59d2b568b9c69661c37762a9c6a9968cabfd47167f659df070f6a6c29d892288

Analysis

max time kernel
31s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v1.exe
Size

468KB
MD5

dc5962e1fbd5b5c9e6046e150d0cc928
SHA1

3b30871d1474c6c60e964b343734de2f0b7abeb1
SHA256

59d2b568b9c69661c37762a9c6a9968cabfd47167f659df070f6a6c29d892288
SHA512

056fdbb07ceb866fc1b9f7b7f4e8e999d5f5c3141be96979139af6618937d1fffd6ebb7baabea822b3fd3fe5f58bb1b0747292afde37f11ddbcc62e0e2137add
SSDEEP

6144:GJD+RwqoQptRT0bo2n50vDT7TO1ngbmnVDWGuJQXCzbYzB5xNFv0YQ1HJnY6dDtm:GJ0n0bngTenaUzBE1HJnYH1sU

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VwikPOUvWQcs\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\VwikPOUvWQcs"	kdmapper_Release.exe

Executes dropped EXE 1 IoCs

pid	Process
960	kdmapper_Release.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\VNT.sys	v1.exe
File created	C:\Program Files\kdmapper_Release.exe	v1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3564	v1.exe
3564	v1.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
960	kdmapper_Release.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	960	kdmapper_Release.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 4628	3564	v1.exe	88
PID 3564 wrote to memory of 4628	3564	v1.exe	88
PID 3564 wrote to memory of 1924	3564	v1.exe	89
PID 3564 wrote to memory of 1924	3564	v1.exe	89
PID 3564 wrote to memory of 1592	3564	v1.exe	94
PID 3564 wrote to memory of 1592	3564	v1.exe	94
PID 1592 wrote to memory of 960	1592	cmd.exe	95
PID 1592 wrote to memory of 960	1592	cmd.exe	95
PID 3564 wrote to memory of 4056	3564	v1.exe	96
PID 3564 wrote to memory of 4056	3564	v1.exe	96
PID 3564 wrote to memory of 2848	3564	v1.exe	99
PID 3564 wrote to memory of 2848	3564	v1.exe	99

C:\Users\Admin\AppData\Local\Temp\v1.exe
"C:\Users\Admin\AppData\Local\Temp\v1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd C:\Program Files && kdmapper_Release.exe VNT.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Program Files\kdmapper_Release.exe
    kdmapper_Release.exe VNT.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\kdmapper_Release.exe

Filesize
140KB

MD5
0b57fb7f0711c4ab650d2cf49d480a8a

SHA1
7ca0555962a07e92c751ea2ad8e7fbd942e736c4

SHA256
0cceb7ddf5f315e13058632a703228ef071bce918c260584f75199733c6c6aeb

SHA512
1d88d57ee22eaeea806abf8be615ad15069fea32e4be697fb3dada6cc4c0f8ac283a8e2988c54b7449e8fef9187fb29273225968eef7e30b5ad6c666ca2d4ffa

Download Submit