Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

kok.exe

windows7-x64

7

kok.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    kok.exe

  • Size

    37.6MB

  • Sample

    240810-zpwjha1hpg

  • MD5

    d3256eb5c7eecb0bb52fbf0ff48456ed

  • SHA1

    e65e7682a5cc1964b6c6934826b992ca52755c0b

  • SHA256

    e760bf30eaf149235f2709475d5bf3251b97fbd363c5b03a4041a7373a004f9f

  • SHA512

    69e53693b3d60a42c5bf48186f03fe9c9c52523dcec38d6319f2cc6b54138aa81c07500ac5ab9779f7ff64446571bda86ca2c4daaa13832051affa5ea2f46016

  • SSDEEP

    786432:M8j+F5XKXAq3xtR5ejbJGO0NT+AtO2wYOBAh2DYthBxgU3mN2joU4LCV8K:DjSdKDxtR5lO0J+AtwsQqgUCI8K

Score
10/10
discoveryevasionexecutionpersistenceransomwaretrojan

Malware Config

Targets

    • Target

      kok.exe

    • Size

      37.6MB

    • MD5

      d3256eb5c7eecb0bb52fbf0ff48456ed

    • SHA1

      e65e7682a5cc1964b6c6934826b992ca52755c0b

    • SHA256

      e760bf30eaf149235f2709475d5bf3251b97fbd363c5b03a4041a7373a004f9f

    • SHA512

      69e53693b3d60a42c5bf48186f03fe9c9c52523dcec38d6319f2cc6b54138aa81c07500ac5ab9779f7ff64446571bda86ca2c4daaa13832051affa5ea2f46016

    • SSDEEP

      786432:M8j+F5XKXAq3xtR5ejbJGO0NT+AtO2wYOBAh2DYthBxgU3mN2joU4LCV8K:DjSdKDxtR5lO0J+AtwsQqgUCI8K

    Score
    10/10
    discoveryevasionexecutionpersistenceransomwaretrojan

    • Disables service(s)

      evasionexecution

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Power Settings

1
T1653

Privilege Escalation

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Service Stop

2
T1489

Tasks