Resubmissions
04-11-2024 03:20  241104-dv3zwasdnf  8
04-11-2024 03:16  241104-dsxp3svmeq  8
03-11-2024 23:56  241103-3zhxya1jer  3

Analysis
max time kernel: 51s
max time network: 53s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04-11-2024 03:16
Static task: static1
Behavioral task: behavioral1
  Sample: Kawaii.exe
  Resource: win11-20241007-en
Behavioral task: behavioral2
  Sample: Kawaii.exe
  Resource: win7-20240708-en
Errors
General
Target: Kawaii.exe
Size: 5.3MB
MD5: d9dabab21dc0ae729cd41a81850e8593
SHA1: afca150f0964df9bf4c9336465ed0ff3c7ed4900
SHA256: 14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6
SHA512: 0caf4e854dd4458f8a2d730fe56d6a4c19cf1af5eb7e4b3534b34fd6758be15fbe320c4f823bd53d22d983a0f2fc14e4a8662d7d6c223e823ffa6423f617c5a3
SSDEEP: 98304:X3u3YBR2ycevqJZUfYLceHQIJ/xvSBIcevqJZUfYLcN3HQIJ/xvf2:nvcLrvLcqQIJjcLrvLc5QIJ
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. The single hit below is explorer.exe creating the parent Installed Components key under the user hive during shell start-up; no component subkey is written and Kawaii.exe is not the process involved, so on its own this does not show the sample persisting through Active Setup.
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Drops file in Drivers directory (1 IoC)
Processes: Kawaii.exe
description | ioc | process
File created | C:\Windows\System32\drivers\Kawaii.exe | Kawaii.exe
Possible privilege escalation attempt (6 IoCs)
The six processes are the three takeown/icacls pairs spawned from cmd.exe (see the process tree below); the targets are gpedit.msc, mmc.exe and taskkill.exe in System32. Taking ownership and granting the current user full control removes the TrustedInstaller protection on those files, which is what would be needed to overwrite or delete them, although the report records no such write.
Processes: takeown.exe, icacls.exe
pid | process
2308 | takeown.exe
4460 | icacls.exe
476 | takeown.exe
4888 | icacls.exe
2052 | takeown.exe
792 | icacls.exe
-
Modifies file permissions (1 TTP, 6 IoCs)
Processes: takeown.exe, icacls.exe
pid | process
2308 | takeown.exe
4460 | icacls.exe
476 | takeown.exe
4888 | icacls.exe
2052 | takeown.exe
792 | icacls.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: explorer.exe
description | ioc | process
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
Drops file in System32 directory (11 IoCs)
Processes: Kawaii.exe
description | ioc | process
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\gemido.wav | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\icon.ico | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo1.jpg | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo2.jpg | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\control.reg | Kawaii.exe
File created | C:\Windows\System32\Kawaii.exe | Kawaii.exe
File created | C:\Windows\System32\Win32\Windows\Kawaii\Temp\WindowsActual.txt | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\flower_blue.ani | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo.jpg | Kawaii.exe
File created | C:\Windows\System32\Win32\Windows\Kawaii\Temp\Kawaii.exe | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\Kawaii.exe | Kawaii.exe
Drops file in Program Files directory (1 IoC)
Processes: Kawaii.exe
description | ioc | process
File created | C:\Program Files\Win32\Temp\Kawaii.exe | Kawaii.exe
-
Drops file in Windows directory (1 IoC)
Processes: Kawaii.exe
description | ioc | process
File created | C:\Windows\Kawaii.exe | Kawaii.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) (3 TTPs, 36 IoCs)
SCSI information is often read in order to detect sandboxing environments. All 36 hits below come from explorer.exe opening device property keys and querying FriendlyName values, which the shell does to label drives; none are attributed to Kawaii.exe, so this signature should not be read as evidence of sandbox evasion by the sample.
Processes: explorer.exe
All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (prefix omitted below).
description | ioc | process
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | explorer.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | explorer.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: SearchHost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchHost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchHost.exe
-
Modifies Internet Explorer settings (5 IoCs)
Processes: explorer.exe, SearchHost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | explorer.exe
Modifies registry class (14 IoCs)
Processes: explorer.exe, SearchHost.exe, StartMenuExperienceHost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache | SearchHost.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4249425805-3408538557-1766626484-1000\{2EA6D3DD-2292-4CF0-9ACB-276B928B2F98} | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | SearchHost.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | SearchHost.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache | StartMenuExperienceHost.exe
Runs .reg file with regedit (1 IoC)
Processes: regedit.exe
pid | process
3032 | regedit.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Kawaii.exe
pid | process
3900 | Kawaii.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Processes: Kawaii.exe, takeown.exe, AUDIODG.EXE, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 3900 | Kawaii.exe
Token: SeTakeOwnershipPrivilege | 476 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2052 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2308 | takeown.exe
Token: 33 | 3876 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3876 | AUDIODG.EXE
Token: SeShutdownPrivilege | 556 | explorer.exe (11 entries, alternating with the next)
Token: SeCreatePagefilePrivilege | 556 | explorer.exe (11 entries)
Suspicious use of FindShellTrayWindow (11 IoCs)
Processes: Kawaii.exe, explorer.exe
pid | process
3900 | Kawaii.exe (3 entries)
556 | explorer.exe (8 entries)
-
Suspicious use of SendNotifyMessage (15 IoCs)
Processes: Kawaii.exe, explorer.exe
pid | process
3900 | Kawaii.exe (3 entries)
556 | explorer.exe (12 entries)
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: explorer.exe, SearchHost.exe, StartMenuExperienceHost.exe
pid | process
556 | explorer.exe
3496 | SearchHost.exe
420 | StartMenuExperienceHost.exe
Suspicious use of WriteProcessMemory (22 IoCs)
Processes: Kawaii.exe, cmd.exe
Each parent/child pair below was recorded twice.
description | pid | process | target process
PID 3900 wrote to memory of 3164 | 3900 | Kawaii.exe | cmd.exe
PID 3164 wrote to memory of 476 | 3164 | cmd.exe | takeown.exe
PID 3164 wrote to memory of 4888 | 3164 | cmd.exe | icacls.exe
PID 3164 wrote to memory of 2052 | 3164 | cmd.exe | takeown.exe
PID 3164 wrote to memory of 792 | 3164 | cmd.exe | icacls.exe
PID 3164 wrote to memory of 2308 | 3164 | cmd.exe | takeown.exe
PID 3164 wrote to memory of 4460 | 3164 | cmd.exe | icacls.exe
PID 3900 wrote to memory of 3704 | 3900 | Kawaii.exe | cmd.exe
PID 3900 wrote to memory of 2568 | 3900 | Kawaii.exe | cmd.exe
PID 3704 wrote to memory of 3032 | 3704 | cmd.exe | regedit.exe
PID 2568 wrote to memory of 2168 | 2568 | cmd.exe | notepad.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Bracketed numbers give the depth in the process tree.)

[1] C:\Users\Admin\AppData\Local\Temp\Kawaii.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"
    PID: 3900
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\gpedit.msc && icacls C:\Windows\System32\gpedit.msc /grant %username%:F && takeown /f C:\Windows\System32\mmc.exe && icacls C:\Windows\System32\mmc.exe /grant %username%:F && takeown /f C:\Windows\System32\taskkill.exe && icacls C:\Windows\System32\taskkill.exe /grant %username%:F && exit
      PID: 3164
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\System32\gpedit.msc
        PID: 476
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\System32\gpedit.msc /grant Admin:F
        PID: 4888
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\System32\mmc.exe
        PID: 2052
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\System32\mmc.exe /grant Admin:F
        PID: 792
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\System32\taskkill.exe
        PID: 2308
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\System32\taskkill.exe /grant Admin:F
        PID: 4460
        - Possible privilege escalation attempt
        - Modifies file permissions
  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit" && exit
      PID: 3704
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\regedit.exe
        Command line: regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit"
        PID: 3032
        - Runs .reg file with regedit
  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k notepad C:/Users/nota.txt && exit
      PID: 2568
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\notepad.exe
        Command line: notepad C:/Users/nota.txt
        PID: 2168
  [2] C:\Windows\System32\shutdown.exe
      Command line: "C:\Windows\System32\shutdown.exe" -f -r -t 3
      PID: 4928

[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x0000000000000480
    PID: 3876
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\explorer.exe
    Command line: explorer.exe
    PID: 556
    - Boot or Logon Autostart Execution: Active Setup
    - Enumerates connected drives
    - Checks SCSI registry key(s)
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    PID: 3496
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 420
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\System32\PickerHost.exe
    Command line: C:\Windows\System32\PickerHost.exe -Embedding
    PID: 4884

Notes on the tree. Everything below PID 3900 is the sample's own activity; the other depth-1 processes (AUDIODG.EXE, explorer.exe, SearchHost.exe, StartMenuExperienceHost.exe, PickerHost.exe) are normal shell and audio components that the sandbox records alongside it. cmd.exe expands %username% before spawning icacls, which is why the children show /grant Admin:F. In the regedit command the closing quote is placed after "&& exit", so regedit receives "...control.reg && exit" as its file name; the report does not show whether the import succeeded. The contents of C:/Users/nota.txt are not captured here. shutdown -f -r -t 3 forces a reboot three seconds after the rest of the chain has run.
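The takeown/icacls chain, the silent regedit import and the short-fuse reboot above are the parts of this tree worth alerting on. What follows is an added example, not sandbox output and not the sample's code: it replays those process-creation records as constructed Sysmon-style events and scores them by rule. The field names, rule names, severity levels and the explorer.exe-rooted icacls chain at the end (a made-up benign control case) are this example's own assumptions; the sample's PIDs and command lines are copied from the tree.

```python
"""Score the process chains from this report's process tree.

Added example, not sandbox output and not the sample's code.  EVENTS is
constructed from the tree above (PIDs and command lines as listed) in a
Sysmon-style shape; the field names, rule names, severities and the
explorer.exe-rooted benign control chain at the end are assumptions of
this example.
"""
import ntpath
import re
from dataclasses import dataclass, field

# A tree rooted in one of these locations that then touches C:\Windows is
# the case worth escalating; the marker list is this example's own choice.
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\programdata\\", "\\public\\")
PROTECTED_PREFIX = "c:\\windows\\"
PATH_RE = re.compile(r'[A-Za-z]:[\\/][^\s"]*')

EVENTS = [
    {"pid": 3900, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\Kawaii.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"'},
    {"pid": 3164, "ppid": 3900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\gpedit.msc '
                r'&& icacls C:\Windows\System32\gpedit.msc /grant %username%:F && exit'},
    {"pid": 476, "ppid": 3164, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r"takeown /f C:\Windows\System32\gpedit.msc"},
    {"pid": 4888, "ppid": 3164, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r"icacls C:\Windows\System32\gpedit.msc /grant Admin:F"},
    {"pid": 3704, "ppid": 3900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k regedit /s '
                r'"C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit" && exit'},
    {"pid": 3032, "ppid": 3704, "image": r"C:\Windows\regedit.exe",
     "cmdline": r'regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit"'},
    {"pid": 4928, "ppid": 3900, "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": r'"C:\Windows\System32\shutdown.exe" -f -r -t 3'},
    # Benign control (constructed): an admin fixing the ACL on their own file.
    {"pid": 556, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 6000, "ppid": 556, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 6001, "ppid": 6000, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r"icacls C:\Users\Admin\Documents\notes.txt /grant Admin:F"},
]


@dataclass
class Hit:
    rule: str
    pid: int
    severity: str
    detail: list = field(default_factory=list)


def norm(path):
    """Lower-case and backslash-normalise a path taken from a command line."""
    return path.replace("/", "\\").lower().rstrip("\\")


def paths_in(cmdline):
    return [norm(p) for p in PATH_RE.findall(cmdline)]


def root_image(by_pid, pid):
    """Follow ppid links to the topmost ancestor we have a record for."""
    seen, ev = set(), by_pid[pid]
    while ev["ppid"] in by_pid and ev["pid"] not in seen:
        seen.add(ev["pid"])
        ev = by_pid[ev["ppid"]]
    return ev["image"]


def from_user_writable(image):
    return any(marker in image.lower() for marker in USER_WRITABLE)


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        cl = ev["cmdline"]
        suspicious_root = from_user_writable(root_image(by_pid, ev["pid"]))
        if name in ("takeown.exe", "icacls.exe"):
            # Ownership seizure or ACL grant on something under C:\Windows.
            targets = [p for p in paths_in(cl) if p.startswith(PROTECTED_PREFIX)]
            if targets and (name == "takeown.exe" or "/grant" in cl.lower()):
                hits.append(Hit("protected_file_acl_change", ev["pid"],
                                "high" if suspicious_root else "medium", targets))
        elif name == "regedit.exe" and re.search(r"\s/s\b", cl, re.I):
            # /s suppresses the merge prompt, so the user never sees the import.
            hits.append(Hit("silent_reg_import", ev["pid"],
                            "high" if suspicious_root else "low", paths_in(cl)))
        elif name == "shutdown.exe":
            delay = re.search(r"\s[-/]t\s+(\d+)", cl, re.I)
            if re.search(r"\s[-/][rs]\b", cl, re.I) and delay and int(delay.group(1)) < 60:
                hits.append(Hit("forced_reboot", ev["pid"],
                                "high" if suspicious_root else "low", [f"t={delay.group(1)}"]))
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"{h.severity:6} {h.rule:26} pid={h.pid} {h.detail}")
```

The rules fire on the child processes (takeown.exe, icacls.exe, regedit.exe, shutdown.exe) rather than on the cmd.exe wrapper, so they still match if the sample launches the tools directly, and severity is decided by where the tree is rooted: the same icacls /grant from an explorer.exe-rooted chain on a file under C:\Users produces nothing.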
Network
MITRE ATT&CK Enterprise v15
Downloads
-
(no path recorded; the hashes are identical to those of the submitted sample in the General section)
Filesize: 5.3MB
MD5: d9dabab21dc0ae729cd41a81850e8593
SHA1: afca150f0964df9bf4c9336465ed0ff3c7ed4900
SHA256: 14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6
SHA512: 0caf4e854dd4458f8a2d730fe56d6a4c19cf1af5eb7e4b3534b34fd6758be15fbe320c4f823bd53d22d983a0f2fc14e4a8662d7d6c223e823ffa6423f617c5a3
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PQ45N7WT\www.bing[1].xml
Filesize: 328B
MD5: 217f1a3d72ead614f6b6707f20ecc593
SHA1: 5b36f60c8e4ace34200464d1ab60d7747fcec6cd
SHA256: 6bebd59cef3960dc7d54420084fb966dcd5dac30d430421f65f265af2b382fc8
SHA512: 565720936a3089c80646dbbae00ab9c25a2ef70d4d2b8037fcb57b29e73a22e24b27a2b71d92575711663258c95e913a23e5775062a5b9080d94469c13ef4467
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PQ45N7WT\www.bing[1].xml
(same path as the previous entry, captured again after it was rewritten)
Filesize: 15KB
MD5: 730115c612db2c76be3fe54b45c49cc5
SHA1: a29eba595d0aeec1088bab0c2e4102efe5460b11
SHA256: f49595d14dac0d4f1afc0e1fbf53c75b6d0a0f69bc537a4a507fe51f52a96766
SHA512: ecfec19007428bd4d99521c18e3dfbe6fc260d2c2c7b8cd439dde956d812561cc551e05e0df77f152e292a8cef73cc60b244aecdaaee62ff75ddf069d1cb204c
-
(no path recorded)
Filesize: 471B
MD5: 0aea1502a4192f4fcd8d25d4172ec0e5
SHA1: adcc286452580eee1a6d651c63f54cdaaadc23e0
SHA256: acab5764875cdbb4a37299d32da3680ff66221072eb8a044375a872d3b1a9eee
SHA512: 33ed0647cd4a81e1aa71fa9faa3d548b6fd2596822315dc41eefde1e57dae4440476e128d79288c47636e3ceac0a435b532b6d2c7eefc52c5910385b57771edb
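To carry these hashes into a blocklist or SIEM without retyping them, here is an added example (not part of the report) that parses the Downloads block in the shape the page extraction left it, with the algorithm label fused to the digest and the size sometimes wrapped onto its own line. REPORT_TEXT is a copy of the four records above, labelled as such; the role labels, the size conversion, the problem flags and the SAMPLE_SHA256 constant (taken from the Target hash in the General section) are the example's own choices.

```python
"""Parse this report's "Downloads" hash block into structured IoC records.

Added example, not part of the sandbox output.  REPORT_TEXT is the block
copied from this page as the extraction left it ("MD5<hex>" with no
separator, the size sometimes on its own line); the role labels, size
conversion and problem flags are this example's own choices.
"""
import json
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9A-Fa-f]*)$")
SIZE_RE = re.compile(r"^Filesize\s*(\S*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# SHA256 of the submitted file, from the General section of this report.
SAMPLE_SHA256 = "14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6"

REPORT_TEXT = r"""
-
Filesize
5.3MB
MD5d9dabab21dc0ae729cd41a81850e8593
SHA1afca150f0964df9bf4c9336465ed0ff3c7ed4900
SHA25614c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6
SHA5120caf4e854dd4458f8a2d730fe56d6a4c19cf1af5eb7e4b3534b34fd6758be15fbe320c4f823bd53d22d983a0f2fc14e4a8662d7d6c223e823ffa6423f617c5a3
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PQ45N7WT\www.bing[1].xml
Filesize328B
MD5217f1a3d72ead614f6b6707f20ecc593
SHA15b36f60c8e4ace34200464d1ab60d7747fcec6cd
SHA2566bebd59cef3960dc7d54420084fb966dcd5dac30d430421f65f265af2b382fc8
SHA512565720936a3089c80646dbbae00ab9c25a2ef70d4d2b8037fcb57b29e73a22e24b27a2b71d92575711663258c95e913a23e5775062a5b9080d94469c13ef4467
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PQ45N7WT\www.bing[1].xml
Filesize15KB
MD5730115c612db2c76be3fe54b45c49cc5
SHA1a29eba595d0aeec1088bab0c2e4102efe5460b11
SHA256f49595d14dac0d4f1afc0e1fbf53c75b6d0a0f69bc537a4a507fe51f52a96766
SHA512ecfec19007428bd4d99521c18e3dfbe6fc260d2c2c7b8cd439dde956d812561cc551e05e0df77f152e292a8cef73cc60b244aecdaaee62ff75ddf069d1cb204c
-
Filesize
471B
MD50aea1502a4192f4fcd8d25d4172ec0e5
SHA1adcc286452580eee1a6d651c63f54cdaaadc23e0
SHA256acab5764875cdbb4a37299d32da3680ff66221072eb8a044375a872d3b1a9eee
SHA51233ed0647cd4a81e1aa71fa9faa3d548b6fd2596822315dc41eefde1e57dae4440476e128d79288c47636e3ceac0a435b532b6d2c7eefc52c5910385b57771edb
"""


def parse_size(text):
    """'5.3MB' -> bytes (binary units); None if the field is not a size."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip())
    return int(float(m.group(1)) * UNITS[m.group(2)]) if m else None


def parse_records(text):
    records, current = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln == "-":                                   # record separator
            current = {"path": None, "size": None, "hashes": {}, "problems": []}
            records.append(current)
        elif current is None or not ln:
            pass
        elif (m := SIZE_RE.match(ln)):
            raw = m.group(1)
            if not raw and i + 1 < len(lines):          # size wrapped to next line
                i += 1
                raw = lines[i]
            current["size"] = parse_size(raw)
        elif (m := DIGEST_RE.match(ln)):
            algo, hexdigest = m.group(1), m.group(2).lower()
            if len(hexdigest) != DIGEST_LEN[algo]:      # truncated or mis-split digest
                current["problems"].append(f"{algo} has {len(hexdigest)} hex chars")
            current["hashes"][algo] = hexdigest
        elif PATH_RE.match(ln):
            current["path"] = ln
        i += 1
    for r in records:
        missing = [a for a in DIGEST_LEN if a not in r["hashes"]]
        if missing:
            r["problems"].append("missing " + ",".join(missing))
        r["role"] = ("submitted sample" if r["hashes"].get("SHA256") == SAMPLE_SHA256
                     else "dropped/modified file")
    return records


def find_rewrites(records):
    """Paths listed more than once with different content: the file was
    rewritten during the run, so every version's hash is worth keeping."""
    by_path = {}
    for r in records:
        if r["path"]:
            by_path.setdefault(r["path"], set()).add(r["hashes"].get("SHA256"))
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


if __name__ == "__main__":
    recs = parse_records(REPORT_TEXT)
    print(json.dumps({"records": recs, "rewritten": find_rewrites(recs)}, indent=2))
```

Validating digest lengths matters with this layout because the label and digest are fused: a line such as "SHA15b36..." is SHA1 followed by a digest starting with 5, and only the 40-character length confirms the split.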