Analysis
-
max time kernel
1800s -
max time network
1179s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 19:29
Behavioral task
behavioral1
Sample
KAKEInjector.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
4 signatures
1800 seconds
General
-
Target
KAKEInjector.exe
-
Size
13.5MB
-
MD5
f1053bd6f2f6b5dd74d81af9db452f1f
-
SHA1
aa5f30c818dd8196e569c39126e73fb277fdc787
-
SHA256
cfc350c17f9f21c3cee709494d8945190be0d4838698e9161094f53f52c1bd02
-
SHA512
fc7455866addddda8850994b7b14f3dc3ad565f0dc5b6005699ea2a85b849cc3c331039905b19705e42d5194d65cbb9a1d3040be84636db14ff79eea963c204c
-
SSDEEP
393216:LD1rmILrAI3XmgJyL/s2jeUaUXtnseecncyeaGNjRtP7J/2g:n1rTvBXmUwljCebcyfGzl9
Score
7/10
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/3820-3-0x00007FF742240000-0x00007FF743BA8000-memory.dmp themida behavioral1/memory/3820-8-0x00007FF742240000-0x00007FF743BA8000-memory.dmp themida -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3820 KAKEInjector.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3820 KAKEInjector.exe 3820 KAKEInjector.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3820 wrote to memory of 3732 3820 KAKEInjector.exe 87 PID 3820 wrote to memory of 3732 3820 KAKEInjector.exe 87 PID 3732 wrote to memory of 2824 3732 cmd.exe 88 PID 3732 wrote to memory of 2824 3732 cmd.exe 88 PID 3732 wrote to memory of 3548 3732 cmd.exe 89 PID 3732 wrote to memory of 3548 3732 cmd.exe 89 PID 3732 wrote to memory of 2104 3732 cmd.exe 90 PID 3732 wrote to memory of 2104 3732 cmd.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\KAKEInjector.exe"C:\Users\Admin\AppData\Local\Temp\KAKEInjector.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\KAKEInjector.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\KAKEInjector.exe" MD53⤵PID:2824
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵PID:3548
-
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵PID:2104
-
-