Resubmissions

04-11-2024 03:20

241104-dv3zwasdnf 8

04-11-2024 03:16

241104-dsxp3svmeq 8

03-11-2024 23:56

241103-3zhxya1jer 3

Analysis

  • max time kernel
    179s
  • max time network
    181s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-11-2024 03:16

Errors

Reason
Machine shutdown

General

  • Target

    Kawaii.exe

  • Size

    5.3MB

  • MD5

    d9dabab21dc0ae729cd41a81850e8593

  • SHA1

    afca150f0964df9bf4c9336465ed0ff3c7ed4900

  • SHA256

    14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6

  • SHA512

    0caf4e854dd4458f8a2d730fe56d6a4c19cf1af5eb7e4b3534b34fd6758be15fbe320c4f823bd53d22d983a0f2fc14e4a8662d7d6c223e823ffa6423f617c5a3

  • SSDEEP

    98304:X3u3YBR2ycevqJZUfYLceHQIJ/xvSBIcevqJZUfYLcN3HQIJ/xvf2:nvcLrvLcqQIJjcLrvLc5QIJ

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in Drivers directory 1 IoCs
  • Possible privilege escalation attempt 6 IoCs
  • Modifies file permissions 1 TTPs 6 IoCs
  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
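Two of the signatures above point at the registry: the Active Setup persistence hit on explorer.exe, and the silent `regedit /s` import of a dropped control.reg. Active Setup runs the `StubPath` command of every component under `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components` once per user at logon whenever the HKLM entry's `Version` is newer than the user's HKCU copy, which is why a new component with a `StubPath` is worth flagging on sight. The report does not show the contents of control.reg, so the script below is an added example (not sandbox output and not the sample's own data): a small .reg parser plus a triage pass that flags Active Setup `StubPath` entries, Run/RunOnce values and Policies lockdown values. The sample .reg text is constructed; the StubPath pointing at the self-copy under `C:\Program Files\Win32\Temp` and the DisableTaskMgr/NoRun values are assumptions chosen to illustrate the check, not observed behaviour.

```python
import re

# Constructed .reg text for the example; the report does not include control.reg.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EXAMPLE-0000-0000-0000-000000000001}]
"StubPath"="C:\\Program Files\\Win32\\Temp\\Kawaii.exe"
"Version"="1,0,0,0"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Example\Harmless]
"Colour"="blue"
"""

# "Name"=value or @=value (default value); the name may contain escaped quotes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_value(v):
    """Decode one .reg value: quoted string, dword, '-' (delete), or raw hex."""
    if v.startswith('"') and v.endswith('"'):
        return unescape(v[1:-1])
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    if v == "-":
        return None  # value deletion
    return v  # hex:, hex(2):, hex(7): ... left as the raw byte string


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    A key written as [-HKEY...] is a deletion and is marked with "__delete__"."""
    keys, current, buf = {}, None, []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = name.lstrip("-")
            keys[current] = {"__delete__": True} if name.startswith("-") else {}
            continue
        buf.append(line.rstrip("\\").strip())
        if line.endswith("\\"):  # hex: data continued on the next line
            continue
        raw, buf = "".join(buf), []
        m = VALUE_RE.match(raw)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        keys[current][name] = parse_value(m.group(2))
    return keys


# Watch list (the reviewer's own, not from the report), compared without the hive prefix.
ACTIVE_SETUP = "software\\microsoft\\active setup\\installed components\\"
RUN_KEYS = ("software\\microsoft\\windows\\currentversion\\run",
            "software\\microsoft\\windows\\currentversion\\runonce")
POLICY_KEYS = ("software\\microsoft\\windows\\currentversion\\policies\\system",
               "software\\microsoft\\windows\\currentversion\\policies\\explorer")


def triage(keys):
    """Return (finding_type, key, detail) tuples for persistence and lockdown writes."""
    findings = []
    for key, values in keys.items():
        path = key.lower().split("\\", 1)[1] if "\\" in key else ""
        entries = [(n, v) for n, v in values.items() if n != "__delete__"]
        if path.startswith(ACTIVE_SETUP) and "StubPath" in values:
            findings.append(("active_setup_stubpath", key, values["StubPath"]))
        elif path in RUN_KEYS:
            findings.extend(("run_key", key, f"{n}={v}") for n, v in entries)
        elif path in POLICY_KEYS:
            findings.extend(("policy_lockdown", key, f"{n}={v}") for n, v in entries)
    return findings


if __name__ == "__main__":
    for kind, key, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"{kind:22} {key}\n{'':22} {detail}")
```

To run it against a real dropped file, read the .reg with `encoding="utf-16"` first (regedit exports are UTF-16LE with a BOM) before passing the text to `parse_reg`.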

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kawaii.exe
    "C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\gpedit.msc && icacls C:\Windows\System32\gpedit.msc /grant %username%:F && takeown /f C:\Windows\System32\mmc.exe && icacls C:\Windows\System32\mmc.exe /grant %username%:F && takeown /f C:\Windows\System32\taskkill.exe && icacls C:\Windows\System32\taskkill.exe /grant %username%:F && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\gpedit.msc
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2128
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\gpedit.msc /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1740
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\mmc.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:340
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\mmc.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2424
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\taskkill.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1640
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\taskkill.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1972
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit" && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\regedit.exe
        regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit"
        3⤵
        • Runs .reg file with regedit
        PID:2076
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k notepad C:/Users/nota.txt && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\system32\notepad.exe
        notepad C:/Users/nota.txt
        3⤵
        PID:1904
    • C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" -f -r -t 3
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2208
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x504
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:604
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1676
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:2608
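The tree above is a compact lockdown-and-reboot sequence: the sample shells out to `takeown` and `icacls` to seize `gpedit.msc`, `mmc.exe` and `taskkill.exe` under System32 (the `%username%` in the cmd.exe line expands to `Admin` in the child processes), imports a .reg file silently, opens a note for the user, then forces a reboot with a three-second timer. Note that in the regedit line the closing quote sits after `&& exit`, so regedit receives `... control.reg && exit` as its file argument rather than a plain path. The script below is an added example (not part of the report, and not the sandbox's detection logic) of how a detection engineer might correlate such process-creation events: it tags takeown/icacls whose target is under System32, `regedit /s`, and `shutdown` with `-r` and a short `-t`, then walks parent PIDs so the tags roll up to the root process and fire one alert. The event list is constructed from the command lines and PIDs shown in the tree; the final benign `icacls` event is invented as a control.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the report's process tree.
# The last event is an invented benign control (an admin fixing ACLs on a user file).
EVENTS = [
    {"pid": 2000, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\Kawaii.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"'},
    {"pid": 2776, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\gpedit.msc && icacls C:\Windows\System32\gpedit.msc /grant %username%:F && exit'},
    {"pid": 2128, "ppid": 2776, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r"takeown /f C:\Windows\System32\gpedit.msc"},
    {"pid": 1740, "ppid": 2776, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r"icacls C:\Windows\System32\gpedit.msc /grant Admin:F"},
    {"pid": 2364, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit" && exit'},
    {"pid": 2076, "ppid": 2364, "image": r"C:\Windows\regedit.exe",
     "cmdline": r'regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit"'},
    {"pid": 2208, "ppid": 2000, "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": r'"C:\Windows\System32\shutdown.exe" -f -r -t 3'},
    {"pid": 3000, "ppid": 1, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r"icacls C:\Users\Admin\Documents\report.docx /grant Admin:F"},
]

# Path under the Windows System32 directory, either slash style, any drive letter.
SYSTEM32 = re.compile(r"(?i)^[a-z]:[\\/]windows[\\/]system32[\\/]")


def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(event):
    """Return the set of detection tags that apply to one process-creation event."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    toks = tokens(event["cmdline"])
    low = [t.lower() for t in toks]
    tags = set()
    if image in ("takeown.exe", "icacls.exe") and any(SYSTEM32.match(t) for t in toks[1:]):
        tags.add("system32_acl_tamper")          # ownership/ACL change on an OS binary
    if image == "regedit.exe" and "/s" in low:
        tags.add("silent_reg_import")             # regedit /s: no prompt, no UI
    if image == "shutdown.exe" and any(t in ("-r", "/r") for t in low):
        for i, t in enumerate(low):
            if t in ("-t", "/t") and i + 1 < len(low) and low[i + 1].isdigit() and int(low[i + 1]) <= 10:
                tags.add("forced_fast_reboot")    # reboot within seconds of the tampering
    return tags


def root_of(pid, by_pid):
    """Walk parent PIDs up to the highest ancestor present in the event set."""
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid


def correlate(events):
    """Roll tags up to the root process; severity is high when ACL tampering is
    paired with a silent registry import or a forced reboot in the same tree."""
    by_pid = {e["pid"]: e for e in events}
    findings = defaultdict(lambda: {"tags": set(), "pids": []})
    for e in events:
        tags = classify(e)
        if tags:
            root = root_of(e["pid"], by_pid)
            findings[root]["tags"] |= tags
            findings[root]["pids"].append(e["pid"])
    alerts = {}
    for root, f in findings.items():
        paired = "system32_acl_tamper" in f["tags"] and f["tags"] & {"silent_reg_import", "forced_fast_reboot"}
        alerts[root] = {"image": by_pid[root]["image"], "severity": "high" if paired else "low",
                        "tags": f["tags"], "pids": sorted(f["pids"])}
    return alerts


if __name__ == "__main__":
    for root, a in correlate(EVENTS).items():
        print(f"[{a['severity']}] root PID {root} {a['image']}: {sorted(a['tags'])} via {a['pids']}")
```

The benign control produces no finding because its target is outside System32; in production the same rules would be fed from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled, and the parent-PID walk needs the creation time as well as the PID to survive PID reuse.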

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Win32\Temp\Kawaii.exe

    Filesize

    5.3MB

    MD5

    d9dabab21dc0ae729cd41a81850e8593

    SHA1

    afca150f0964df9bf4c9336465ed0ff3c7ed4900

    SHA256

    14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6

    SHA512

    0caf4e854dd4458f8a2d730fe56d6a4c19cf1af5eb7e4b3534b34fd6758be15fbe320c4f823bd53d22d983a0f2fc14e4a8662d7d6c223e823ffa6423f617c5a3

  • C:\Users\nota.txt

    Filesize

    471B

    MD5

    0aea1502a4192f4fcd8d25d4172ec0e5

    SHA1

    adcc286452580eee1a6d651c63f54cdaaadc23e0

    SHA256

    acab5764875cdbb4a37299d32da3680ff66221072eb8a044375a872d3b1a9eee

    SHA512

    33ed0647cd4a81e1aa71fa9faa3d548b6fd2596822315dc41eefde1e57dae4440476e128d79288c47636e3ceac0a435b532b6d2c7eefc52c5910385b57771edb

  • memory/1676-24-0x0000000004760000-0x0000000004770000-memory.dmp

    Filesize

    64KB

  • memory/2000-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

    Filesize

    4KB

  • memory/2000-1-0x0000000001230000-0x000000000177C000-memory.dmp

    Filesize

    5.3MB

  • memory/2000-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

    Filesize

    9.9MB

  • memory/2000-3-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

    Filesize

    9.9MB

  • memory/2000-4-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

    Filesize

    9.9MB

  • memory/2000-5-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

    Filesize

    4KB

  • memory/2000-6-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

    Filesize

    9.9MB

  • memory/2000-7-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

    Filesize

    9.9MB

  • memory/2000-25-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

    Filesize

    9.9MB