Analysis
- max time kernel: 134s
- max time network: 94s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
- submitted: 20-11-2024 14:41
Static task: static1
Behavioral task: behavioral1
- Sample: Kawaii.exe
- Resource: win11-20241007-en
Errors
General
- Target: Kawaii.exe
- Size: 5.8MB
- MD5: 006fe3fc14a6c1e45bf484878e69d8f8
- SHA1: 680ca4367f114a726ff9233fe942b8f615823968
- SHA256: a7c98b50f8a332367c7bb72e1a4eacf6911a3ac3deaf8328b6645a62ededc08c
- SHA512: 0f3ffe6596a354e78993248372d67c8da89e585cf8854628a6541e8c1d70b752cf704900f511c49484ec0a6eaeccf65dc32268e9033fc8e4089572fe6a25a00d
- SSDEEP: 98304:ku3aEGA+Bf2ycevqJZUfYLceHQIJ/xvXEGAzBIcevqJZUfYLcN3HQIJ/xvf2:kD3cLrvLcqQIJ5TcLrvLc5QIJ
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:/Windows/Temp/Windows.vbs\"" | Kawaii.exe

Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | Kawaii.exe

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kawaii.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kawaii.exe

UAC bypass
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kawaii.exe

Blocks application from running via registry modification (9 IoCs)
Adds application to list of disallowed applications.
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "notepad.exe" | Kawaii.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "Autoruns64.exe" | Kawaii.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "Autorunsc64.exe" | Kawaii.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "ProcessHacker.exe" | Kawaii.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "procexp64.exe" | Kawaii.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "Autoruns.exe" | Kawaii.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "Autorunsc.exe" | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | Kawaii.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun | Kawaii.exe

Disables RegEdit via registry modification (1 IoCs)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kawaii.exe

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)

Drops file in Drivers directory (1 IoCs)
Processes:
description | ioc | Process
File created | C:\Windows\System32\drivers\Kawaii.exe | Kawaii.exe

Possible privilege escalation attempt (6 IoCs)
Processes:
pid | Process
1492 | icacls.exe
5704 | takeown.exe
5828 | takeown.exe
816 | icacls.exe
5636 | takeown.exe
1612 | icacls.exe

Deletes itself (1 IoCs)
Processes:
pid | Process
4624 | Kawaii.exe

Executes dropped EXE (1 IoCs)
Processes:
pid | Process
4624 | Kawaii.exe

Modifies file permissions (1 TTPs, 6 IoCs)
Processes:
pid | Process
5704 | takeown.exe
5828 | takeown.exe
816 | icacls.exe
5636 | takeown.exe
1612 | icacls.exe
1492 | icacls.exe

Checks whether UAC is enabled
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kawaii.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" | Kawaii.exe

Modifies boot configuration data using bcdedit (1 IoCs)
Processes:
pid | Process
3584 | bcdedit.exe

Drops file in System32 directory (11 IoCs)
Processes:
description | ioc | Process
File created | C:\Windows\System32\Win32\Windows\Kawaii\Temp\Kawaii.exe | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\Kawaii.exe | Kawaii.exe
File created | C:\Windows\System32\Kawaii.exe | Kawaii.exe
File created | C:\Windows\System32\Win32\Windows\Kawaii\Temp\WindowsActual.txt | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\gemido.wav | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\icon.ico | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo.jpg | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\control.reg | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\flower_blue.ani | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo1.jpg | Kawaii.exe
File opened for modification | C:\Windows\System32\Win32\Windows\Kawaii\Temp\fondo2.jpg | Kawaii.exe

Drops file in Program Files directory (1 IoCs)
Processes:
description | ioc | Process
File created | C:\Program Files\Win32\Temp\Kawaii.exe | Kawaii.exe

Drops file in Windows directory (1 IoCs)
Processes:
description | ioc | Process
File created | C:\Windows\Kawaii.exe | Kawaii.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | Taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | Taskmgr.exe

Modifies Control Panel (1 IoCs)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\AutoColorization = "1" | Kawaii.exe

Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://github.com/Joseantonio2354/Kawaii" | Kawaii.exe

Modifies registry class (1 IoCs)
Processes:
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings | Kawaii.exe

Opens file in notepad (likely ransom note) (1 IoCs)
Processes:
pid | Process
948 | NOTEPAD.EXE

Runs .reg file with regedit (1 IoCs)
Processes:
pid | Process
1336 | regedit.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (repeated entries collapsed, with the number of occurrences):
pid | Process | entries
5040 | Taskmgr.exe | 48
4624 | Kawaii.exe | 16

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 5788 | Kawaii.exe
Token: SeDebugPrivilege | 5480 | Kawaii.exe
Token: SeDebugPrivilege | 5040 | Taskmgr.exe
Token: SeSystemProfilePrivilege | 5040 | Taskmgr.exe
Token: SeCreateGlobalPrivilege | 5040 | Taskmgr.exe
Token: SeDebugPrivilege | 4424 | Kawaii.exe
Token: SeDebugPrivilege | 4624 | Kawaii.exe
Token: SeTakeOwnershipPrivilege | 5828 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5636 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5704 | takeown.exe
Token: 33 | 6008 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 6008 | AUDIODG.EXE
Token: SeDebugPrivilege | 3544 | taskkillH1BUmuE4gUjeryUQt6yB.exe
Token: SeShutdownPrivilege | 4280 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 4280 | shutdown.exe
Token: SeShutdownPrivilege | 4624 | Kawaii.exe

Suspicious use of FindShellTrayWindow (62 IoCs)
Processes (repeated entries collapsed, with the number of occurrences):
pid | Process | entries
5040 | Taskmgr.exe | 59
4624 | Kawaii.exe | 3

Suspicious use of SendNotifyMessage (62 IoCs)
Processes (repeated entries collapsed, with the number of occurrences):
pid | Process | entries
5040 | Taskmgr.exe | 59
4624 | Kawaii.exe | 3

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | Process
1568 | PickerHost.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Processes (each entry is recorded twice in the report; the 16 distinct entries are listed once):
description | pid | Process | procid_target
PID 4424 wrote to memory of 4624 | 4424 | Kawaii.exe | 91
PID 4624 wrote to memory of 948 | 4624 | Kawaii.exe | 92
PID 4624 wrote to memory of 4480 | 4624 | Kawaii.exe | 94
PID 4480 wrote to memory of 5828 | 4480 | cmd.exe | 96
PID 4480 wrote to memory of 816 | 4480 | cmd.exe | 97
PID 4480 wrote to memory of 5636 | 4480 | cmd.exe | 98
PID 4480 wrote to memory of 1612 | 4480 | cmd.exe | 99
PID 4480 wrote to memory of 5704 | 4480 | cmd.exe | 100
PID 4480 wrote to memory of 1492 | 4480 | cmd.exe | 101
PID 4624 wrote to memory of 5256 | 4624 | Kawaii.exe | 103
PID 4624 wrote to memory of 3544 | 4624 | Kawaii.exe | 105
PID 4624 wrote to memory of 4272 | 4624 | Kawaii.exe | 107
PID 4624 wrote to memory of 1456 | 4624 | Kawaii.exe | 109
PID 4272 wrote to memory of 4572 | 4272 | cmd.exe | 112
PID 1456 wrote to memory of 3584 | 1456 | cmd.exe | 113
PID 4624 wrote to memory of 4280 | 4624 | Kawaii.exe | 114

System policy modification (1 TTPs, 11 IoCs)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1" | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kawaii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" | Kawaii.exe
Processes
(Process tree; each level of indentation is one level deeper in the tree.)

