Analysis

  • max time kernel
    138s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/07/2024, 23:15

General

  • Target

    killer.exe

  • Size

    166KB

  • MD5

    7b3a7907f0489945935bd78d6a8c8df7

  • SHA1

    09baf051a0fcbfec678f5962678ef1041d06b325

  • SHA256

    16512770eb74b8a655e747a260302126936ca1d426ed79d9fd7aadd371317579

  • SHA512

    c6da2f2d19b1f195ba738b619daf0db54d1384678c2b97a13760f6e72315b10dfe0eed228b0a777e2ba7e487306a400d202d48b16271c5880e2e4ad6030f5082

  • SSDEEP

    3072:oahKyd2n3175GWp1icKAArDZz4N9GhbkrNEk+5fJ3qa1qtzF:oahOTp0yN90QE0

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\killer.exe
    "C:\Users\Admin\AppData\Local\Temp\killer.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "killer.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4364
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:3868
      • C:\Windows\system32\curl.exe
        curl -s ipinfo.io/1.1.1.1
        3⤵
        PID:4236
      • C:\Windows\system32\findstr.exe
        findstr /R /C:"\"city\":" /C:"\"postal\":" /C:"\"country\":" /C:"\"loc\":" /C:"\"timezone\":"
        3⤵
        PID:2248
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo "
        3⤵
        PID:1680
      • C:\Windows\system32\findstr.exe
        findstr /r /i /c:"^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}$"
        3⤵
        PID:1324
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo "
        3⤵
        PID:2400
      • C:\Windows\system32\findstr.exe
        findstr /r /i /c:"^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}$"
        3⤵
        PID:2312
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo "
        3⤵
        PID:3412
      • C:\Windows\system32\findstr.exe
        findstr /r /i /c:"^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}$"
        3⤵
        PID:1492
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo "
        3⤵
        PID:2216
      • C:\Windows\system32\findstr.exe
        findstr /r /i /c:"^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}$"
        3⤵
        PID:3504
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3048
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\killer.bat
    1⤵
    • Opens file in notepad (likely ransom note)
    • Suspicious use of FindShellTrayWindow
    PID:4656

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\killer.bat

    Filesize

    12KB

    MD5

    8ca095c00bed0f626ecfeb9d008b47cc

    SHA1

    582a3ffa8e1daa39b724af58abba84b679b4c937

    SHA256

    8c53f3acac40a6269c54c7428828f550dd7c3ce5eea5ff51bf54bd3e7db42032

    SHA512

    afc87aad633305c812ed03fb1f3da02e4f9f49c3d5a3a467cde25ce855ba0db86f75ac4f393f5e8f07b3694dd412ab63a70afc986e7ccfcd348f5624622a6936