Analysis
-
max time kernel
133s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
-
submitted
04-10-2024 07:55
General
-
Target
kuaiVPN.exe
-
Size
74.2MB
-
MD5
573927587a7168c33cf31984889017af
-
SHA1
242f99d7c496bd3a27a0ce1e2e02384d7b101372
-
SHA256
5fd024a9cb3e159863e82b6044cd0f2f539ca459d82445ba0e685a0400ee18e2
-
SHA512
3db41728cc31690be50a8d0132345c6f4778c206d27f4b5cdc73d4913633d483523a3df998223040c1d55c40f54aa1bfd4736f8895d50d34ac4567ebcb378f42
-
SSDEEP
1572864:S444444jUyRLelUyRLelUyRLelUyRLelUyRLelUyRLeTtOgjtOgjtOgjtOge4447:+t9jt9jt9jt9I+jkfA
Malware Config
Signatures
-
UAC bypass 3 TTPs 3 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 19 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 46 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\kuaiVPN.exe"C:\Users\Admin\AppData\Local\Temp\kuaiVPN.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5818402 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\kuaiVPN.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-2629364133-3182087385-364449604-1000"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\kuai\Kuai\tdata\emoji\kll.exe"C:\Program Files\kuai\Kuai\tdata\emoji\kll.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /all4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ipconfig.exeipconfig /all5⤵
- Gathers network information
-
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" -f C:\ProgramData\RVq92.xml4⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\679r8.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F5⤵
- UAC bypass
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F5⤵
- UAC bypass
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F5⤵
- UAC bypass
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\h0K9o\ahKSo~16\s+C:\ProgramData\h0K9o\ahKSo~16\a C:\ProgramData\h0K9o\ahKSo~16\skin.dll4⤵
-
-
-
-
C:\Windows\system32\mmc.exeC:\Windows\system32\mmc.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\h0K9o\ahKSo~16\TestLogin.exe"C:\ProgramData\h0K9o\ahKSo~16\TestLogin.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /all3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all4⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
-
-
-
C:\Windows\system32\mmc.exeC:\Windows\system32\mmc.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\letsvpn-latest.exe"C:\ProgramData\letsvpn-latest.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.6MB
MD525fb525f7ada715c43acb7818466765f
SHA14133f43bce0b44547ecd1bece2097e72bbb35896
SHA25641f913678421575a6920a3ecc5f0daa80e1af701d96025aa9e5991ae3a173589
SHA512565b13a73a87124c11eef1bfb85b2cdc193fb420b76fd6c25f8dd5fa0e2a2e2d8b0cbe20384608363a264db744df4bd2b6f37e855100dffb38e98e20550983b9
-
Filesize
9.0MB
MD5be5628882d28ba1bdb9850dc4b7e7fa1
SHA16d37839c4b8ded05c0e8108696e1b794de59a2a8
SHA256def949e97a2a2d2e504f7c85a27a6f2fd44d3a898357398f4aaa7eb033dfb287
SHA51216037fd6ee2bb26e1014e9e69a2ee5d7290ebe5021ed1eedaa5908b73c39cc2ba6f66c553be9a39163b8831e8f519b10009e71fb94ce392c7229541192aa1c39
-
Filesize
2.7MB
MD58fbd870cf20e82ee18d852a8c5269dc3
SHA15e5f9def92fd488c262b307c474021309380fdd2
SHA2563236064ff8d342fff5d7635e42aac482c3a4736ba6609ede9be9d537e00c3d97
SHA5127e7a5422eb554a02da46f6275e20ad8119f17702c0e77a56ea4992c7e787bca93a7943573e00830ec9a6acec00dbcffedc0c16a2779e543a4267096b97b0abbe
-
Filesize
28.3MB
MD50019f0bc62b41bdc540a5349c71ecc33
SHA1b71674dfbd9b84f3c21c9937e0936f08a2fe70f3
SHA256cc88b5fd4515277dbda23a678905983aa32f6424b7676745fc1510a43ce1d104
SHA512ec9feee666b74d8ef2617f402e397355601901fd821318caf1168dbca442764bb689e3aaf5a134a4384c93f8604978b20d3ae8e2ab38bfe8d6ff4174c5eb834c
-
Filesize
1.0MB
MD5f35a584e947a5b401feb0fe01db4a0d7
SHA1664dc99e78261a43d876311931694b6ef87cc8b9
SHA2564da5efdc46d126b45daeee8bc69c0ba2aa243589046b7dfd12a7e21b9bee6a32
SHA512b1ced222c3b7e63e22d093c8aa3467f5ea20312fe76a112baed7c63d238bbe8dee94dfe8f42474f7b1de7aa7acb8ba8e2b36fdd0a3cda83ee85ac9a34f859fa4
-
Filesize
340KB
MD586f1895ae8c5e8b17d99ece768a70732
SHA1d5502a1d00787d68f548ddeebbde1eca5e2b38ca
SHA2568094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe
SHA5123b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da
-
Filesize
204KB
MD5f8bf561bb2bbe3ab67f8fd0cf8bb76ef
SHA11d42f632527530595406a8d5edc876919fc14f4d
SHA2562ea38a7420e6f7eab5c3ae4a1330d4449c074e3f6d59e17764295b1f50970c4e
SHA51265d8b644afabf9f85a92c3fc44ad4e07358ac5793907ff621e5763b1eddbd87f9a8bfae546a8b77364b1c767cbd867ed58c970fa94505dd2ac1bfb97db4efb59
-
Filesize
156KB
MD5487cb11fc73357a51b1894eb7ca69fe6
SHA164bec0d339908d4a76366fb66f50f3754936605d
SHA2567ae6bae8c58df395f117934c1a5551ad0b8334ffdf9dd4bcc310fdd7be06e6a4
SHA5123f6c08e10936a3e2d468922ca3eba747221384368cac985867913256f45bacfc9a7a8f4c50cbc299852b83141829ee64f93f23dc4a6e97175a646ffaa3562ad1
-
Filesize
32KB
MD5ab5b02893b9c8711955506c2683640c5
SHA17db5e1b364abbe7b4bd31b178f8c982e4dfd700c
SHA256efcf26a91ab3b1943d4da8149d501f10e21fb6ba4e3b1d2363a92a5e9673095b
SHA512f90f469bba812c52cc96188ea66c9591222ea7b6b3e50347620c3a67476ad4ff504496257dc0215009231434ac0e9708dd0ffa6c8ae6659662d6decb75d12fcc
-
Filesize
993KB
MD5fe320337e9a528a256628eb24094d1ed
SHA15da17fff7b905e9bc82c7d062f689632af2e4d4a
SHA256d73553bafec4db637e1266ce83e69b4058fd3c1f9376fd042b7bdb64ee895364
SHA512cb1bbeb56718b79eb827c7233c9892427965dec063fd546860f0415c48c4b53909307dceea4e4229cdf87700f9e24d4a47f076e699bc934edb69a35a8a22351c
-
Filesize
184KB
MD5bd7d8e6e1ae79d65141e35addec9eb1b
SHA1d8d2aef2452d915198ea204aba07ade4ec6d8aa1
SHA256b6b8f1c27d076450d62a14003065df52555ba1a8f813ae699d1e8724b1b25916
SHA512ba60917ff1d9470bc9c1e541b567105d345a513afaa7edbedbc8d5fedb92290ced91e1dc8a41ce0b3ac10ec6dd892364ddaf2a7957e308de05a9918493ae7b4b
-
Filesize
144KB
MD5934e2973f8ecf20f8a7b6d890f35e260
SHA1e77fe2c2501190aacfebf145f01fe48c377b915b
SHA256567a7c3a50eb682332e5b715334ba270d34dee3af192e8d207fbcef671f801f2
SHA51276a6a2a7374333b26c47de2a551ecf86f524909ee0d171feef6b0c463dd4eb6e2af5fa207db490d7f99fedde04a6f07f491b97aae31c1a37f0631b440f2f783c
-
Filesize
488KB
MD5561fa2abb31dfa8fab762145f81667c2
SHA1c8ccb04eedac821a13fae314a2435192860c72b8
SHA256df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b
SHA5127d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43
-
Filesize
993KB
MD51fa7977aeb4e91fe3d4edaf251370c76
SHA147c278b2582b273f03efa9d2f405b959086169d5
SHA256498265ee963061ec8e5f96251beed1f3dc194ac92b70f1cdb588da9245debc06
SHA512a9eed9851f8ad5fde32ee46747f6e019d3602166a3f03b6bb4ceb20d3ec4db185a6e3c8afbd983d9a5d8e7e446b2afa7476bc8462df6e5d79878846271f3ba55
-
Filesize
44KB
MD53fdfb7a44b4cf669c0f409161a773291
SHA1ca2d7a7418665b5c7b78632afdc76d33ea2c8076
SHA25641cb973cce8d0b368edf5e5b0e98960a8ac9477de9beb41565ef5745366d4950
SHA5129859102cf685bb1f627bd2ffc98035960670d7718f778054b41b3a19974902bbebe5097010aea375322fc2b0d4021e2cf6544bf36ed972ef69c64e2ff750a252
-
Filesize
1.9MB
MD502a36631b81048355332009430b4aafe
SHA1f783d7da829ca301cbe00f3e132cd0c0651d1f91
SHA2567be2b72bed5bda14206ba5daf91e2a4a3a74bbe0637234f75356820eb2fbd3d7
SHA512e2f6f863f2e058e70e92694e51193cef0dee527aa076965d96abb8891ae5a9b3c70d2511b80ad754011062b80bd70af6a6d6daedccab61f91c827d7691742fd9