C:\Users\Admin\AppData\Local\Temp\Kawaii.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 5788

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1124

C:\Users\Admin\AppData\Local\Temp\Kawaii.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 5480

C:\Windows\System32\Taskmgr.exe
  Command line: "C:\Windows\System32\Taskmgr.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 5040

C:\Users\Admin\Desktop\Kawaii.exe
  Command line: "C:\Users\Admin\Desktop\Kawaii.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4424
    C:\Users\Admin\AppData\Local\Temp\Kawaii.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Kawaii.exe"
      - Modifies WinLogon for persistence
      - Modifies Windows Defender Real-time Protection settings
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Blocks application from running via registry modification
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Deletes itself
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 4624

        C:\Windows\system32\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
          - Opens file in notepad (likely ransom note)
          PID: 948
        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\gpedit.msc && icacls C:\Windows\System32\gpedit.msc /grant %username%:F && takeown /f C:\Windows\System32\mmc.exe && icacls C:\Windows\System32\mmc.exe /grant %username%:F && takeown /f C:\Windows\System32\taskkill.exe && icacls C:\Windows\System32\taskkill.exe /grant %username%:F && exit
          - Suspicious use of WriteProcessMemory
          PID: 4480

            C:\Windows\system32\takeown.exe
              Command line: takeown /f C:\Windows\System32\gpedit.msc
              - Possible privilege escalation attempt
              - Modifies file permissions
              - Suspicious use of AdjustPrivilegeToken
              PID: 5828

            C:\Windows\system32\icacls.exe
              Command line: icacls C:\Windows\System32\gpedit.msc /grant Admin:F
              - Possible privilege escalation attempt
              - Modifies file permissions
              PID: 816

            C:\Windows\system32\takeown.exe
              Command line: takeown /f C:\Windows\System32\mmc.exe
              - Possible privilege escalation attempt
              - Modifies file permissions
              - Suspicious use of AdjustPrivilegeToken
              PID: 5636

            C:\Windows\system32\icacls.exe
              Command line: icacls C:\Windows\System32\mmc.exe /grant Admin:F
              - Possible privilege escalation attempt
              - Modifies file permissions
              PID: 1612

            C:\Windows\system32\takeown.exe
              Command line: takeown /f C:\Windows\System32\taskkill.exe
              - Possible privilege escalation attempt
              - Modifies file permissions
              - Suspicious use of AdjustPrivilegeToken
              PID: 5704

            C:\Windows\system32\icacls.exe
              Command line: icacls C:\Windows\System32\taskkill.exe /grant Admin:F
              - Possible privilege escalation attempt
              - Modifies file permissions
              PID: 1492
        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit" && exit
          PID: 5256

            C:\Windows\regedit.exe
              Command line: regedit /s "C:/Windows/System32/Win32/Windows/Kawaii/Temp/control.reg && exit"
              - Runs .reg file with regedit
              PID: 1336

        C:\Windows\System32\taskkillH1BUmuE4gUjeryUQt6yB.exe
          Command line: "C:\Windows\System32\taskkillH1BUmuE4gUjeryUQt6yB.exe" -f -im explorer.exe
          - Suspicious use of AdjustPrivilegeToken
          PID: 3544

        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k notepad C:/Users/nota.txt && exit
          - Suspicious use of WriteProcessMemory
          PID: 4272

            C:\Windows\system32\notepad.exe
              Command line: notepad C:/Users/nota.txt
              PID: 4572

        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k bcdedit /deletevalue {current} safeboot
          - Suspicious use of WriteProcessMemory
          PID: 1456

            C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /deletevalue {current} safeboot
              - Modifies boot configuration data using bcdedit
              PID: 3584

        C:\Windows\System32\shutdown.exe
          Command line: "C:\Windows\System32\shutdown.exe" -f -r -t 3
          - Suspicious use of AdjustPrivilegeToken
          PID: 4280

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004B8
  - Suspicious use of AdjustPrivilegeToken
  PID: 6008

C:\Windows\System32\PickerHost.exe
  Command line: C:\Windows\System32\PickerHost.exe -Embedding
  - Suspicious use of SetWindowsHookEx
  PID: 1568
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Winlogon Helper DLL (2)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2): Winlogon Helper DLL (2)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- File and Directory Permissions Modification (1)
- Hide Artifacts (2): Hidden Files and Directories (2)
- Impair Defenses (2): Disable or Modify Tools (2)
- Modify Registry (8)
Downloads