118929fa7bb48dd46b39a24144202096725293c56c310b56420ddf7976567710

Analysis

max time kernel
135s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kirame.Loader/Kirame.Loader.exe
Size

779KB
MD5

341544d48dffd2ea814db70b1ab59868
SHA1

27eb7de97fd9aa568cab1c23483058c7ff78cc70
SHA256

88d9c1fde490e92f60b2ec1a3b31f73358449edc3f4a91702d206204be848fdc
SHA512

26adaea9fdc82e30cdd871bd6fa9e39aeb00f31a99449b1313235724a11fae928ae7602f8d61975a128d658b966cb4c735f5585197b7d23c7d5c82b7e427dc45
SSDEEP

6144:6rxmnlXOdKHVE+1KEVmYVZDbrsVLKxWe/s9qfvowhaAMV3eXgfQULGb3WOaZGwbi:eml1OAUYeKxWe0eJueQffLG7rPWoi89

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	YQJDS.exe

Executes dropped EXE 1 IoCs

pid	Process
3384	YQJDS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4288	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1100	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	Kirame.Loader.exe
Token: SeDebugPrivilege	3384	YQJDS.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 3668	2088	Kirame.Loader.exe	85
PID 2088 wrote to memory of 3668	2088	Kirame.Loader.exe	85
PID 3668 wrote to memory of 4288	3668	cmd.exe	87
PID 3668 wrote to memory of 4288	3668	cmd.exe	87
PID 3668 wrote to memory of 3384	3668	cmd.exe	93
PID 3668 wrote to memory of 3384	3668	cmd.exe	93
PID 3384 wrote to memory of 2984	3384	YQJDS.exe	95
PID 3384 wrote to memory of 2984	3384	YQJDS.exe	95
PID 2984 wrote to memory of 1100	2984	cmd.exe	97
PID 2984 wrote to memory of 1100	2984	cmd.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Kirame.Loader\Kirame.Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Kirame.Loader\Kirame.Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA1FD.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4288
- - C:\ProgramData\Cheat\YQJDS.exe
    "C:\ProgramData\Cheat\YQJDS.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "YQJDS" /tr "C:\ProgramData\Cheat\YQJDS.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "YQJDS" /tr "C:\ProgramData\Cheat\YQJDS.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Cheat\YQJDS.exe

Filesize
779KB

MD5
341544d48dffd2ea814db70b1ab59868

SHA1
27eb7de97fd9aa568cab1c23483058c7ff78cc70

SHA256
88d9c1fde490e92f60b2ec1a3b31f73358449edc3f4a91702d206204be848fdc

SHA512
26adaea9fdc82e30cdd871bd6fa9e39aeb00f31a99449b1313235724a11fae928ae7602f8d61975a128d658b966cb4c735f5585197b7d23c7d5c82b7e427dc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA1FD.tmp.bat

Filesize
139B

MD5
92ed03d297064b93a9014be200f29dba

SHA1
83394aa3556046898f1ba2276bff51948ef318a3

SHA256
af96a2f55b7d22f19531a958f0c0b80bc0038aa816923a57b3b661b55cf93fc6

SHA512
c69d065512df1802718a240dbff56d6b75d8e6e3e1fc634c0575ea9a32fa2afb9940226856207e6c06f28dd4ef4c7368aaab76985603fa18144709bcf1c3e156

Download Submit
memory/2088-0-0x00007FFE59593000-0x00007FFE59595000-memory.dmp

Filesize
8KB

Download
memory/2088-1-0x00000000008A0000-0x000000000096A000-memory.dmp

Filesize
808KB

Download
memory/2088-2-0x00007FFE59590000-0x00007FFE5A051000-memory.dmp

Filesize
10.8MB

Download
memory/2088-8-0x00007FFE59590000-0x00007FFE5A051000-memory.dmp

Filesize
10.8MB

Download
memory/3384-13-0x00007FFE57E83000-0x00007FFE57E85000-memory.dmp

Filesize
8KB

Download
memory/3384-14-0x00007FFE57E80000-0x00007FFE58941000-memory.dmp

Filesize
10.8MB

Download
memory/3384-18-0x00007FFE57E80000-0x00007FFE58941000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads