Resubmissions

04-11-2024 03:20

241104-dv3zwasdnf 8

04-11-2024 03:16

241104-dsxp3svmeq 8

03-11-2024 23:56

241103-3zhxya1jer 3

Analysis

  • max time kernel
    75s
  • max time network
    57s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-11-2024 03:20

Errors

Reason
Machine shutdown

General

  • Target

    Kawaii.exe

  • Size

    5.3MB

  • MD5

    d9dabab21dc0ae729cd41a81850e8593

  • SHA1

    afca150f0964df9bf4c9336465ed0ff3c7ed4900

  • SHA256

    14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6

  • SHA512

    0caf4e854dd4458f8a2d730fe56d6a4c19cf1af5eb7e4b3534b34fd6758be15fbe320c4f823bd53d22d983a0f2fc14e4a8662d7d6c223e823ffa6423f617c5a3

  • SSDEEP

    98304:X3u3YBR2ycevqJZUfYLceHQIJ/xvSBIcevqJZUfYLcN3HQIJ/xvf2:nvcLrvLcqQIJjcLrvLc5QIJ

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in Drivers directory 1 IoCs
  • Possible privilege escalation attempt 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 6 IoCs
  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 62 IoCs
  • Suspicious use of SendNotifyMessage 33 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kawaii.exe
    "C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2092
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2920
    • C:\Users\Admin\AppData\Local\Temp\Kawaii.exe
      "C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"
      1⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\gpedit.msc && icacls C:\Windows\System32\gpedit.msc /grant %username%:F && takeown /f C:\Windows\System32\mmc.exe && icacls C:\Windows\System32\mmc.exe /grant %username%:F && takeown /f C:\Windows\System32\taskkill.exe && icacls C:\Windows\System32\taskkill.exe /grant %username%:F && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\System32\gpedit.msc
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2860
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\System32\gpedit.msc /grant Admin:F
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1456
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\System32\mmc.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2804
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\System32\mmc.exe /grant Admin:F
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2136
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\System32\taskkill.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:296
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\System32\taskkill.exe /grant Admin:F
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1956
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /k regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit" && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1440
        • C:\Windows\regedit.exe
          regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit"
          3⤵
          • Runs .reg file with regedit
          PID:1680
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /k notepad C:/Users/nota.txt && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1828
        • C:\Windows\system32\notepad.exe
          notepad C:/Users/nota.txt
          3⤵
          • Suspicious use of FindShellTrayWindow
          PID:2196
      • C:\Windows\System32\shutdown.exe
        "C:\Windows\System32\shutdown.exe" -f -r -t 3
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:940
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1744
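The process tree above is a compact procedure: take ownership of and re-ACL three System32 objects (gpedit.msc, mmc.exe, taskkill.exe), silently import a .reg file, open a note, then force a reboot three seconds later. The following is an added example, not part of the sandbox report, of detection logic that turns those command lines into rules and correlates the hits back to their common ancestor. It is written in Python over process-creation records constructed from the tree above (PIDs, images and command lines as shown, plus one benign control); the field names pid/ppid/image/cmdline, the rule names and the reboot-timeout threshold are assumptions to be mapped onto whatever process-creation source you actually have (Sysmon Event ID 1, Security 4688).

```python
"""Detection rules for the takeown/icacls -> regedit /s -> shutdown chain shown
in the process tree. Added example, not part of the sandbox report. The event
records are CONSTRUCTED from the report's command lines; field names and rule
names are assumptions, not any sandbox's schema."""
import re
from collections import defaultdict

SYSTEM32_RE = re.compile(r"c:[\\/]windows[\\/]system32[\\/]", re.I)
USER_WRITABLE_RE = re.compile(r"c:[\\/]users[\\/]|[\\/]appdata[\\/]|[\\/]temp[\\/]", re.I)

# Constructed from the report: PIDs, images and command lines as shown in the tree,
# plus one benign control (takeown on a file in the user's own profile).
EVENTS = [
    {"pid": 2600, "ppid": 2920, "image": r"C:\Users\Admin\AppData\Local\Temp\Kawaii.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"'},
    {"pid": 1660, "ppid": 2600, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\gpedit.msc && icacls C:\Windows\System32\gpedit.msc /grant %username%:F && exit'},
    {"pid": 2860, "ppid": 1660, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r"takeown /f C:\Windows\System32\gpedit.msc"},
    {"pid": 1456, "ppid": 1660, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r"icacls C:\Windows\System32\gpedit.msc /grant Admin:F"},
    {"pid": 1440, "ppid": 2600, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit" && exit'},
    {"pid": 1680, "ppid": 1440, "image": r"C:\Windows\regedit.exe",
     "cmdline": r'regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit"'},
    {"pid": 940, "ppid": 2600, "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": r'"C:\Windows\System32\shutdown.exe" -f -r -t 3'},
    {"pid": 3000, "ppid": 2920, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r"takeown /f C:\Users\Admin\Documents\old.docx"},
]


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def rule_acl_tamper(ev):
    """takeown/icacls aimed at an object under System32. Key on the target path,
    not the grantee: the parent cmd line carries %username% while the child
    process shows the expanded account (Admin), so a grantee match is brittle."""
    if basename(ev["image"]) not in ("takeown.exe", "icacls.exe"):
        return None
    targets = [t for t in ev["cmdline"].split() if SYSTEM32_RE.search(t)]
    return f"acl_tamper_system32: {targets}" if targets else None


def rule_silent_reg_import(ev):
    """regedit /s imports a .reg file with no prompt. Capture whatever follows /s:
    here the sample's quoting put '&& exit' inside the filename argument, so a
    rule keyed on a clean path ending in .reg would miss it."""
    if basename(ev["image"]) != "regedit.exe":
        return None
    m = re.search(r'(?i)/s\s+"?([^"]+)', ev["cmdline"])
    return f"silent_reg_import: {m.group(1).strip()}" if m else None


def rule_forced_reboot(ev, max_timeout=60):
    """shutdown with a restart flag and a short timeout; both '-' and '/' switch
    styles are accepted by shutdown.exe, so both are matched."""
    if basename(ev["image"]) != "shutdown.exe":
        return None
    args = ev["cmdline"].lower()
    flags = set(re.findall(r"(?<!\S)[-/]([a-z])\b", args))
    t = re.search(r"(?<!\S)[-/]t\s+(\d+)", args)
    timeout = int(t.group(1)) if t else 0
    if "r" in flags and timeout <= max_timeout:
        return f"forced_reboot: flags={sorted(flags)} timeout={timeout}s"
    return None


def root_of(pid, by_pid):
    """Walk ppid links to the highest ancestor present in the record set."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        for rule in (rule_acl_tamper, rule_silent_reg_import, rule_forced_reboot):
            msg = rule(ev)
            if msg:
                root = by_pid[root_of(ev["pid"], by_pid)]
                hits.append({"pid": ev["pid"], "root_pid": root["pid"],
                             "root_in_user_dir": bool(USER_WRITABLE_RE.search(root["image"])),
                             "finding": msg})
    return hits


def score_roots(hits):
    """Number of distinct rules fired under each root ancestor: one ancestor
    tripping all three is a far stronger signal than any single takeown."""
    rules = defaultdict(set)
    for h in hits:
        rules[h["root_pid"]].add(h["finding"].split(":")[0])
    return {pid: len(r) for pid, r in rules.items()}


if __name__ == "__main__":
    hits = detect(EVENTS)
    for h in hits:
        print(h)
    print(score_roots(hits))
```

Run against the constructed records, the three rules fire on the takeown, icacls, regedit and shutdown children and on nothing else; the benign takeown on a file under the user's profile is not flagged, and every hit resolves to the same root, the Kawaii.exe instance launched from AppData\Local\Temp, which is what makes the chain worth an alert rather than three unrelated low-severity events.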

Network

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Kawaii.exe

    Filesize

    5.3MB

    MD5

    d9dabab21dc0ae729cd41a81850e8593

    SHA1

    afca150f0964df9bf4c9336465ed0ff3c7ed4900

    SHA256

    14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6

    SHA512

    0caf4e854dd4458f8a2d730fe56d6a4c19cf1af5eb7e4b3534b34fd6758be15fbe320c4f823bd53d22d983a0f2fc14e4a8662d7d6c223e823ffa6423f617c5a3

  • C:\Users\nota.txt

    Filesize

    471B

    MD5

    0aea1502a4192f4fcd8d25d4172ec0e5

    SHA1

    adcc286452580eee1a6d651c63f54cdaaadc23e0

    SHA256

    acab5764875cdbb4a37299d32da3680ff66221072eb8a044375a872d3b1a9eee

    SHA512

    33ed0647cd4a81e1aa71fa9faa3d548b6fd2596822315dc41eefde1e57dae4440476e128d79288c47636e3ceac0a435b532b6d2c7eefc52c5910385b57771edb

  • memory/2092-0-0x000007FEF5AC3000-0x000007FEF5AC4000-memory.dmp

    Filesize

    4KB

  • memory/2092-1-0x0000000000AC0000-0x000000000100C000-memory.dmp

    Filesize

    5.3MB

  • memory/2092-2-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2092-3-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2092-4-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2092-5-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2600-7-0x0000000000040000-0x000000000058C000-memory.dmp

    Filesize

    5.3MB