-
Filesize
332KB
MD5564f5ee5711556d672fe33467905ac96
SHA19d74adc087fd6a7c7b4c88dfd4bf64f2cd47b026
SHA256d5fa77e0bddb58145b302391c9e12c7337481711e5e44d825028f339aaf9c1ef
SHA512851a73af8c6fff5a3793d5a00f4a37d5d82b840753eb827d0eee8b2fea3b61a1b6a5c6f38b77bd96bdad4ccfeaaf0cf5a0f97e6eb4e871e62362631138114be4
-
Filesize
168KB
MD5e42c71451ed32f88764a745b19240fc6
SHA11177a66fe177d976ee2e96fd7a3c26b791b2b82e
SHA2560413797f8b7dc194dab53685f5fe9f27a53842d4272db6807d8b3f89c514591f
SHA512eb4704c25651e41e0bf9b293fc45d944b61a7d62dc643545e10eacfd174ac68e316fd56c149dd01f8cf25fb30629a9c2692994553d17b6f5d57dd269fba6ffa0
-
Filesize
14.5MB
MD594f6bd702b7a2e17c45d16eaf7da0d64
SHA145f8c05851bcf16416e087253ce962b320e9db8a
SHA25607f44325eab13b01d536a42e90a0247c6efecf23ccd4586309828aa814f5c776
SHA5127ffc5183d3f1fb23e38c60d55724ab9e9e1e3832c9fb09296f0635f78d81477c6894c00a28e63096fa395e1c11cbeaa1f77f910f9ff9c1f1ecf0b857aa671b3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
203KB
MD531ed5c4791ae9d537e7310a268e174e1
SHA115ac90cb62deeb2cb0a3591e3524be5c4d56bae9
SHA2567ebb1645a2a7ef8002a1f2e27b87c9935ae2a606e51355e857f8a580f07d593c
SHA512446af7f8499f45c482e69dd20df73464d0235987ab8d79050276cf9782ffecca95eb51f176691f40827369b7332af42e71985c5597a6cea10d5e6397f2035adc
-
Filesize
203KB
MD55f4611602d0ce0a3f95a575006cb7a28
SHA1f2e54b59290e41c2722b72ae87e388f056324636
SHA25695a396e5e398873cd2310c4c1ec4272689ad74f348e8cfa2cd03e256d737c1a8
SHA512268778a786e5b06ca216ea5d98f7f6b047dcb38ab31bc575a6bee2c2534513fd4f0c5e921d6739a09bf3e87f791fc834696afb82b42ef932b31bf8c78bd5b8ae
-
Filesize
198KB
MD57da041a0f466005b30b06b92ccad3324
SHA1cd04c382777df86186a30a216b9c8fe10e0ef4e4
SHA2564434e648280343b693c5b115b69ecded72ca95ceae6d35f8982817fe742ab6be
SHA5120280a297b3ec594db40fd1c99d876f90a889042940ddc2debc84ae853bb20e1d44beb23b0884d11a90dfe8cfe676aadbd65ffd14200bd5569a75b96036b00b32
-
Filesize
4.9MB
MD5b0a1f1e0a106e1a62753c8a07fb3809b
SHA1b4bab82aa173a401a2f16f8b4ad91105a895b2d9
SHA256f7e07f7936269756bb73e91c8b280c2ab8532fb5bf15085d96eaebc7a05a8950
SHA512ffc97976471e26e938e0389b33c0143b4a55653f90ee35f8220663b2a78fc48a106a204dd25c990817a57f3670d41fd1361cbdbc3bc4894ded882b356649c083
-
Filesize
350KB
MD5c916c7815286c5233a49deac81f8543e
SHA1cb964c3c8eae8e7ce170f3ad3a55993f7a1918db
SHA2563d07466b8f5c18afc70c6a9746d43fa7daa39c9bd41e8bfb928c70e7d7458bf4
SHA5120d65283c41c30ee688bf02ec3eec7f6b17a750efc18fa6a66f26c7c6ef8bae860d270b31017f096d8d254c2769be2b7ed64d6b3dc659d1b57d466388271e2c78
-
Filesize
11KB
MD575ed96254fbf894e42058062b4b4f0d1
SHA1996503f1383b49021eb3427bc28d13b5bbd11977
SHA256a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA51258174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
-
Filesize
9KB
MD5ca95c9da8cef7062813b989ab9486201
SHA1c555af25df3de51aa18d487d47408d5245dba2d1
SHA256feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be
SHA512a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9
-
Filesize
6KB
MD53d366250fcf8b755fce575c75f8c79e4
SHA12ebac7df78154738d41aac8e27d7a0e482845c57
SHA2568bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6
SHA51267d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094
-
Filesize
392B
MD530d6eb22d6aeec10347239b17b023bf4
SHA1e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1
SHA256659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08
SHA512500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
6.2MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
168KB
-
Filesize
48KB
-
Filesize
184KB
-
Filesize
332KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
