b4bb497039f2c1ca8c7eaf592bf32566b8fbb2f657f23555bb14c4d24db3c622

Resubmissions

09/08/2024, 21:36

240809-1f9kfatgrg 6

09/08/2024, 21:26

240809-1an2jstend 8

Analysis

max time kernel
136s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KASU PACK V.3/Disable Telematry/WPD.exe
Size

576KB
MD5

65325f636ac238568a21f389387f0299
SHA1

acf8022648f3eab3b6da50e0f90301eefe64a3f7
SHA256

c21e9de5b28de8edfb6b2264b33846e842f7954ad70fa07b3c652feb5f0a09d7
SHA512

9580e5f040f7adb0cfd5dc8749ddc501c97c849fd7bde4b2d66af6beb5d4a2505546b053723d53009ece3014ee87723bbc23729e43c6aec0698ff514c2ac33a2
SSDEEP

6144:TRQucww8JJQLbRYX3XJ7Sjt52vljOwsxVDC5Mq7Zj2R7beOW2wmIyWk5QoBN6Z61:1cwoQkl2JI

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	WPD.exe
File opened for modification	C:\Windows\System32\GroupPolicy	WPD.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "0"	WPD.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5016	WPD.exe
5016	WPD.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5016	WPD.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\KASU PACK V.3\Disable Telematry\WPD.exe
"C:\Users\Admin\AppData\Local\Temp\KASU PACK V.3\Disable Telematry\WPD.exe"
1⤵
- Drops file in System32 directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5016-0-0x00007FFFC50A3000-0x00007FFFC50A5000-memory.dmp

Filesize
8KB

Download
memory/5016-1-0x000002BF752F0000-0x000002BF75384000-memory.dmp

Filesize
592KB

Download
memory/5016-2-0x00007FFFC50A0000-0x00007FFFC5B61000-memory.dmp

Filesize
10.8MB

Download
memory/5016-5-0x00007FFFC50A0000-0x00007FFFC5B61000-memory.dmp

Filesize
10.8MB

Download
memory/5016-8-0x00007FFFC50A0000-0x00007FFFC5B61000-memory.dmp

Filesize
10.8MB

Download
memory/5016-7-0x000002BF7BD30000-0x000002BF7BD38000-memory.dmp

Filesize
32KB

Download
memory/5016-6-0x000002BF7BD20000-0x000002BF7BD28000-memory.dmp

Filesize
32KB

Download
memory/5016-9-0x00007FFFC50A0000-0x00007FFFC5B61000-memory.dmp

Filesize
10.8MB

Download
memory/5016-11-0x000002BF7BD80000-0x000002BF7BD8E000-memory.dmp

Filesize
56KB

Download
memory/5016-10-0x000002BF7BDB0000-0x000002BF7BDE8000-memory.dmp

Filesize
224KB

Download
memory/5016-12-0x000002BF780E0000-0x000002BF780F2000-memory.dmp

Filesize
72KB

Download
memory/5016-13-0x00007FFFC50A0000-0x00007FFFC5B61000-memory.dmp

Filesize
10.8MB

Download