Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 10:22
Static task
static1
URLScan task
urlscan1
General
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run DB.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Otrpg = "C:\\Windows\\SysWOW64\\KBDKORN.exe" DB.EXE -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts KBDKORN.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DB.EXE -
Executes dropped EXE 6 IoCs
pid Process 1236 AV.EXE 3480 AV2.EXE 4000 DB.EXE 4460 EN.EXE 3464 SB.EXE 3608 KBDKORN.exe -
resource yara_rule behavioral1/files/0x000300000000073d-23.dat upx behavioral1/files/0x0003000000000741-36.dat upx behavioral1/memory/4460-42-0x0000000000400000-0x000000000040A000-memory.dmp upx behavioral1/memory/4000-33-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral1/memory/4000-60-0x0000000000520000-0x00000000005B3000-memory.dmp upx behavioral1/memory/4000-59-0x0000000000520000-0x00000000005B3000-memory.dmp upx behavioral1/memory/4000-56-0x0000000000520000-0x00000000005B3000-memory.dmp upx behavioral1/memory/4460-63-0x0000000000400000-0x000000000040A000-memory.dmp upx -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DB.EXE -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 50 camo.githubusercontent.com 51 camo.githubusercontent.com 119 raw.githubusercontent.com 120 raw.githubusercontent.com 121 raw.githubusercontent.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\physicaldrive0 SB.EXE -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\KBDKORN.exe DB.EXE File opened for modification C:\Windows\SysWOW64\KBDKORN.exe DB.EXE -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4000 DB.EXE 4000 DB.EXE 4000 DB.EXE 4000 DB.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4000 DB.EXE Token: SeShutdownPrivilege 3464 SB.EXE Token: SeDebugPrivilege 3480 AV2.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3608 KBDKORN.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 3256 wrote to memory of 1236 3256 [email protected] 114 PID 3256 wrote to memory of 1236 3256 [email protected] 114 PID 3256 wrote to memory of 1236 3256 [email protected] 114 PID 3256 wrote to memory of 3480 3256 [email protected] 115 PID 3256 wrote to memory of 3480 3256 [email protected] 115 PID 3256 wrote to memory of 3480 3256 [email protected] 115 PID 3256 wrote to memory of 4000 3256 [email protected] 116 PID 3256 wrote to memory of 4000 3256 [email protected] 116 PID 3256 wrote to memory of 4000 3256 [email protected] 116 PID 3256 wrote to memory of 4460 3256 [email protected] 117 PID 3256 wrote to memory of 4460 3256 [email protected] 117 PID 3256 wrote to memory of 4460 3256 [email protected] 117 PID 3256 wrote to memory of 3464 3256 [email protected] 118 PID 3256 wrote to memory of 3464 3256 [email protected] 118 PID 3256 wrote to memory of 3464 3256 [email protected] 118 PID 4000 wrote to memory of 3608 4000 DB.EXE 120 PID 4000 wrote to memory of 3608 4000 DB.EXE 120 PID 4000 wrote to memory of 3608 4000 DB.EXE 120 PID 2400 wrote to memory of 212 2400 msedge.exe 121 PID 2400 wrote to memory of 212 2400 msedge.exe 121
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase1⤵PID:380
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4608 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:11⤵PID:4184
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4928 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:11⤵PID:5080
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵PID:3180
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5404 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:11⤵PID:4748
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5600 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵PID:3392
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=3588 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵PID:464
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4548 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵PID:3800
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=3868 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵PID:4612
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5904 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:11⤵PID:4424
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6164 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵PID:4408
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6364 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵PID:4596
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3756
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]"1⤵
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Users\Admin\AppData\Local\Temp\AV.EXE"C:\Users\Admin\AppData\Local\Temp\AV.EXE"2⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 8283⤵PID:3764
-
-
-
