9c9043fc217ad2dffc662e74354280936d9295735ee186db5912ee43db62c8fc

General

Target

cd3e2e5db407027a2e220895e56cea9d.exe
Size

1.2MB
MD5

cd3e2e5db407027a2e220895e56cea9d
SHA1

9b7f73950140ffe44faf303d9f939ffe0e831ca1
SHA256

9c9043fc217ad2dffc662e74354280936d9295735ee186db5912ee43db62c8fc
SHA512

cb13555db384feaf62c64840d368147f37dc2227f2161782cfaa39a4ab08b2bd910e8ce07ac0f5b4e35ebe8d50ab1c10add111d1a08fb2a17e9cc06a4f25566b
SSDEEP

24576:vXSdS7fpASLVbL/9qPmlNqfsOFxibcN0VsNHxz6K6m4:PSd+fqebLwPoJmfNJT2/m4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2776	KGH.exe

Loads dropped DLL 2 IoCs

pid	Process
2720	cd3e2e5db407027a2e220895e56cea9d.exe
2776	KGH.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KGH Start = "C:\\Windows\\SysWOW64\\CFAAQI\\KGH.exe"	KGH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CFAAQI\KGH.004	cd3e2e5db407027a2e220895e56cea9d.exe
File created	C:\Windows\SysWOW64\CFAAQI\KGH.001	cd3e2e5db407027a2e220895e56cea9d.exe
File created	C:\Windows\SysWOW64\CFAAQI\KGH.002	cd3e2e5db407027a2e220895e56cea9d.exe
File created	C:\Windows\SysWOW64\CFAAQI\AKV.exe	cd3e2e5db407027a2e220895e56cea9d.exe
File created	C:\Windows\SysWOW64\CFAAQI\KGH.exe	cd3e2e5db407027a2e220895e56cea9d.exe
File opened for modification	C:\Windows\SysWOW64\CFAAQI\	KGH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 2720	2488	cd3e2e5db407027a2e220895e56cea9d.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2776	KGH.exe
Token: SeIncBasePriorityPrivilege	2776	KGH.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2488	cd3e2e5db407027a2e220895e56cea9d.exe
2776	KGH.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2720	2488	cd3e2e5db407027a2e220895e56cea9d.exe	28
PID 2488 wrote to memory of 2720	2488	cd3e2e5db407027a2e220895e56cea9d.exe	28
PID 2488 wrote to memory of 2720	2488	cd3e2e5db407027a2e220895e56cea9d.exe	28
PID 2488 wrote to memory of 2720	2488	cd3e2e5db407027a2e220895e56cea9d.exe	28
PID 2488 wrote to memory of 2720	2488	cd3e2e5db407027a2e220895e56cea9d.exe	28
PID 2488 wrote to memory of 2720	2488	cd3e2e5db407027a2e220895e56cea9d.exe	28
PID 2488 wrote to memory of 2720	2488	cd3e2e5db407027a2e220895e56cea9d.exe	28
PID 2488 wrote to memory of 2720	2488	cd3e2e5db407027a2e220895e56cea9d.exe	28
PID 2488 wrote to memory of 2720	2488	cd3e2e5db407027a2e220895e56cea9d.exe	28
PID 2488 wrote to memory of 2720	2488	cd3e2e5db407027a2e220895e56cea9d.exe	28
PID 2488 wrote to memory of 2720	2488	cd3e2e5db407027a2e220895e56cea9d.exe	28
PID 2720 wrote to memory of 2776	2720	cd3e2e5db407027a2e220895e56cea9d.exe	29
PID 2720 wrote to memory of 2776	2720	cd3e2e5db407027a2e220895e56cea9d.exe	29
PID 2720 wrote to memory of 2776	2720	cd3e2e5db407027a2e220895e56cea9d.exe	29
PID 2720 wrote to memory of 2776	2720	cd3e2e5db407027a2e220895e56cea9d.exe	29

C:\Users\Admin\AppData\Local\Temp\cd3e2e5db407027a2e220895e56cea9d.exe
"C:\Users\Admin\AppData\Local\Temp\cd3e2e5db407027a2e220895e56cea9d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\cd3e2e5db407027a2e220895e56cea9d.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\CFAAQI\KGH.exe
    "C:\Windows\system32\CFAAQI\KGH.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CFAAQI\AKV.exe

Filesize
500KB

MD5
5a45ea24cce078dcf28664856734565d

SHA1
7e38e0649eae4b0f382c182d0483d9e4c0be26fa

SHA256
385f990c5fb25dc42a5f5a1128c8d20b9956a0790461c62c56607600c8ba7d5a

SHA512
7c466effc080db3c082a3a81cd22a1ee039104ebc9588921124490ceab84b2d5c1b1f4f82dfba95114661311276448297946296b2c4ad9d55cee2e3b710c12e5

Download Submit
C:\Windows\SysWOW64\CFAAQI\KGH.001

Filesize
69KB

MD5
c7fbfdd2d7ded71b4b6281efa26eeede

SHA1
f2f31ff2fab0c96ce978543ec741c6c82dfb7dbc

SHA256
f06fc708de125585f9bfb0c768e1d76f24b6e888875aafdc8c2b670663492737

SHA512
768cd3f899c7d68b426a5bcb5befd4570032ded9a40ceb0cbde618c23016c59e32b03b6b6963b207f7e58621fca2e3ea6d144c1457f69a0b9ef94ed03e83d041

Download Submit
C:\Windows\SysWOW64\CFAAQI\KGH.002

Filesize
54KB

MD5
e7879e2f301a885bb46ec1782a6d6278

SHA1
1aa00ac15c7748432b448be0f8a0d760222024bd

SHA256
9a65b644da2a50ebebaab51c46e8748587d08aaad64102c3df19d996d12dfcef

SHA512
7aa02f3bc0e87ea1afb0b42664891e5198b38796b3fac0deaeff0e92c59892b8a5b985e5d834c713868818a1be6f82cebabab1ac79a286f88c1d57452143a8ed

Download Submit
C:\Windows\SysWOW64\CFAAQI\KGH.004

Filesize
1KB

MD5
9cdba6e525eeadada6af06e4ab9ec298

SHA1
ccf4ffcdc78831eb7b6496f231aa5ec1aa1b8322

SHA256
4ed9987cae8b95355a54056363e14c2bd2d7c5717cceb6a23dd9061cf53ba776

SHA512
94f7519f5c34cc7bdd3a1d55b050a8dffefffaad018deb4aa955569bbdfd8922425aa6dc60db50d0e0235e0e9296a9d2d20e94be02b5a374219f088e04608b91

Download Submit
\Windows\SysWOW64\CFAAQI\KGH.exe

Filesize
1.7MB

MD5
e4bb483573e6bc82f09578f0b48324a5

SHA1
9a60cf20d832af49fb8ae6c484d0f39028d93d04

SHA256
30b3f04eb8b0820b33c8bc50c159ade06a4a29e4361f917b13bdd9323f4a3127

SHA512
8461aefddde57e467601928789f301c0c5bc42e7c7e4aaaf2dcb7ac6a2aea0d5be51db3daf6c9b11f1d78304de72ae8cf71dd8697d636db4f1767a8f8c6ab35b

Download Submit
memory/2720-10-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2720-14-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2720-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-16-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2720-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2720-11-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2720-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2720-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2720-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2720-7-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2720-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2776-35-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2776-37-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads