f3c449d522a04ddd64647e147b72f00d087959e5f5bbf497e1ff66d310589632

Analysis

max time kernel
142s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 15:04

Target

kmkob.exe
Size

1.5MB
MD5

f304415571579ccff22972f8b238eb08
SHA1

fe1be35feab28e46192e7857d4840ff51c6df17d
SHA256

f3c449d522a04ddd64647e147b72f00d087959e5f5bbf497e1ff66d310589632
SHA512

911e29eb4f7531d102248fc2ac5a5e41bc17c230d74ad94dfee95989e89a0715246290201ce2cfee31da3c7fb04f3c91b31d79ee6777f8bcf329beea59d1eb71
SSDEEP

24576:LsZEljjaBq0LxdFxlRoNrBFDBQJ0PeeBz9OVseACAIu6iOvIjvr9:LHWBq2xbxlRoRBQJez9Oee5AI9hMvr

Score

8^/10

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	kqubo.exe
File created	C:\Windows\System32\drivers\etc\hosts	kqubo.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.ics	kqubo.exe
File created	C:\Windows\System32\drivers\etc\hosts.ics	kqubo.exe

Deletes itself 1 IoCs

pid	Process
1388	kqubo.exe

Executes dropped EXE 1 IoCs

pid	Process
1388	kqubo.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 1388	3892	kmkob.exe	85
PID 3892 wrote to memory of 1388	3892	kmkob.exe	85
PID 3892 wrote to memory of 1388	3892	kmkob.exe	85

C:\Users\Admin\AppData\Local\Temp\kmkob.exe
"C:\Users\Admin\AppData\Local\Temp\kmkob.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\kqubo.exe
  "C:\Users\Admin\AppData\Local\Temp\kmkob.exe"
  2⤵
  - Drops file in Drivers directory
  - Deletes itself
  - Executes dropped EXE
  PID:1388

C:\Users\Admin\AppData\Local\Temp\kqubo.exe

Filesize
312KB

MD5
dfbf1d7d0b35100c6bd8d9d964ca6da6

SHA1
e48d452f2fe6abcb6c93a2f3a2d1f78648a7bd0a

SHA256
f6d54399590169b31ce64137de806b32a902644ee40f71e98c8becec5fa99eaa

SHA512
aa84a1be96fd088a9c32e7a69f7bb13d06457307e50e0f220556782313cb23bb6f5642a9b62212015bb41bf33ae75d181d9d7c0967b59d4162883c346bec871f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqubo.exe

Filesize
226KB

MD5
06d85840a40f5123f55c0d206ff1dd47

SHA1
0d27b73fd847a8b60b24478ab4a45fe15f8aa94a

SHA256
3c8e5083da6348d900dfb2c333e022a7a67bcb42d18c70daf7d809c500168bc7

SHA512
96ff6dad4973f7564d4f21ee867aa88b81c53d32ca9bd5ae2d74096b698b12625bad0c23e83c67956f357846a2cb063ca24c05e893e4deaef60475de44224001

Download Submit
memory/1388-8-0x0000000000D50000-0x0000000001108000-memory.dmp

Filesize
3.7MB

Download
memory/1388-15-0x0000000000D50000-0x0000000001108000-memory.dmp

Filesize
3.7MB

Download
memory/3892-0-0x0000000000530000-0x00000000008E8000-memory.dmp

Filesize
3.7MB

Download
memory/3892-6-0x0000000000530000-0x00000000008E8000-memory.dmp

Filesize
3.7MB

Download