Resubmissions
- 04-11-2024 03:20  241104-dv3zwasdnf  8
- 04-11-2024 03:16  241104-dsxp3svmeq  8
- 03-11-2024 23:56  241103-3zhxya1jer  3

Analysis
- max time kernel: 75s
- max time network: 57s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04-11-2024 03:20

Static task: static1
Behavioral task: behavioral1
- Sample: Kawaii.exe
- Resource: win7-20240903-en

Errors

General
- Target: Kawaii.exe
- Size: 5.3MB
- MD5: d9dabab21dc0ae729cd41a81850e8593
- SHA1: afca150f0964df9bf4c9336465ed0ff3c7ed4900
- SHA256: 14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6
- SHA512: 0caf4e854dd4458f8a2d730fe56d6a4c19cf1af5eb7e4b3534b34fd6758be15fbe320c4f823bd53d22d983a0f2fc14e4a8662d7d6c223e823ffa6423f617c5a3
- SSDEEP: 98304:X3u3YBR2ycevqJZUfYLceHQIJ/xvSBIcevqJZUfYLcN3HQIJ/xvf2:nvcLrvLcqQIJjcLrvLc5QIJ
Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes (description / ioc / process):
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)

Drops file in Drivers directory (1 IoC)
Processes (description / ioc / process):
- File created: C:\Windows\System32\drivers\Kawaii.exe (Kawaii.exe)

Possible privilege escalation attempt (6 IoCs)
Processes (pid / process):
- 296 takeown.exe
- 1956 icacls.exe
- 2860 takeown.exe
- 1456 icacls.exe
- 2804 takeown.exe
- 2136 icacls.exe

Executes dropped EXE (1 IoC)
Processes (pid / process):
- 2600 Kawaii.exe

Modifies file permissions (1 TTP, 6 IoCs)
Processes (pid / process):
- 296 takeown.exe
- 1956 icacls.exe
- 2860 takeown.exe
- 1456 icacls.exe
- 2804 takeown.exe
- 2136 icacls.exe

Drops file in System32 directory (10 IoCs)
Processes (description / ioc / process):
- File opened for modification: C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo1.jpg (Kawaii.exe)
- File created: C:\Windows\System32\Kawaii.exe (Kawaii.exe)
- File opened for modification: C:\Windows\System32\Win32\Windows\Kawaii\Temp\icon.ico (Kawaii.exe)
- File opened for modification: C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo.jpg (Kawaii.exe)
- File opened for modification: C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo2.jpg (Kawaii.exe)
- File opened for modification: C:\Windows\System32\Win32\Windows\Kawaii\Temp\control.reg (Kawaii.exe)
- File created: C:\Windows\System32\Win32\Windows\Kawaii\Temp\Kawaii.exe (Kawaii.exe)
- File opened for modification: C:\Windows\System32\Win32\Windows\Kawaii\Temp\Kawaii.exe (Kawaii.exe)
- File opened for modification: C:\Windows\System32\Win32\Windows\Kawaii\Temp\flower_blue.ani (Kawaii.exe)
- File opened for modification: C:\Windows\System32\Win32\Windows\Kawaii\Temp\gemido.wav (Kawaii.exe)

Drops file in Program Files directory (1 IoC)
Processes (description / ioc / process):
- File created: C:\Program Files\Win32\Temp\Kawaii.exe (Kawaii.exe)

Drops file in Windows directory (1 IoC)
Processes (description / ioc / process):
- File created: C:\Windows\Kawaii.exe (Kawaii.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (5 IoCs)
Processes (description / ioc / process):
- Set value (data): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 (explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)

Runs .reg file with regedit (1 IoC)
Processes (pid / process):
- 1680 regedit.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process):
2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid / process):
- 1744 explorer.exe

Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege 2092 Kawaii.exe
- Token: SeDebugPrivilege 2600 Kawaii.exe
- Token: SeTakeOwnershipPrivilege 2860 takeown.exe
- Token: SeTakeOwnershipPrivilege 2804 takeown.exe
- Token: SeTakeOwnershipPrivilege 296 takeown.exe
- Token: SeShutdownPrivilege 1744 explorer.exe
- Token: SeShutdownPrivilege 1744 explorer.exe
- Token: SeShutdownPrivilege 1744 explorer.exe
- Token: SeShutdownPrivilege 1744 explorer.exe
- Token: SeShutdownPrivilege 1744 explorer.exe
- Token: SeShutdownPrivilege 1744 explorer.exe
- Token: SeShutdownPrivilege 1744 explorer.exe
- Token: SeShutdownPrivilege 1744 explorer.exe
- Token: SeShutdownPrivilege 1744 explorer.exe
- Token: SeShutdownPrivilege 1744 explorer.exe
- Token: SeShutdownPrivilege 1744 explorer.exe
- Token: SeShutdownPrivilege 1744 explorer.exe
- Token: SeShutdownPrivilege 1744 explorer.exe
- Token: SeShutdownPrivilege 940 shutdown.exe
- Token: SeRemoteShutdownPrivilege 940 shutdown.exe
- Token: SeShutdownPrivilege 2600 Kawaii.exe

Suspicious use of FindShellTrayWindow (62 IoCs)
Processes (pid / process):
2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2092 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 2196 notepad.exe 1744 explorer.exe 1744 explorer.exe

Suspicious use of SendNotifyMessage (33 IoCs)
Processes (pid / process):
2092 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 2600 Kawaii.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe 1744 explorer.exe

Suspicious use of WriteProcessMemory (36 IoCs)
Processes (description / pid / process / target process):
- PID 2600 wrote to memory of 1660: Kawaii.exe -> cmd.exe
- PID 2600 wrote to memory of 1660: Kawaii.exe -> cmd.exe
- PID 2600 wrote to memory of 1660: Kawaii.exe -> cmd.exe
- PID 1660 wrote to memory of 2860: cmd.exe -> takeown.exe
- PID 1660 wrote to memory of 2860: cmd.exe -> takeown.exe
- PID 1660 wrote to memory of 2860: cmd.exe -> takeown.exe
- PID 1660 wrote to memory of 1456: cmd.exe -> icacls.exe
- PID 1660 wrote to memory of 1456: cmd.exe -> icacls.exe
- PID 1660 wrote to memory of 1456: cmd.exe -> icacls.exe
- PID 1660 wrote to memory of 2804: cmd.exe -> takeown.exe
- PID 1660 wrote to memory of 2804: cmd.exe -> takeown.exe
- PID 1660 wrote to memory of 2804: cmd.exe -> takeown.exe
- PID 1660 wrote to memory of 2136: cmd.exe -> icacls.exe
- PID 1660 wrote to memory of 2136: cmd.exe -> icacls.exe
- PID 1660 wrote to memory of 2136: cmd.exe -> icacls.exe
- PID 1660 wrote to memory of 296: cmd.exe -> takeown.exe
- PID 1660 wrote to memory of 296: cmd.exe -> takeown.exe
- PID 1660 wrote to memory of 296: cmd.exe -> takeown.exe
- PID 1660 wrote to memory of 1956: cmd.exe -> icacls.exe
- PID 1660 wrote to memory of 1956: cmd.exe -> icacls.exe
- PID 1660 wrote to memory of 1956: cmd.exe -> icacls.exe
- PID 2600 wrote to memory of 1440: Kawaii.exe -> cmd.exe
- PID 2600 wrote to memory of 1440: Kawaii.exe -> cmd.exe
- PID 2600 wrote to memory of 1440: Kawaii.exe -> cmd.exe
- PID 2600 wrote to memory of 1828: Kawaii.exe -> cmd.exe
- PID 2600 wrote to memory of 1828: Kawaii.exe -> cmd.exe
- PID 2600 wrote to memory of 1828: Kawaii.exe -> cmd.exe
- PID 1440 wrote to memory of 1680: cmd.exe -> regedit.exe
- PID 1440 wrote to memory of 1680: cmd.exe -> regedit.exe
- PID 1440 wrote to memory of 1680: cmd.exe -> regedit.exe
- PID 1828 wrote to memory of 2196: cmd.exe -> notepad.exe
- PID 1828 wrote to memory of 2196: cmd.exe -> notepad.exe
- PID 1828 wrote to memory of 2196: cmd.exe -> notepad.exe
- PID 2600 wrote to memory of 940: Kawaii.exe -> shutdown.exe
- PID 2600 wrote to memory of 940: Kawaii.exe -> shutdown.exe
- PID 2600 wrote to memory of 940: Kawaii.exe -> shutdown.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\Kawaii.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"
    PID: 2092
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    PID: 2920

