

Download
memory/3688-82-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3688-83-0x0000000004210000-0x0000000004280000-memory.dmp

Filesize
448KB

Download
memory/4164-53-0x00000000020C0000-0x0000000002130000-memory.dmp

Filesize
448KB

Download