Analysis
- max time kernel: 24s
- max time network: 17s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 01-05-2024 00:51
Behavioral tasks
Task           Sample                                     Resource
behavioral1    hacked client (rats) LMAO/Hermotet.exe     win10-20240404-en
behavioral2    hacked client (rats) LMAO/Itami.exe        win10-20240404-en
behavioral3    hacked client (rats) LMAO/Lithium-Lite.exe win10-20240404-en
behavioral4    hacked client (rats) LMAO/axentav2.exe     win10-20240404-en
behavioral5    hacked client (rats) LMAO/ectasy.exe       win10-20240404-en
behavioral6    hacked client (rats) LMAO/epic.exe         win10-20240404-en
behavioral7    hacked client (rats) LMAO/icetea.exe       win10-20240404-en
behavioral8    hacked client (rats) LMAO/koid.exe         win10-20240404-en
behavioral9    hacked client (rats) LMAO/krypton.exe      win10-20240404-en
behavioral10   hacked client (rats) LMAO/kura.exe         win10-20240404-en
behavioral11   hacked client (rats) LMAO/vega.exe         win10-20240404-en
behavioral12   hacked client (rats) LMAO/zoomin.exe       win10-20240404-en
General
- Target: hacked client (rats) LMAO/krypton.exe
- Size: 3.8MB
- MD5: a7beb58e9507171e44455f1f823286ab
- SHA1: 3689b44d42583008d5d158968bf7e81c3c0ccf3c
- SHA256: e781c6915a983883f16ed22a1236e9bc93af081fb5cd3b8ec4c554ceb18183db
- SHA512: 35b7714979773d60296d81f57c4805cc0160db8b881a27ef4370718049949940f9d5734566b6398d5ab7b32800bf50e6f54bdd23150ad02ac60f2b7b55bd4b2b
- SSDEEP: 98304:wpT46CmfHy/AnF2sq2F2LpwgYd8781v4yc3r:w5nCt4F2sq25jq73yc7
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  description   ioc                                           process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   krypton.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description         ioc                                                               process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   krypton.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    krypton.exe
- Processes:
  resource                                                                      yara_rule
  behavioral9/memory/4596-0-0x00007FF734540000-0x00007FF734F57000-memory.dmp    themida
  behavioral9/memory/4596-4-0x00007FF734540000-0x00007FF734F57000-memory.dmp    themida
  behavioral9/memory/4596-3-0x00007FF734540000-0x00007FF734F57000-memory.dmp    themida
  behavioral9/memory/4596-2-0x00007FF734540000-0x00007FF734F57000-memory.dmp    themida
  behavioral9/memory/4596-5-0x00007FF734540000-0x00007FF734F57000-memory.dmp    themida
  behavioral9/memory/4596-6-0x00007FF734540000-0x00007FF734F57000-memory.dmp    themida
  behavioral9/memory/4596-7-0x00007FF734540000-0x00007FF734F57000-memory.dmp    themida
  behavioral9/memory/4596-8-0x00007FF734540000-0x00007FF734F57000-memory.dmp    themida
  behavioral9/memory/4596-9-0x00007FF734540000-0x00007FF734F57000-memory.dmp    themida
- Checks whether UAC is enabled
  Processes:
  description         ioc                                                                                    process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   krypton.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  pid    process
  4596   krypton.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid    process
  4596   krypton.exe
  4596   krypton.exe
  4596   krypton.exe
  4596   krypton.exe
  4596   krypton.exe
  4596   krypton.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid    process
  4596   krypton.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
  pid    process
  4596   krypton.exe
  4596   krypton.exe
  4596   krypton.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\hacked client (rats) LMAO\krypton.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\hacked client (rats) LMAO\krypton.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
Downloads
memory dump                                                         filesize
memory/4596-0-0x00007FF734540000-0x00007FF734F57000-memory.dmp      10.1MB
memory/4596-1-0x00007FFFD94A0000-0x00007FFFD967B000-memory.dmp      1.9MB
memory/4596-4-0x00007FF734540000-0x00007FF734F57000-memory.dmp      10.1MB
memory/4596-3-0x00007FF734540000-0x00007FF734F57000-memory.dmp      10.1MB
memory/4596-2-0x00007FF734540000-0x00007FF734F57000-memory.dmp      10.1MB
memory/4596-5-0x00007FF734540000-0x00007FF734F57000-memory.dmp      10.1MB
memory/4596-6-0x00007FF734540000-0x00007FF734F57000-memory.dmp      10.1MB
memory/4596-7-0x00007FF734540000-0x00007FF734F57000-memory.dmp      10.1MB
memory/4596-8-0x00007FF734540000-0x00007FF734F57000-memory.dmp      10.1MB
memory/4596-9-0x00007FF734540000-0x00007FF734F57000-memory.dmp      10.1MB
memory/4596-10-0x00007FFFD94A0000-0x00007FFFD967B000-memory.dmp     1.9MB