21ac9aa18b2a1986a963e11c09e21c0a4c526ed2c3ecbdfe07a43fc81bfac5a9

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 10:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e094a2e1f76453c7a396b852479b6f0N.exe
Size

6KB
MD5

0e094a2e1f76453c7a396b852479b6f0
SHA1

92318e41623aefd2a596324dee6c3b970e6ee784
SHA256

21ac9aa18b2a1986a963e11c09e21c0a4c526ed2c3ecbdfe07a43fc81bfac5a9
SHA512

cca7352dbcb644ce4e92e633ac7dc10474e56e56cc729e63688a4de780b4f09df2e35733ed1eec485d4335a3bca933f48c35661c775cfad592502d5d481f30a8
SSDEEP

96:mBe9TYtOvLGaSBzHdwAnQWRRUF2CqDnWNhHV6NFJqc:mBAYtlBzfQWRRM8g9c

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	0e094a2e1f76453c7a396b852479b6f0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2516	kenis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e094a2e1f76453c7a396b852479b6f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kenis.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 2516	3480	0e094a2e1f76453c7a396b852479b6f0N.exe	86
PID 3480 wrote to memory of 2516	3480	0e094a2e1f76453c7a396b852479b6f0N.exe	86
PID 3480 wrote to memory of 2516	3480	0e094a2e1f76453c7a396b852479b6f0N.exe	86

C:\Users\Admin\AppData\Local\Temp\0e094a2e1f76453c7a396b852479b6f0N.exe
"C:\Users\Admin\AppData\Local\Temp\0e094a2e1f76453c7a396b852479b6f0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\kenis.exe
  "C:\Users\Admin\AppData\Local\Temp\kenis.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kenis.exe

Filesize
6KB

MD5
d484deb83e381a58d2cc229188ff7340

SHA1
cd9636778b2ec9839b8e1c3452d82a67a02d83b8

SHA256
7a5c64178b28996e972d285367e43ce6b3d9f9c5ccd2a5900cbc60898ca4a445

SHA512
fc820e2355dcc5f49419a1402da98ce65d93cb8b27c6c0933e6d128ef04ddc56a456bbd20503c38a42f3e6d89ad28cdb7df953070d062150770f15ae621a6c35

Download Submit