C:\Users\Admin\AppData\Local\Temp\AV2.EXE"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3480
-
-
C:\Users\Admin\AppData\Local\Temp\DB.EXE"C:\Users\Admin\AppData\Local\Temp\DB.EXE"2⤵
- Adds policy Run key to start application
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\KBDKORN.exeC:\Windows\SysWOW64\KBDKORN.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3608
-
-
C:\Windows\SysWOW64\cmd.exe/c C:\Users\Admin\AppData\Local\Temp\~unins1125.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"3⤵PID:1068
-
-
-
C:\Users\Admin\AppData\Local\Temp\EN.EXE"C:\Users\Admin\AppData\Local\Temp\EN.EXE"2⤵
- Executes dropped EXE
PID:4460
-
-
C:\Users\Admin\AppData\Local\Temp\SB.EXE"C:\Users\Admin\AppData\Local\Temp\SB.EXE"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:3464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ffdb24e2e98,0x7ffdb24e2ea4,0x7ffdb24e2eb02⤵PID:212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=1356 --field-trial-handle=1760,i,4905016191781728441,256372885350321130,262144 --variations-seed-version /prefetch:32⤵PID:3964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=1700 --field-trial-handle=1760,i,4905016191781728441,256372885350321130,262144 --variations-seed-version /prefetch:32⤵PID:1824
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280B
MD5d4979ddc709e21dddeb3e15482085154
SHA13b7d391936cfd76330104a8b6101bf1cd5f996e2
SHA2563d7582a8ff9c98481f069304bdc138d2e01697dd91c6f92604826ab7e0925c19
SHA51243cb57707b5f0fd99c11566ce279eda55015b4e8f8db1b72b3a9137fb797261022dcb5624e9c7482c63e76eb81ae90ec00d9fdd36ab1f2b3eda40168698b09b4
-
Filesize
280B
MD5ee08c726ac4e2999fe95093475f9592b
SHA10d147f536546e0f057c992baca80ada4d364238e
SHA256b71871bbdd8a94c9f3339de607046dd441a821e37c67d32fdb9710b23453ec35
SHA512426c92b002a6b7ae6cb01fbfe7091f42484eb61c5354c11b369330372fcf8de60da569e8f2cd3f1995be0d0d70a0f88ebc5cf3fce8c63689a948c97631e9a0d0
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
12KB
MD59ff0f0f4362bf737ccb8d7af26abf466
SHA1edaacf8ad0fefe049885f221ad4153ab0389ed03
SHA2561eb6c6cb661e25bb5a291df8cfb5db1a550c358a88436c8d03586ce99d36266a
SHA512850c35da8a49ae53fab7ae5f915a846023f28aae1eecef0a4a0b7ecacf560912dae9d1ccd78dcce0a61eef6a12f985e65683a90a45bfc1add4f53333e448321c
-
Filesize
62KB
MD5a233d97d406915e79d3b672ea8969f61
SHA1f58c3928d994a21fe54f6878971c189f8bf6fff9
SHA256bfc65c3df545aa799856bca6c7d44551c8306ea5acad3e3f88ab8ca5e2993d1b
SHA512e6623e193bf03286510fd0ffc0174e9b0a6c2dc749ea7e7907783519679d60c7e761dc9cbbea287c3c31004ec9a67b5ec9930896bd058ef2e84913f59cd39285
-
Filesize
1.1MB
MD5f284568010505119f479617a2e7dc189
SHA1e23707625cce0035e3c1d2255af1ed326583a1ea
SHA25626c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1
SHA512ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf
-
Filesize
208B
MD5d5ddc6a8454e9f5798ab83586db20364
SHA13dae9586cc2e42f0b0a5342a5235addefa07a9fa
SHA256dc2620fd367ad103afc7073053caca5e5c3bd865ec11b22e0a350790f5773406
SHA5126c7bccacfd1be24d32fe8cf62d27725e5877cdf8136e37405ef8ded346d23b5c05954e185fd7224b128ee4f5215614aa61d416612a9f67bf1ff3d8798dc68408
-
Filesize
368KB
MD5014578edb7da99e5ba8dd84f5d26dfd5
SHA1df56d701165a480e925a153856cbc3ab799c5a04
SHA2564ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529
SHA512bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068
-
Filesize
243KB
MD5c6746a62feafcb4fca301f606f7101fa
SHA1e09cd1382f9ceec027083b40e35f5f3d184e485f
SHA256b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6
SHA512ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642
-
Filesize
6KB
MD5621f2279f69686e8547e476b642b6c46
SHA166f486cd566f86ab16015fe74f50d4515decce88
SHA256c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38
SHA512068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e
-
Filesize
149KB
MD5fe731b4c6684d643eb5b55613ef9ed31
SHA1cfafe2a14f5413278304920154eb467f7c103c80
SHA256e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496
SHA512f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e
-
Filesize
224KB
MD59252e1be9776af202d6ad5c093637022
SHA16cc686d837cd633d9c2e8bc1eaba5fc364bf71d8
SHA256ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6
SHA51298b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea
-
Filesize
101KB
MD5a796780f3083f3d98d1e660015d07428
SHA1fc79a558c98a64aa151f506a147f8131f62caec0
SHA256b085e424ae43356a42f9a30cf9d68dd6ce4c0404f5781a700d1e18c81b8fb46c
SHA512d9875aa63332dc2a12605c27ea35fcd6c5a2ce9453c242ab1ae30800c3214e5573f61038b85ba14168ff0f51372968744b8fc09b887af424bf22aa989e21b2e6
-
Filesize
1KB
MD5def6145b0bbbc4ac9defa1910312f7d2
SHA106b52011ec650d10389808395f9889581402a6cd
SHA256a0189643725002123bc648e1e9bf571b06577db9b8edea3cf54eab2d779df5f3
SHA5123c39d1bfec076c6aa6d3a0787c78742a4c4259a018069f02a3842606fb85518b95067320310756881ab0d7f5b0305325402b10902497e01e5431384f0e6f0b75