C:\Users\Admin\AppData\Local\Temp\Kawaii.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"
    PID: 2600
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\gpedit.msc && icacls C:\Windows\System32\gpedit.msc /grant %username%:F && takeown /f C:\Windows\System32\mmc.exe && icacls C:\Windows\System32\mmc.exe /grant %username%:F && takeown /f C:\Windows\System32\taskkill.exe && icacls C:\Windows\System32\taskkill.exe /grant %username%:F && exit
        PID: 1660
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\takeown.exe
            Command line: takeown /f C:\Windows\System32\gpedit.msc
            PID: 2860
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\icacls.exe
            Command line: icacls C:\Windows\System32\gpedit.msc /grant Admin:F
            PID: 1456
            - Possible privilege escalation attempt
            - Modifies file permissions

        C:\Windows\system32\takeown.exe
            Command line: takeown /f C:\Windows\System32\mmc.exe
            PID: 2804
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\icacls.exe
            Command line: icacls C:\Windows\System32\mmc.exe /grant Admin:F
            PID: 2136
            - Possible privilege escalation attempt
            - Modifies file permissions

        C:\Windows\system32\takeown.exe
            Command line: takeown /f C:\Windows\System32\taskkill.exe
            PID: 296
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\icacls.exe
            Command line: icacls C:\Windows\System32\taskkill.exe /grant Admin:F
            PID: 1956
            - Possible privilege escalation attempt
            - Modifies file permissions

    C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit" && exit
        PID: 1440
        - Suspicious use of WriteProcessMemory

        C:\Windows\regedit.exe
            Command line: regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit"
            PID: 1680
            - Runs .reg file with regedit

    C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k notepad C:/Users/nota.txt && exit
        PID: 1828
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\notepad.exe
            Command line: notepad C:/Users/nota.txt
            PID: 2196
            - Suspicious use of FindShellTrayWindow

    C:\Windows\System32\shutdown.exe
        Command line: "C:\Windows\System32\shutdown.exe" -f -r -t 3
        PID: 940
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe
    Command line: explorer.exe
    PID: 1744
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 5.3MB
  MD5: d9dabab21dc0ae729cd41a81850e8593
  SHA1: afca150f0964df9bf4c9336465ed0ff3c7ed4900
  SHA256: 14c2553770ce1d8784cdd691d03f2d215c7112e29cc01701c9c5e8cd27b122f6
  SHA512: 0caf4e854dd4458f8a2d730fe56d6a4c19cf1af5eb7e4b3534b34fd6758be15fbe320c4f823bd53d22d983a0f2fc14e4a8662d7d6c223e823ffa6423f617c5a3

- Filesize: 471B
  MD5: 0aea1502a4192f4fcd8d25d4172ec0e5
  SHA1: adcc286452580eee1a6d651c63f54cdaaadc23e0
  SHA256: acab5764875cdbb4a37299d32da3680ff66221072eb8a044375a872d3b1a9eee
  SHA512: 33ed0647cd4a81e1aa71fa9faa3d548b6fd2596822315dc41eefde1e57dae4440476e128d79288c47636e3ceac0a435b532b6d2c7eefc52c5910385b57771edb