989978a43440adc74dae5699a12a33213569f1549b92c8e873caf7b8db7eeb31

Analysis

max time kernel
38s
max time network
3s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
06-06-2024 18:55

Target

Kulo Proxy.exe
Size

2.3MB
MD5

f7aaffa9a85cd5b2b147b1c2a117dfd9
SHA1

336ca5e628cf57ba5c4701918ada06bf908d3753
SHA256

4f3728da388cc647f39d12c330ff81b4068d7c908668d56d6e6f0d87631085d9
SHA512

5368be56ced8d1abca50848430755e927cca92a726ded5d609f4fba2cbd93946b1e4c68b235f0e612bd52a025643fcfab3309afbce5ec1e39f3ba5e7e09c564c
SSDEEP

49152:T17U1ozWrLIgUi5o3/rdcVs+xg/MwoieUrduY6:JdSnq6

Score

1^/10

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\discord-1102550822702813184\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Kulo Proxy.exe"	Kulo Proxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\discord-1102550822702813184\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Kulo Proxy.exe"	Kulo Proxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\discord-1102550822702813184\ = "URL:Run game 1102550822702813184 protocol"	Kulo Proxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\discord-1102550822702813184\URL Protocol	Kulo Proxy.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\discord-1102550822702813184\shell\open\command	Kulo Proxy.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\discord-1102550822702813184\shell	Kulo Proxy.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\discord-1102550822702813184\shell\open	Kulo Proxy.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\discord-1102550822702813184	Kulo Proxy.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\discord-1102550822702813184\DefaultIcon	Kulo Proxy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 3876	3372	Kulo Proxy.exe	79
PID 3372 wrote to memory of 3876	3372	Kulo Proxy.exe	79
PID 3372 wrote to memory of 2300	3372	Kulo Proxy.exe	80
PID 3372 wrote to memory of 2300	3372	Kulo Proxy.exe	80
PID 2300 wrote to memory of 1352	2300	cmd.exe	81
PID 2300 wrote to memory of 1352	2300	cmd.exe	81
PID 2300 wrote to memory of 1240	2300	cmd.exe	82
PID 2300 wrote to memory of 1240	2300	cmd.exe	82
PID 2300 wrote to memory of 772	2300	cmd.exe	83
PID 2300 wrote to memory of 772	2300	cmd.exe	83
PID 3372 wrote to memory of 732	3372	Kulo Proxy.exe	84
PID 3372 wrote to memory of 732	3372	Kulo Proxy.exe	84

C:\Users\Admin\AppData\Local\Temp\Kulo Proxy.exe
"C:\Users\Admin\AppData\Local\Temp\Kulo Proxy.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Color 0A
  2⤵
  PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Kulo Proxy.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Kulo Proxy.exe" MD5
    3⤵
    PID:1352
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1240
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:732