e760bf30eaf149235f2709475d5bf3251b97fbd363c5b03a4041a7373a004f9f

Analysis

max time kernel
152s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kok.exe
Size

37.6MB
MD5

d3256eb5c7eecb0bb52fbf0ff48456ed
SHA1

e65e7682a5cc1964b6c6934826b992ca52755c0b
SHA256

e760bf30eaf149235f2709475d5bf3251b97fbd363c5b03a4041a7373a004f9f
SHA512

69e53693b3d60a42c5bf48186f03fe9c9c52523dcec38d6319f2cc6b54138aa81c07500ac5ab9779f7ff64446571bda86ca2c4daaa13832051affa5ea2f46016
SSDEEP

786432:M8j+F5XKXAq3xtR5ejbJGO0NT+AtO2wYOBAh2DYthBxgU3mN2joU4LCV8K:DjSdKDxtR5lO0J+AtwsQqgUCI8K

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2600	kok.tmp

Loads dropped DLL 1 IoCs

pid	Process
1752	kok.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kok.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2600	1752	kok.exe	30
PID 1752 wrote to memory of 2600	1752	kok.exe	30
PID 1752 wrote to memory of 2600	1752	kok.exe	30
PID 1752 wrote to memory of 2600	1752	kok.exe	30
PID 1752 wrote to memory of 2600	1752	kok.exe	30
PID 1752 wrote to memory of 2600	1752	kok.exe	30
PID 1752 wrote to memory of 2600	1752	kok.exe	30

C:\Users\Admin\AppData\Local\Temp\kok.exe
"C:\Users\Admin\AppData\Local\Temp\kok.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\is-S5QGT.tmp\kok.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S5QGT.tmp\kok.tmp" /SL5="$60150,38426029,797184,C:\Users\Admin\AppData\Local\Temp\kok.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-S5QGT.tmp\kok.tmp

Filesize
3.1MB

MD5
541784bf0485ef25907b525f71e70e45

SHA1
2bdba2f302cf368dbca01d51d216655a63019e7b

SHA256
2b7c3ef1f2786ed89b69eaa9a0e14f38d88914e588faeb17e161eeaf9f76e1b5

SHA512
b4c256aaa7ee0ab6617abae58fa4d606c8a5044d863c807cc232fa4c514178af3343c7bd3fb18dde215908f4e15a1bd6520d3a7fc621884cfe31b10d530de683

Download Submit
memory/1752-0-0x0000000001100000-0x00000000011D1000-memory.dmp

Filesize
836KB

Download
memory/1752-2-0x0000000001101000-0x00000000011A9000-memory.dmp

Filesize
672KB

Download
memory/1752-10-0x0000000001100000-0x00000000011D1000-memory.dmp

Filesize
836KB

Download
memory/2600-9-0x0000000000F10000-0x0000000001240000-memory.dmp

Filesize
3.2MB

Download
memory/2600-11-0x0000000000F10000-0x0000000001240000-memory.dmp

Filesize
3.2MB

Download