ea4b5b075808b5b2280ec76de0a67e3b94cb6bfd0370dd2facbd8e009eb45e7d

Analysis

max time kernel
30s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KNF Setup Installer.exe
Size

84.7MB
MD5

d90a0827e3bf236ef6296c9697188dc5
SHA1

4e32c60f55547c95d7b120efbfbdcf5638b9c3c3
SHA256

ea4b5b075808b5b2280ec76de0a67e3b94cb6bfd0370dd2facbd8e009eb45e7d
SHA512

382e892dc0440e35e7b32d83a4e2481ef7808b7f550bb132577d07f60737f548eafec9f41e7a8015e0434ce8b2ab0dbc09e02d2202c9f914c099fefbf9d8e50f
SSDEEP

1572864:AdJxuLk0HPSdJxuLk0HPSdJxuLk0HPSdJxuLk0HPSdJxuLk0HPSdJxuLk0HPSdJG:

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4056	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation	KNF Setup Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4056	powershell.exe
4056	powershell.exe
3620	chrome.exe
3620	chrome.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe
Token: SeShutdownPrivilege	3620	chrome.exe
Token: SeCreatePagefilePrivilege	3620	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe
3620	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 4056	2936	KNF Setup Installer.exe	84
PID 2936 wrote to memory of 4056	2936	KNF Setup Installer.exe	84
PID 3620 wrote to memory of 2960	3620	chrome.exe	88
PID 3620 wrote to memory of 2960	3620	chrome.exe	88
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1432	3620	chrome.exe	89
PID 3620 wrote to memory of 1076	3620	chrome.exe	90
PID 3620 wrote to memory of 1076	3620	chrome.exe	90
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91
PID 3620 wrote to memory of 4752	3620	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\KNF Setup Installer.exe
"C:\Users\Admin\AppData\Local\Temp\KNF Setup Installer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7fff293dab58,0x7fff293dab68,0x7fff293dab78
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1896,i,1960896821026998129,5252263539411047443,131072 /prefetch:2
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1896,i,1960896821026998129,5252263539411047443,131072 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1896,i,1960896821026998129,5252263539411047443,131072 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1896,i,1960896821026998129,5252263539411047443,131072 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1896,i,1960896821026998129,5252263539411047443,131072 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4048 --field-trial-handle=1896,i,1960896821026998129,5252263539411047443,131072 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1896,i,1960896821026998129,5252263539411047443,131072 /prefetch:8
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1896,i,1960896821026998129,5252263539411047443,131072 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4860 --field-trial-handle=1896,i,1960896821026998129,5252263539411047443,131072 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4628 --field-trial-handle=1896,i,1960896821026998129,5252263539411047443,131072 /prefetch:1
  2⤵
  PID:3204

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6a87a9ea8f92372d035b77d33e9173f0

SHA1
9def7b08748880c7a71ac30612f9a5712b566c98

SHA256
b4d621699d8ddbe5b74a5b0242e6ee4aa5c1e7258fe761e2434da278997f74ef

SHA512
19531a9d32b0eb3f55bccd7b1a3e00836d6831481bb007a37eacfa283a20731d4125f6ddd9e0fc73d442de3bf4e4569915898898e922e47cfe1420da0acb2068

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9590c3cfb9172298522af3d2e8229519

SHA1
4d9eb5988e9149c4403bed8bf1e722860864fa3e

SHA256
41e110f812bbec71484f3209ee216277a8d99f7ae5c00f63014345017b89ea9a

SHA512
65b09e4ae2b30aa4092b2140911f36f944b8fbc8c1824c7372c9f740050da12e8b80105f84b4fdab016edf79559ed2b09f3b40b257f3df51862adea4193fd41b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
4865ddd23d4014de8c5dd900f795c273

SHA1
fdbd19c95a54773978041e9fcb5181ee65c62266

SHA256
963cb54cbf3c2661d6bb361c732f678e926dd11289b77ef493c667a530adfc20

SHA512
a88ca6a217c01d1c1aa1d3061457323f7a103734ec3abde96446b58991fcd1c247f8786146671c75867104666cf5f7ff3e8a501f80bf11871beb20f55e944ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5h4xujk0.ood.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2936-17-0x0000000000B50000-0x00000000013DD000-memory.dmp

Filesize
8.6MB

Download
memory/2936-0-0x0000019B85F50000-0x0000019B85F51000-memory.dmp

Filesize
4KB

Download
memory/4056-14-0x00007FFF19830000-0x00007FFF1A2F1000-memory.dmp

Filesize
10.8MB

Download
memory/4056-16-0x00007FFF19830000-0x00007FFF1A2F1000-memory.dmp

Filesize
10.8MB

Download
memory/4056-13-0x00007FFF19830000-0x00007FFF1A2F1000-memory.dmp

Filesize
10.8MB

Download
memory/4056-12-0x00007FFF19830000-0x00007FFF1A2F1000-memory.dmp

Filesize
10.8MB

Download
memory/4056-2-0x00000284FB690000-0x00000284FB6B2000-memory.dmp

Filesize
136KB

Download
memory/4056-1-0x00007FFF19833000-0x00007FFF19835000-memory.dmp

Filesize
8KB

Download