13d56a267f37b4734bb426e5c1a58da371087680c4044530f931d10859ac6c68

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 21:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

98cbfe6dde97c5c3ac7bba78d28f0bc0N.exe
Size

41KB
MD5

98cbfe6dde97c5c3ac7bba78d28f0bc0
SHA1

9284c14fd03075d39caefcc7c90da173712ec0ea
SHA256

13d56a267f37b4734bb426e5c1a58da371087680c4044530f931d10859ac6c68
SHA512

a6fd1bacb86a945760a7c51dfcec9792103ca9aacfa6200f6971b18ea7b84e2e3e193b88ec049950719ef1ac6f8a02fd71361c7321732016e06001fa74d94385
SSDEEP

768:G26uYRQRSm8/mjHgetHHz5fl2MOF3h1R8kL:GVrRLveLgqnv2MYzR1L

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1812	kenis.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	98cbfe6dde97c5c3ac7bba78d28f0bc0N.exe
2504	98cbfe6dde97c5c3ac7bba78d28f0bc0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98cbfe6dde97c5c3ac7bba78d28f0bc0N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2504	98cbfe6dde97c5c3ac7bba78d28f0bc0N.exe
1812	kenis.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1812	2504	98cbfe6dde97c5c3ac7bba78d28f0bc0N.exe	30
PID 2504 wrote to memory of 1812	2504	98cbfe6dde97c5c3ac7bba78d28f0bc0N.exe	30
PID 2504 wrote to memory of 1812	2504	98cbfe6dde97c5c3ac7bba78d28f0bc0N.exe	30
PID 2504 wrote to memory of 1812	2504	98cbfe6dde97c5c3ac7bba78d28f0bc0N.exe	30

C:\Users\Admin\AppData\Local\Temp\98cbfe6dde97c5c3ac7bba78d28f0bc0N.exe
"C:\Users\Admin\AppData\Local\Temp\98cbfe6dde97c5c3ac7bba78d28f0bc0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\kenis.exe
  "C:\Users\Admin\AppData\Local\Temp\kenis.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\kenis.exe

Filesize
41KB

MD5
cc6b9c7220ddd856b569a59004f012c4

SHA1
ff795c8ada785d77f859c76350da3130babc2aac

SHA256
c2983771c798cd872e6c215dfde061759b8b2282ae9936ad88967dc8f466d131

SHA512
7e92bb4816568df7cc57d86e7f8502a6145654cc6a357068144d695d955dce11fb0f55a246ced30404e879a87d666ff0dd15351e607121536f0ce435cc6d916d

Download Submit
memory/1812-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-0-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2504-1-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/2504-7-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download