b65977c186a5f2dffb4fe8b0e57850efb9f2207ae168368bddd9976a12d80e3f

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

K-Lite_Codec_Pack_1310_Basic.exe
Size

13.6MB
MD5

76b82fd24f9707d812a0083d95afd1b5
SHA1

262f7e8a5458cc422bee394a56274fe809d9e497
SHA256

b65977c186a5f2dffb4fe8b0e57850efb9f2207ae168368bddd9976a12d80e3f
SHA512

6d8fc3f8d4bab6f1e544266653678d2936376770fd48c312e85324fe6dcb7f37f7dad31cc5fcf75af111e0cbf0d93470f0c2e520cea2313c0b5fbc8cf0b97544
SSDEEP

393216:c3Qj+X8WU9afAnvBwz/etkyW0elOiJgVJt:cgX7ofAvqz6WWiJgVJt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\Geo\Nation	K-Lite_Codec_Pack_1310_Basic.tmp

Executes dropped EXE 1 IoCs

pid	Process
2840	K-Lite_Codec_Pack_1310_Basic.tmp

Loads dropped DLL 4 IoCs

pid	Process
2460	K-Lite_Codec_Pack_1310_Basic.exe
2840	K-Lite_Codec_Pack_1310_Basic.tmp
2840	K-Lite_Codec_Pack_1310_Basic.tmp
2840	K-Lite_Codec_Pack_1310_Basic.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	K-Lite_Codec_Pack_1310_Basic.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	K-Lite_Codec_Pack_1310_Basic.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2840	K-Lite_Codec_Pack_1310_Basic.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2840	2460	K-Lite_Codec_Pack_1310_Basic.exe	28
PID 2460 wrote to memory of 2840	2460	K-Lite_Codec_Pack_1310_Basic.exe	28
PID 2460 wrote to memory of 2840	2460	K-Lite_Codec_Pack_1310_Basic.exe	28
PID 2460 wrote to memory of 2840	2460	K-Lite_Codec_Pack_1310_Basic.exe	28
PID 2460 wrote to memory of 2840	2460	K-Lite_Codec_Pack_1310_Basic.exe	28
PID 2460 wrote to memory of 2840	2460	K-Lite_Codec_Pack_1310_Basic.exe	28
PID 2460 wrote to memory of 2840	2460	K-Lite_Codec_Pack_1310_Basic.exe	28

C:\Users\Admin\AppData\Local\Temp\K-Lite_Codec_Pack_1310_Basic.exe
"C:\Users\Admin\AppData\Local\Temp\K-Lite_Codec_Pack_1310_Basic.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\is-KOSQC.tmp\K-Lite_Codec_Pack_1310_Basic.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KOSQC.tmp\K-Lite_Codec_Pack_1310_Basic.tmp" /SL5="$40108,13695168,259072,C:\Users\Admin\AppData\Local\Temp\K-Lite_Codec_Pack_1310_Basic.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-JGG21.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-JGG21.tmp\klcp_detect.dll

Filesize
70KB

MD5
d66f5cb867234099e717109f4b8a2888

SHA1
4857a9629e8ffa807df5f1dbeb286b11f1d730ec

SHA256
ee0a1551a72599042683084ca88782abbf8f26c9484fb448035058e80d08a5e3

SHA512
b5c25542b2428a2ecf5c265089367061db45c845cdd4c1d7d9b8510baebe0375e72fe9f297bcadfba55353c66c9ce438ad8153c0996966b0b11aeab29752c3e5

Download Submit
\Users\Admin\AppData\Local\Temp\is-JGG21.tmp\klcp_detect2.dll

Filesize
145KB

MD5
67c7c8ec61094d0d5e59e7cac8a39808

SHA1
2ee29e434f5a030f14c864dbb0eb21ba186971e2

SHA256
d72e5d2a5368dd9ce70c7eccfc0d637baa433b571e2466bca696d7e23f4dfeb4

SHA512
e7447f3426f923d6212907d148ec96d18e56d4f4bd7636f1351510f6da952d1eadc92a43eaab1405c9ad34f6f9aa9f7d229e13c051effcf8baa8affaa15c607a

Download Submit
\Users\Admin\AppData\Local\Temp\is-KOSQC.tmp\K-Lite_Codec_Pack_1310_Basic.tmp

Filesize
1.3MB

MD5
0f85f217fa49597d023de2251eb01afe

SHA1
03e408128b9f176e404a1b16468b6c4a84432253

SHA256
59bb2f266ec5a0180bf7060c0c8ce3559e3a688ef86924ea0bc0de10cbae2915

SHA512
3fa4d9b0b87d0d55834610389027d460e51c3b0a0d772c66fb2f865d0079ae69b8d9b16ea0591aa2e0a404812f2b33d30760f16106d4e34ce712cda6a7ef58ef

Download Submit
memory/2460-1-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2460-25-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2840-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2840-26-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2840-29-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads