Analysis

  • max time kernel
    81s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-08-2024 05:29

General

  • Target

    41521fd54fe2b33bb7e5fa73c170c660N.exe

  • Size

    94KB

  • MD5

    41521fd54fe2b33bb7e5fa73c170c660

  • SHA1

    fccb2857d49437eec068f86c6ee60e260c3de2c6

  • SHA256

    56fd07483550ff364725fa4d1d704e0d0d46e21a3ca8b3744d5ce0e2f5638e4e

  • SHA512

    4f70e625008b04150655ffe35a77e16fc6da12547a298a86ecd6dcd990896071b319faa001acfb63fd19e367ccb378ce3f5027505d9923a46b93f7bb5f04c142

  • SSDEEP

    1536:FQ2lT0Q4OgsMMraZ/cc55k/rUhzCpn2LoS5DUHRbPa9b6i+sImo71+jqx:FrOOUdZ1DkohzKMoS5DSCopsIm81+jqx

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41521fd54fe2b33bb7e5fa73c170c660N.exe
    "C:\Users\Admin\AppData\Local\Temp\41521fd54fe2b33bb7e5fa73c170c660N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Windows\SysWOW64\Kjihalag.exe
      C:\Windows\system32\Kjihalag.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\SysWOW64\Klhemhpk.exe
        C:\Windows\system32\Klhemhpk.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 140
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2488

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Klhemhpk.exe

    Filesize

    94KB

    MD5

    04ec22301be6616191683c1702ecc32a

    SHA1

    0d1d94c8aec9ea40c0efafb4f11fb6fff502bcd9

    SHA256

    99e528e9bb1c0e9d794698e2420e382d49eeac03a4f460c00bf649c6641688fa

    SHA512

    e9d96b321f55d42b4c425365cf52944017fa07263c76969ec874239349363f73384398ffa03a229ca651e5d4acda4d65bf673b9d7dd1e906e1a390f8cbe5ef4f

  • \Windows\SysWOW64\Kjihalag.exe

    Filesize

    94KB

    MD5

    6ff584c5942b568dfb366506f7db91cc

    SHA1

    5b83f3fb81bb0b6a1dd8f8de3d5edda2ef4b1a9b

    SHA256

    b96514b9f230c696ff3c788bf061c9dc667e4ca5da43e1ded1c04d9518e566ab

    SHA512

    f55b1670c06d8a1df40b2ea5b3e51503d9829ea45911594eff9b9100db7c9aac442e4bacee3471c49c68d40da1f2a8e3e81b4aeb4562d430debb336306347293

  • memory/1696-32-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/1800-19-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/1800-21-0x0000000000260000-0x000000000029E000-memory.dmp

    Filesize

    248KB

  • memory/3060-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3060-17-0x00000000002D0000-0x000000000030E000-memory.dmp

    Filesize

    248KB

  • memory/3060-31-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB