Resubmissions

04-11-2024 03:20

241104-dv3zwasdnf 8

04-11-2024 03:16

241104-dsxp3svmeq 8

03-11-2024 23:56

241103-3zhxya1jer 3

Analysis

  • max time kernel
    51s
  • max time network
    53s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04-11-2024 03:16

Errors

Reason
Machine shutdown

General

  • Target

    Kawaii.exe

  • Size

    5.3MB

  • MD5

    d9dabab21dc0ae729cd41a81850e8593

  • SHA1

    afca150f0964df9bf4c9336465ed0ff3c7ed4900

  • SHA256

    14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6

  • SHA512

    0caf4e854dd4458f8a2d730fe56d6a4c19cf1af5eb7e4b3534b34fd6758be15fbe320c4f823bd53d22d983a0f2fc14e4a8662d7d6c223e823ffa6423f617c5a3

  • SSDEEP

    98304:X3u3YBR2ycevqJZUfYLceHQIJ/xvSBIcevqJZUfYLcN3HQIJ/xvf2:nvcLrvLcqQIJjcLrvLc5QIJ

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in Drivers directory 1 IoCs
  • Possible privilege escalation attempt 6 IoCs
  • Modifies file permissions 1 TTPs 6 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 36 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
  • Modifies registry class 14 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kawaii.exe
    "C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\gpedit.msc && icacls C:\Windows\System32\gpedit.msc /grant %username%:F && takeown /f C:\Windows\System32\mmc.exe && icacls C:\Windows\System32\mmc.exe /grant %username%:F && takeown /f C:\Windows\System32\taskkill.exe && icacls C:\Windows\System32\taskkill.exe /grant %username%:F && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3164
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\gpedit.msc
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:476
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\gpedit.msc /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4888
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\mmc.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2052
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\mmc.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:792
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\taskkill.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\taskkill.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4460
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit" && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Windows\regedit.exe
        regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit"
        3⤵
        • Runs .reg file with regedit
        PID:3032
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k notepad C:/Users/nota.txt && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\system32\notepad.exe
        notepad C:/Users/nota.txt
        3⤵
          PID:2168
      • C:\Windows\System32\shutdown.exe
        "C:\Windows\System32\shutdown.exe" -f -r -t 3
        2⤵
          PID:4928
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x0000000000000480
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3876
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:556
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
        1⤵
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3496
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:420
      • C:\Windows\System32\PickerHost.exe
        C:\Windows\System32\PickerHost.exe -Embedding
        1⤵
          PID:4884

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Win32\Temp\Kawaii.exe

          Filesize

          5.3MB

          MD5

          d9dabab21dc0ae729cd41a81850e8593

          SHA1

          afca150f0964df9bf4c9336465ed0ff3c7ed4900

          SHA256

          14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6

          SHA512

          0caf4e854dd4458f8a2d730fe56d6a4c19cf1af5eb7e4b3534b34fd6758be15fbe320c4f823bd53d22d983a0f2fc14e4a8662d7d6c223e823ffa6423f617c5a3

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PQ45N7WT\www.bing[1].xml

          Filesize

          328B

          MD5

          217f1a3d72ead614f6b6707f20ecc593

          SHA1

          5b36f60c8e4ace34200464d1ab60d7747fcec6cd

          SHA256

          6bebd59cef3960dc7d54420084fb966dcd5dac30d430421f65f265af2b382fc8

          SHA512

          565720936a3089c80646dbbae00ab9c25a2ef70d4d2b8037fcb57b29e73a22e24b27a2b71d92575711663258c95e913a23e5775062a5b9080d94469c13ef4467

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PQ45N7WT\www.bing[1].xml

          Filesize

          15KB

          MD5

          730115c612db2c76be3fe54b45c49cc5

          SHA1

          a29eba595d0aeec1088bab0c2e4102efe5460b11

          SHA256

          f49595d14dac0d4f1afc0e1fbf53c75b6d0a0f69bc537a4a507fe51f52a96766

          SHA512

          ecfec19007428bd4d99521c18e3dfbe6fc260d2c2c7b8cd439dde956d812561cc551e05e0df77f152e292a8cef73cc60b244aecdaaee62ff75ddf069d1cb204c

        • C:\Users\nota.txt

          Filesize

          471B

          MD5

          0aea1502a4192f4fcd8d25d4172ec0e5

          SHA1

          adcc286452580eee1a6d651c63f54cdaaadc23e0

          SHA256

          acab5764875cdbb4a37299d32da3680ff66221072eb8a044375a872d3b1a9eee

          SHA512

          33ed0647cd4a81e1aa71fa9faa3d548b6fd2596822315dc41eefde1e57dae4440476e128d79288c47636e3ceac0a435b532b6d2c7eefc52c5910385b57771edb

        • memory/2568-386-0x00007FF7DF950000-0x00007FF7DF9BC000-memory.dmp

          Filesize

          432KB

        • memory/3496-261-0x00000226FD1D0000-0x00000226FD2D0000-memory.dmp

          Filesize

          1024KB

        • memory/3496-173-0x00000226F9430000-0x00000226F9450000-memory.dmp

          Filesize

          128KB

        • memory/3496-171-0x00000226F8830000-0x00000226F8850000-memory.dmp

          Filesize

          128KB

        • memory/3496-172-0x00000226F97C0000-0x00000226F98C0000-memory.dmp

          Filesize

          1024KB

        • memory/3900-5-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

          Filesize

          10.8MB

        • memory/3900-22-0x000000001C130000-0x000000001C139000-memory.dmp

          Filesize

          36KB

        • memory/3900-21-0x000000001C140000-0x000000001C186000-memory.dmp

          Filesize

          280KB

        • memory/3900-23-0x000000001C3E0000-0x000000001C3ED000-memory.dmp

          Filesize

          52KB

        • memory/3900-60-0x000000001C140000-0x000000001C186000-memory.dmp

          Filesize

          280KB

        • memory/3900-25-0x000000001C410000-0x000000001C41B000-memory.dmp

          Filesize

          44KB

        • memory/3900-24-0x000000001C3F0000-0x000000001C40E000-memory.dmp

          Filesize

          120KB

        • memory/3900-0-0x00007FFDAFF53000-0x00007FFDAFF55000-memory.dmp

          Filesize

          8KB

        • memory/3900-4-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

          Filesize

          10.8MB

        • memory/3900-3-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

          Filesize

          10.8MB

        • memory/3900-2-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

          Filesize

          10.8MB

        • memory/3900-385-0x00007FFDAFF50000-0x00007FFDB0A12000-memory.dmp

          Filesize

          10.8MB

        • memory/3900-1-0x00000000000C0000-0x000000000060C000-memory.dmp

          Filesize

          5.3MB