c024b1cfe6e785a5dfadaac3ae967552ad9c899fd01a1eda80d4eddecaaecc16

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf745977f9eaee8aa6a47cdfae600331.exe
Size

11KB
MD5

bf745977f9eaee8aa6a47cdfae600331
SHA1

fd7b5322bd48d65b8825b09c633c904622c7045e
SHA256

c024b1cfe6e785a5dfadaac3ae967552ad9c899fd01a1eda80d4eddecaaecc16
SHA512

04070ca19809de33382d8fb9852f34dc54d0919bec41ae08ca9e02697ad700738c5a03ecf0623e813358856c24041fd336629e887196b40a06afa95aee500864
SSDEEP

192:E2AXq1se/llMlD02kHYHLZ+w0pu9OzPKF1WhSQgh9Y7ERa9xrGsS:Jwq1sglMy2kIZ+w0pu9OzCF1Wo127+aw

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2920	kandofnk.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	bf745977f9eaee8aa6a47cdfae600331.exe
2064	bf745977f9eaee8aa6a47cdfae600331.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2064-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000d000000015d59-3.dat	upx
behavioral1/memory/2920-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2064-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kandofnk.exe	bf745977f9eaee8aa6a47cdfae600331.exe
File opened for modification	C:\Windows\SysWOW64\kandofnk.exe	bf745977f9eaee8aa6a47cdfae600331.exe
File created	C:\Windows\SysWOW64\kandofn.dll	bf745977f9eaee8aa6a47cdfae600331.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2920	2064	bf745977f9eaee8aa6a47cdfae600331.exe	28
PID 2064 wrote to memory of 2920	2064	bf745977f9eaee8aa6a47cdfae600331.exe	28
PID 2064 wrote to memory of 2920	2064	bf745977f9eaee8aa6a47cdfae600331.exe	28
PID 2064 wrote to memory of 2920	2064	bf745977f9eaee8aa6a47cdfae600331.exe	28
PID 2064 wrote to memory of 2656	2064	bf745977f9eaee8aa6a47cdfae600331.exe	29
PID 2064 wrote to memory of 2656	2064	bf745977f9eaee8aa6a47cdfae600331.exe	29
PID 2064 wrote to memory of 2656	2064	bf745977f9eaee8aa6a47cdfae600331.exe	29
PID 2064 wrote to memory of 2656	2064	bf745977f9eaee8aa6a47cdfae600331.exe	29

C:\Users\Admin\AppData\Local\Temp\bf745977f9eaee8aa6a47cdfae600331.exe
"C:\Users\Admin\AppData\Local\Temp\bf745977f9eaee8aa6a47cdfae600331.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\kandofnk.exe
  C:\Windows\system32\kandofnk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\bf745977f9eaee8aa6a47cdfae600331.exe.bat
  2⤵
  - Deletes itself
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bf745977f9eaee8aa6a47cdfae600331.exe.bat

Filesize
182B

MD5
01902b410d748aa7087f5bcbf39afd23

SHA1
e18980946c023a9d3c989a573a5efa5b4dedee07

SHA256
1c2240e2329da991aa3c6c9845eed0508495968d7414625d369bdbf08720eed2

SHA512
872214c727f89568ec5e9b11d70df5b72ec01f9eba1d17d0a240e02390d765771a26243a19bd62bf6cc79977836eee5121f9f01d1a964b9e90f5d016feb8deff

Download Submit
\Windows\SysWOW64\kandofnk.exe

Filesize
11KB

MD5
bf745977f9eaee8aa6a47cdfae600331

SHA1
fd7b5322bd48d65b8825b09c633c904622c7045e

SHA256
c024b1cfe6e785a5dfadaac3ae967552ad9c899fd01a1eda80d4eddecaaecc16

SHA512
04070ca19809de33382d8fb9852f34dc54d0919bec41ae08ca9e02697ad700738c5a03ecf0623e813358856c24041fd336629e887196b40a06afa95aee500864

Download Submit
memory/2064-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2064-10-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2064-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2064-16-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2920-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download