3123af93014a5a5c49aa6fd2118f6805041af178c222be27e30b2fd477085c19

Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

06-08-2024 13:01

06-08-2024 12:52

06-08-2024 12:29

06-08-2024 12:26

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06-08-2024 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe
Size

5.7MB
MD5

40a22356fd06bc9a4fd4ddedf5286666
SHA1

32ee28a964557f6e1effd28ed8c91328e7698e23
SHA256

ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474
SHA512

d67256c51af065f58e7d037387cba7fdde6b55b0e10f24572bb039033a406450b079d32e62450570202305ffee2991b9c6fc74ce72bae48217c984c9cbcfeb97
SSDEEP

98304:NLIAMmuuNkfUo2EwVPBh4i02bt+xznOywv+r4oYIxu1i2e56SM2F9jE37HethOKd:WyNkfr29VPBhh0p5ngve4lIQe5UM9jqK

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2116	KKMAgent.exe

Loads dropped DLL 29 IoCs

pid	Process
1304	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe
1304	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe
1304	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\KKMAgent = "C:\\Users\\Admin\\AppData\\Roaming\\KkmAgent\\KKMAgent.exe"	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\KKMAgent = "C:\\Users\\Admin\\AppData\\Roaming\\KkmAgent\\KKMAgent.exe"	KKMAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KKMAgent.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1304	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe
1304	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe
1304	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	KKMAgent.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe
2116	KKMAgent.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2116	1304	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe	30
PID 1304 wrote to memory of 2116	1304	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe	30
PID 1304 wrote to memory of 2116	1304	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe	30
PID 1304 wrote to memory of 2116	1304	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe	30
PID 1304 wrote to memory of 2116	1304	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe	30
PID 1304 wrote to memory of 2116	1304	ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe	30

C:\Users\Admin\AppData\Local\Temp\1\ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe
"C:\Users\Admin\AppData\Local\Temp\1\ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Roaming\KkmAgent\KKMAgent.exe
  C:\Users\Admin\AppData\Roaming\KkmAgent\KKMAgent.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Sushkof\KKMAgent.exe_Url_nzfaxrp0lkh3cjia20ze40344dfjopaz\2.4.2.3\mh2k5ig3.newcfg

Filesize
729B

MD5
a18b0d2f51a8e2dbabd44027325dadc4

SHA1
d7694468ed5d00ec6313baaf969596b72be2ff23

SHA256
89310dfef9694a6ff078e087ff1c02076537a46c32b2b35740d3021e6c74af51

SHA512
ff387fe0c79c53c11387e801502e1ef964c0b9031deea7674361d1dde1862cbe904ebbaf76ec57f9665deddd54f2dc04add4acc3f95b09979fbb722ed8ae241c

Download Submit
C:\Users\Admin\AppData\Local\Sushkof\KKMAgent.exe_Url_nzfaxrp0lkh3cjia20ze40344dfjopaz\2.4.2.3\user.config

Filesize
324B

MD5
b1dbcf1157c264239ec26b6ebb616c67

SHA1
9434b62ab9c73ec0a837b85b503c062538a3ff79

SHA256
99b76533b7d71cdf2029a9fee066a05870c294f555699bb3732e4d4e614a5d2c

SHA512
659e766fc6deb100c07be97c657136cd491d0651a815410951af9473eec929f04260d5b4fc62caa95d38b2720d1c8731426866f776f74a63a9dfbd39def36082

Download Submit
C:\Users\Admin\AppData\Local\Sushkof\KKMAgent.exe_Url_nzfaxrp0lkh3cjia20ze40344dfjopaz\2.4.2.3\user.config

Filesize
453B

MD5
c011a64555d93fea74ea3c0e026816c1

SHA1
e32bd422f6650c5d3cbdb46a383837df54306e2f

SHA256
4ae02c56bc1a5a1a18d8ad1b321a392ec7971194872366fb21d26e16562010aa

SHA512
d9023dfb3dcfd8e76b13725d523b6329478e76e18ac116ce5e92cab24b32c2903941788cf74843cef3766729c3e044a95a658ca9349c9578641a319a8051ebb8

Download Submit
C:\Users\Admin\AppData\Local\Sushkof\KKMAgent.exe_Url_nzfaxrp0lkh3cjia20ze40344dfjopaz\2.4.2.3\user.config

Filesize
602B

MD5
03b42de551dec05549b67c22fa67086c

SHA1
6d6a3d2013faf071219b53261f2effbeeaa41f31

SHA256
29ced946b073a36f595cedd6686026955ee2d2507ca23e2b480b4e647c12768d

SHA512
45130c1b99581c5d3650ee5d671e9908fd39a8ea5f07cedfccdf36010c474e5e1d64fe094539dc89dede3cb54d5cc11dfe21f491f7922be2b2c67a7e6c12147c

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\Atol.Drivers10.Fptr.dll

Filesize
78KB

MD5
3c46c36b845b1da2c2bd9e0667df0f60

SHA1
570dcc02f0cfb97c352363943285212c833229fe

SHA256
d0f9b82de64219e37556834fb2a7491468d2cbe1d324880c23a3bda8851b9e5c

SHA512
68d24d34813b98ffb4cbc3e8175a19d601a530631f118326101d77a71b1419e8c0915d955ca80ad43c4e54339e43eca6b5c1d8d79050af90e2eea31f06fbe9bc

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\AutoUpdater.NET.dll

Filesize
416KB

MD5
4919c59e98c927eb902a9370a45e71b8

SHA1
4c08f77658d33e5aec0c8873f02779a87ed09334

SHA256
0f2b1c726e47166cfe30f0edbd0939b3723bf3e63fc4dd9d8d178d85a4bcc72f

SHA512
99af63dcce2b058e425fe6eb5d1a3480aabb18a6db9a98d001e81624b492b176a3cd9355c4ad30877adba5a5a65a9a400a3df206500f3c8b76a06cdf492b03ea

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\KKMAgent.exe.config

Filesize
6KB

MD5
660e547f3981c5a3e677335f951ec852

SHA1
fe766d3b216c60bfe0b0d1b78bb9bc20d32e8929

SHA256
36f1e041954de9ac06d1c087920453c85591d0c680065e00c7dc23628c4da284

SHA512
a0240959d0b12215e4909b4e63256be48a7010e37c151c79c538a11491a9904e3cb019452eb6409bd9c8971b8dc9ed458403da82188bd08694707fec313eda0c

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\KKMCommon.dll

Filesize
56KB

MD5
42813b472279298a39ee42d2ad899f33

SHA1
5b4a9e5adc7a8633e851673a35abde1c3ece67a6

SHA256
9eb1255d7601626ac4b96110542bc1b620430eecaad12f75d3eebba0fbd9827f

SHA512
7bf9e031bfa64e46db5de4062200c76ad8646ef45c4096d40b661c625153837b18ca98e4f00135729fd03a56b801f3c6585597dca2c1a34ed8ddab7988dd4b31

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\KKMLib.dll

Filesize
252KB

MD5
e6bf0d7475a311d0f48a3d3dc58b173d

SHA1
76acf2f32519fd5c4802b3fea6f9e2e0fbd8a946

SHA256
bb7869b0eec0c61f084108595546f1d3ab6e516716fa1d60099edf0dd9a37af3

SHA512
425f881b12535084778017d2fc5ceb860e81f1bce5da35fc295945052df228adcceb5bc4523e2e487dc74951113bd99d47ffc4608626ef2b97f9fba9204382aa

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\KKMLib.pdb

Filesize
519KB

MD5
6b2f2f2ce926e2e9770ffce04e89d0c4

SHA1
201477371dac72f474c3b1eb03a15268b4ff77cb

SHA256
f17cc8fafc8a0aac6fca4adf818a8f797412b5407d427072079535f79cad6ee7

SHA512
7aa2b670fefacef55fc7bf92d6d7e63928e76aa4220ca78fa074dcf767bb8fe0b2473156fd4af31d9894c5ee11afc569f9f217c6f386fa29232009a66615b1b6

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\NLog.config

Filesize
887B

MD5
8c6a2547d1f701d2ea2e717d0e232eb8

SHA1
11581190da4311f9174071ad54ad1260e76c008f

SHA256
aa474e0e9be665f2c008cb704086e8f712c349b585208be9e9aa6ece05ac6e60

SHA512
910ad7ff79a765c9d5e8e7f93f07e0b346f3ef9b4487b298e714963d3e6207e38cf3e713031d444ea585f40cd6114d7bfd0ee83a51fc7e63f18fd95b8097b563

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\PilotNtSharp.dll

Filesize
8KB

MD5
050f359cbb074e55d505506b4b35bb7d

SHA1
e80cd3036c045c90548fef5fe1566aa3d8050289

SHA256
c9dae5e8b3150d4d993ced26cfede0c305a5ae6329a3c80f61ffac53185e3b90

SHA512
2a0a2777852eed3ef1d9b0aa5ab6306757491eb6ed3a78b7eb5849aea1ae29cb46e56624f4e456774f1bf6c2f6d3cb160c67938faeee670314a74793fde24f78

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\RabbitMQ.Client.dll

Filesize
273KB

MD5
5477f26fc30271354c594fd156a6c53f

SHA1
e163fec209e3b12df34745f59bbee6f16dc4c0db

SHA256
9c1d6b531e0ee905f5a66e792adc7dead9fc46590ad9d9a8cc955fc9d821c678

SHA512
adf3cf60d120dc74c41c7e3b0da48802c41be0b021a3f44906b4ba52a715f432563f50de7bd11c4b6ee90019f8c7f724f00414403699771c1d3162df703d8299

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\Resources\xml-kz.xml

Filesize
3KB

MD5
3f95090534c18f6094a4033e1033d84c

SHA1
315cf10df06e373791e6b803fe8e7db991754863

SHA256
3fa090a372292775998a53c2cc50035cc1081842090dfeba8a5d43275b62dddc

SHA512
aeef144a94b1a4efdcd91a880e4bf291166514a1108454085b04421d1af88036d89d8b8a2b04bc4c5f9e6642b252389aee985ae79b7263248dbe9b076579a166

Download Submit
\Users\Admin\AppData\Local\Temp\nso22DD.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Roaming\KkmAgent\KKMAgent.exe

Filesize
101KB

MD5
d91a0690e171fb98a798b70e1561a8ec

SHA1
ffeac2eff14fbd5a19736ae3a2323ee82c40a9ca

SHA256
b7b1535f6c7bc044e86090915ecff230e2e661cdb55d8ee5ab23c211b3153ca5

SHA512
4b8b6943582a6d4366fd25d29b4d16934bc306c8ea1642b1a9fc6822e6cefe52e8b7053856775a78aa4217f1c585077022629a2102ea6999227082b5dc89e9a0

Download Submit
\Users\Admin\AppData\Roaming\KkmAgent\Microsoft.Diagnostics.Tracing.EventSource.dll

Filesize
166KB

MD5
ad9250c9725e55e11729256336accd56

SHA1
793fe7f04a7b39aa88ebf77deb9cf896d5136f68

SHA256
f9836c19b55583433141cbc1ae4542e65919abb0753e806b29740a732526b685

SHA512
37f85341324343fc1d783d0c8b850c143985d3e39516154979c9cc4ee1bd3440d0fd6f5c457f5de2653288edf24443f7f63b2447728a1323b31267f1697fa300

Download Submit
\Users\Admin\AppData\Roaming\KkmAgent\NLog.dll

Filesize
831KB

MD5
fdcaf6060e7644dbaa96ecfe59c0eacb

SHA1
a8ed5031b70ac682ea850abee07c4f436259cf88

SHA256
29d3a32476a25817f80d64d64bed42d9e0eafa1adf2687cbb51dca12c27503f3

SHA512
12786f33c5d6f5f06bd513fb04af1d8a6226863d51c89c0e481eabc08f7658bffc008629b10b7a0afa87d81b816ccdf7c61a395276e58034a1855ce9f4e81a8b

Download Submit
memory/2116-119-0x0000000000980000-0x0000000000994000-memory.dmp

Filesize
80KB

Download
memory/2116-150-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-147-0x0000000005540000-0x000000000556C000-memory.dmp

Filesize
176KB

Download
memory/2116-141-0x00000000068F0000-0x00000000069A2000-memory.dmp

Filesize
712KB

Download
memory/2116-154-0x00000000056A0000-0x00000000056BA000-memory.dmp

Filesize
104KB

Download
memory/2116-137-0x0000000004B30000-0x0000000004B7A000-memory.dmp

Filesize
296KB

Download
memory/2116-133-0x0000000004870000-0x0000000004878000-memory.dmp

Filesize
32KB

Download
memory/2116-125-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-123-0x0000000000EE0000-0x0000000000F26000-memory.dmp

Filesize
280KB

Download
memory/2116-113-0x0000000000E00000-0x0000000000ED4000-memory.dmp

Filesize
848KB

Download
memory/2116-109-0x0000000001390000-0x00000000013B0000-memory.dmp

Filesize
128KB

Download
memory/2116-107-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/2116-195-0x0000000008810000-0x000000000887E000-memory.dmp

Filesize
440KB

Download
memory/2116-196-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/2116-197-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-198-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download