118929fa7bb48dd46b39a24144202096725293c56c310b56420ddf7976567710

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/11/2024, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kirame.Loader/Kirame.Loader.exe
Size

779KB
MD5

341544d48dffd2ea814db70b1ab59868
SHA1

27eb7de97fd9aa568cab1c23483058c7ff78cc70
SHA256

88d9c1fde490e92f60b2ec1a3b31f73358449edc3f4a91702d206204be848fdc
SHA512

26adaea9fdc82e30cdd871bd6fa9e39aeb00f31a99449b1313235724a11fae928ae7602f8d61975a128d658b966cb4c735f5585197b7d23c7d5c82b7e427dc45
SSDEEP

6144:6rxmnlXOdKHVE+1KEVmYVZDbrsVLKxWe/s9qfvowhaAMV3eXgfQULGb3WOaZGwbi:eml1OAUYeKxWe0eJueQffLG7rPWoi89

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
336	YQJDS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
624	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2820	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	Kirame.Loader.exe
Token: SeDebugPrivilege	336	YQJDS.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2376	1924	Kirame.Loader.exe	30
PID 1924 wrote to memory of 2376	1924	Kirame.Loader.exe	30
PID 1924 wrote to memory of 2376	1924	Kirame.Loader.exe	30
PID 2376 wrote to memory of 624	2376	cmd.exe	32
PID 2376 wrote to memory of 624	2376	cmd.exe	32
PID 2376 wrote to memory of 624	2376	cmd.exe	32
PID 2376 wrote to memory of 336	2376	cmd.exe	33
PID 2376 wrote to memory of 336	2376	cmd.exe	33
PID 2376 wrote to memory of 336	2376	cmd.exe	33
PID 336 wrote to memory of 2904	336	YQJDS.exe	34
PID 336 wrote to memory of 2904	336	YQJDS.exe	34
PID 336 wrote to memory of 2904	336	YQJDS.exe	34
PID 2904 wrote to memory of 2820	2904	cmd.exe	36
PID 2904 wrote to memory of 2820	2904	cmd.exe	36
PID 2904 wrote to memory of 2820	2904	cmd.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Kirame.Loader\Kirame.Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Kirame.Loader\Kirame.Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB423.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:624
- - C:\ProgramData\Cheat\YQJDS.exe
    "C:\ProgramData\Cheat\YQJDS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "YQJDS" /tr "C:\ProgramData\Cheat\YQJDS.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "YQJDS" /tr "C:\ProgramData\Cheat\YQJDS.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Cheat\YQJDS.exe

Filesize
779KB

MD5
341544d48dffd2ea814db70b1ab59868

SHA1
27eb7de97fd9aa568cab1c23483058c7ff78cc70

SHA256
88d9c1fde490e92f60b2ec1a3b31f73358449edc3f4a91702d206204be848fdc

SHA512
26adaea9fdc82e30cdd871bd6fa9e39aeb00f31a99449b1313235724a11fae928ae7602f8d61975a128d658b966cb4c735f5585197b7d23c7d5c82b7e427dc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB423.tmp.bat

Filesize
139B

MD5
5c7f76b7e1118966a47a06e4f48e60ab

SHA1
7996e4ccc27350fb01500f1143eb34f63a31aa3d

SHA256
39819faedf04c930268db4db3044ad9d0ee03c1db3cce6438b8e8efb00d34b75

SHA512
5ac79511213359e320fc3c965b13e80e483076f8bd5ab61fd1f36c12b54d4c060575d4e726ab43657b0fb3e90fdaf2b84e419fe4ddaa603c12023d8bad705828

Download Submit
memory/336-17-0x000007FEF4D13000-0x000007FEF4D14000-memory.dmp

Filesize
4KB

Download
memory/336-18-0x0000000001100000-0x00000000011CA000-memory.dmp

Filesize
808KB

Download
memory/336-19-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp

Filesize
9.9MB

Download
memory/336-22-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-0-0x000007FEF5703000-0x000007FEF5704000-memory.dmp

Filesize
4KB

Download
memory/1924-1-0x0000000000CA0000-0x0000000000D6A000-memory.dmp

Filesize
808KB

Download
memory/1924-9-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-13-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads