Resubmissions
03-01-2022 15:51 220103-tagh5sbdh2 10
Analysis
max time kernel: 1200s
max time network: 1047s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-04-2024 13:36
Static task: static1
Behavioral task: behavioral1, Sample: kr.exe, Resource: win7-20240221-en
Behavioral task: behavioral2, Sample: kr.exe, Resource: win10-20240404-en
Behavioral task: behavioral3, Sample: kr.exe, Resource: win10v2004-20240412-en
General
Target: kr.exe
Size: 786KB
MD5: 899dc9cc6e7516536bf5e816e8cecf55
SHA1: 6c07fc00ed2202798194749aa8037bb0ad38bb00
SHA256: 5f84ad4413ad6dcdea0cb3aa206cc4df29e1bad9d9598912c323c931d568ac90
SHA512: 445016f0e37ee3ecec319b73713d083711608c044f855e16268f89c88d460e95d85b79d375534ac6b7a4a0e869c49470d49b7e325ff0507c550107d593ae688c
SSDEEP: 12288:vyxPJa2s86jofrWEuxjcZxyPq8tf8sQ+PRtj3lDsmMHj3N6eiaFmhL+JigR:vyxPJ/s86szWEuKiflOmMDhPEhL+lR
Malware Config
Signatures
Drops startup file (1 IoC)
description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ultrasearch.lnk; Process: kr.exe
Executes dropped EXE (1 IoC)
pid: 2296; Process: GetX64BTIT.exe
Loads dropped DLL (1 IoC)
pid: 2840; Process: kr.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 4: api.ipify.org; flow 5: api.ipify.org
Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid: 2840; Process: kr.exe (the same entry is repeated for all 64 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
pid: 2840; Process: kr.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 2840 wrote to memory of 2296; pid: 2840; Process: kr.exe; procid_target: 30 (the same entry is repeated for all 4 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\kr.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\kr.exe"
   - Drops startup file
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2840
2. C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe (child of PID 2840)
   Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
   - Executes dropped EXE
   PID: 2296
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 28B
MD5: 7ad4dc61b8b3dfcebe9741190b3fd4fa
SHA1: 3840b22d40a1ee95fc61aadff831cb30c1b80df4
SHA256: 8967fa5b04d149697539716db8ba0268bb3f0e6eac924b4c3398a5767fe61a92
SHA512: fa7dbfb0372123a04a4255fc0401bede663fa7a5ca3b72c165983b91c7b579973e1be46db3a18e3d6c72ca869c305fb749bd1550996f9d85474a4739bd9efb3e

Filesize: 3KB
MD5: b4cd27f2b37665f51eb9fe685ec1d373
SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e