Analysis

  • max time kernel
    149s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-02-2024 20:40

General

  • Target

    ka6ber.exe

  • Size

    561KB

  • MD5

    b3027dffa9bbac7e1999223cf737200b

  • SHA1

    04f7be390d135405b5d1925b205c0c871301b522

  • SHA256

    79f6b4271df1773fff40117e4d3b5dcee71e2ec149d749541d0160e2873b88eb

  • SHA512

    4bbc090301c821f3fa8f008d4e1262a80b00b0f36fdb365bb76b78f4d679789cc4b30dcb8b4008730492312d5d93eb55de44cbae5bcb2368c63f2373613c6109

  • SSDEEP

    12288:GP7CFdIekSytTtTcZ5Oz6Y147em6cZLxd9f0OimJfL:u7CIiCtTcPV7lL1jxlL

Malware Config

Signatures

  • UPX packed file (16 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 49 IoCs)
  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Runs .reg file with regedit (49 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ka6ber.exe
    "C:\Users\Admin\AppData\Local\Temp\ka6ber.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Local\Temp\norton.exe
      "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
      2⤵
        PID:2172
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2076
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2968
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:3032
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:768
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:584
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1868
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1980
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2060
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2248
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1552
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1656
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2160
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2428
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1252
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:996
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1716
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2516
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2240
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2124
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2868
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2720
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1356
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2732
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2592
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2492
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1232
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2972
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:3060
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2316
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2852
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2320
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2836
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2012
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1668
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1580
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2104
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1740
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2892
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1676
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:772
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1108
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1568
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:924
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2060
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2372
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1552
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1044
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1056
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s org.reg
        2⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:2428

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\o1o2o3o4

      Filesize

      2KB

      MD5

      ddd6182018e46e7014637d06accfd629

      SHA1

      a44075c41515eaea3e0d551642e113a75640fb6f

      SHA256

      f9eb4875406e86f56447510b6b48c90ced438ff6b0ccd928d0703b1c7cdf85d2

      SHA512

      7ad1d7559a9496e738f70edb0c4af7bd45b893ace7c18f12e7c9dfb7944462255f40654640aebfcfb1f5930d24d8c85d041d44600b09a40e1bd89932a3acad94

    • C:\Users\Admin\AppData\Local\Temp\o1o2o3o4

      Filesize

      2KB

      MD5

      a8706dbcb096323e00a0c140a70ab6fe

      SHA1

      a8aea12473dd4890f41ef5038b534b043ec31c49

      SHA256

      9168cfe12ff35d2ebe2443b06e0794f8ecd203deeb1bc5f7641f5550d5e806da

      SHA512

      ae6743e0b0e37b7040a2a63f58cfadad7ffa061ca9b0bb93acc105cec0791433620fdf8ec04da068b731147893b51ba88d589a594fce39b1f9f4137965b0476e

    • C:\Users\Admin\AppData\Local\Temp\o1o2o3o4

      Filesize

      2KB

      MD5

      c42c6aec3a7e77dc835762e07d1f63a6

      SHA1

      2d05adc3c157ef34dbf2d1e974dd53a01d77855b

      SHA256

      602b3880c21ee9f8a30de1ff88aa8155884ca8b338bf9fa8278b1bb1a85d5277

      SHA512

      67e85b0a8ec1816862a0defbc9b86adab77627d25eca86e273b575851727cfbf12f88e71ea860c33449354657a3c64b9134fb7eeeafe9e58bbd64054b0ba0e58

    • C:\Users\Admin\AppData\Local\Temp\o1o2o3o4

      Filesize

      2KB

      MD5

      b748fdba5fc832c0f5285bafae6ba415

      SHA1

      6b02bc48b0612a6d1197e6b0e5c14a19f6500458

      SHA256

      93372385f92c64c14c6464ed35fd47bc44ac2073679ce9eb8d34e15fe5f93174

      SHA512

      840ec69f286334017e5bf999572ac1da6191b37489b980f4e86bfa9d43301746e74a3609b38f5cf2e106757958f94a76bf6364b8bbdf15deba50d3b445044325

    • C:\Users\Admin\AppData\Local\Temp\org.reg

      Filesize

      143B

      MD5

      0953624657209297b2ce4f1ccd89be44

      SHA1

      08e83ccfd0c164774a7b8ed4d4bf023eb39d5b6c

      SHA256

      d3ec8c767a5e5be2c2f53b6f8e9080b42e38524e4c746b058ad2ef2e04c07ff5

      SHA512

      b82d843f46f25ecbfa21826b3dfac67735d78fcd704cc807d3878ac11ea7d3f90d061ab23d8bda74d734d5bca11171f6c201e38a66c897d6a092dd548a73c988

    • C:\Users\Admin\AppData\Local\Temp\org.reg

      Filesize

      286B

      MD5

      b07256e23013dc4555d2aceb8b7caf0f

      SHA1

      9d21bdada1e93d3b29343fd341675c5466721fdd

      SHA256

      85a61cec94852847df76f9d88410372d19a6d3cb2395a16324f046f6e0f6e5ca

      SHA512

      ee2d6d7022658726119e9d30811fd59c62748a860b89c28a3bf9a4250527558e06d4e4850fc1ef2aba35afff3fb8b05459d5a402b93f6ef509de88a5f39d28d5

    • C:\Users\Admin\AppData\Local\Temp\org.reg

      Filesize

      78B

      MD5

      8486f938bd4b5f19b99deaa3adf11cc6

      SHA1

      f2e3d4d6c079aca6e6c65321746f5c3821e61c5b

      SHA256

      f787297d7fe98a19a173dde83d5c5379629162a587304be466f1bb699362aa1e

      SHA512

      9ae5f48301e18b2d506616d351fe81dc94d9bb75bd7f7b98b765c8f591627e68ae474eecf2611e61a355dcacbebb29e0074731d4917753f3de9c2c29d99e17a2

    • memory/2928-244-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-291-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-226-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-231-0x0000000000690000-0x00000000006A0000-memory.dmp

      Filesize

      64KB

    • memory/2928-211-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-0-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-258-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-158-0x0000000000690000-0x00000000006A0000-memory.dmp

      Filesize

      64KB

    • memory/2928-272-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-225-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-304-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-318-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-336-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-350-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-364-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-383-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-396-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

    • memory/2928-410-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB