Analysis
- max time kernel: 24s
- max time network: 17s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 01-05-2024 00:51
Behavioral tasks (all run on resource win10-20240404-en):
- behavioral1: hacked client (rats) LMAO/Hermotet.exe
- behavioral2: hacked client (rats) LMAO/Itami.exe
- behavioral3: hacked client (rats) LMAO/Lithium-Lite.exe
- behavioral4: hacked client (rats) LMAO/axentav2.exe
- behavioral5: hacked client (rats) LMAO/ectasy.exe
- behavioral6: hacked client (rats) LMAO/epic.exe
- behavioral7: hacked client (rats) LMAO/icetea.exe
- behavioral8: hacked client (rats) LMAO/koid.exe
- behavioral9: hacked client (rats) LMAO/krypton.exe
- behavioral10: hacked client (rats) LMAO/kura.exe
- behavioral11: hacked client (rats) LMAO/vega.exe
- behavioral12: hacked client (rats) LMAO/zoomin.exe
General
- Target: hacked client (rats) LMAO/kura.exe
- Size: 3.3MB
- MD5: 208a92b2100ef3dc268b709e7a9aa3e2
- SHA1: 2825a5777445dd584289fe35e41c836f8743dbcb
- SHA256: 5e8394b44ba1373b36214d09b16a43ada6d001e55509de72c1f85928481422b0
- SHA512: fa64f5ab44d63ee3963dfbc4c49f089fb9395c55a4847096c7791935876bfdb91af6653dc27db6a012cfba02ef97b7e5ac278a5145f1ad3b80fa735f1d86699a
- SSDEEP: 98304:UXoNdtf6+hovlWtuCZM8vNdvj1mJcEep/gG:UQL/mvHcMo9EeyG
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  - process: kura.exe | description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - process: kura.exe | description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  - process: kura.exe | description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- YARA rule match: themida (6 IoCs)
  Processes:
  - resource: behavioral10/memory/4988-0-0x00007FF622770000-0x00007FF623074000-memory.dmp | yara_rule: themida
  - resource: behavioral10/memory/4988-3-0x00007FF622770000-0x00007FF623074000-memory.dmp | yara_rule: themida
  - resource: behavioral10/memory/4988-2-0x00007FF622770000-0x00007FF623074000-memory.dmp | yara_rule: themida
  - resource: behavioral10/memory/4988-5-0x00007FF622770000-0x00007FF623074000-memory.dmp | yara_rule: themida
  - resource: behavioral10/memory/4988-4-0x00007FF622770000-0x00007FF623074000-memory.dmp | yara_rule: themida
  - resource: behavioral10/memory/4988-6-0x00007FF622770000-0x00007FF623074000-memory.dmp | yara_rule: themida
- Checks whether UAC is enabled (1 IoC)
  Processes:
  - process: kura.exe | description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  - pid: 4988 | process: kura.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  - description: PID 4988 wrote to memory of 4600 | pid: 4988 | process: kura.exe | target process: cmd.exe
  - description: PID 4988 wrote to memory of 4600 | pid: 4988 | process: kura.exe | target process: cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\hacked client (rats) LMAO\kura.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\hacked client (rats) LMAO\kura.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/4988-0-0x00007FF622770000-0x00007FF623074000-memory.dmp (filesize 9.0MB)
- memory/4988-1-0x00007FF90EED0000-0x00007FF90F0AB000-memory.dmp (filesize 1.9MB)
- memory/4988-3-0x00007FF622770000-0x00007FF623074000-memory.dmp (filesize 9.0MB)
- memory/4988-2-0x00007FF622770000-0x00007FF623074000-memory.dmp (filesize 9.0MB)
- memory/4988-5-0x00007FF622770000-0x00007FF623074000-memory.dmp (filesize 9.0MB)
- memory/4988-4-0x00007FF622770000-0x00007FF623074000-memory.dmp (filesize 9.0MB)
- memory/4988-6-0x00007FF622770000-0x00007FF623074000-memory.dmp (filesize 9.0MB)
- memory/4988-8-0x00007FF90EED0000-0x00007FF90F0AB000-memory.dmp (filesize 1.9MB)