Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 08:27
Behavioral task
behavioral1
Sample
KkKL23yz.exe
Resource
win7-20240903-en
General
-
Target
KkKL23yz.exe
-
Size
475KB
-
MD5
ce0c97958ef707811df63fe93dba943a
-
SHA1
2aaa0f40c33a0eccd51a2a26d0a118c7e2797e41
-
SHA256
3cf3e4125f55986bd7bfc6d52890fbd40b2444397ebd798f72b90ba9ed597c57
-
SHA512
f9e1ed8c70b91d4029c78e810bb066f7e97c910909da230e44ece29d97b7c0842701875552af2b134d6689191e1254d6134c139b0e580eafa36c7088fa1443bf
-
SSDEEP
12288:gNrhTLpMP+R+QDCfA832AtBYmz6af0F7Z1QVjSOsJ/c:gthTiP+ffCfB5Lf0F7Z1EDsVc
Malware Config
Signatures
-
Processes:
KkKL23yz.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" KkKL23yz.exe -
Processes:
resource yara_rule behavioral2/memory/4968-0-0x0000000000400000-0x000000000053F000-memory.dmp upx behavioral2/memory/4968-26-0x0000000000400000-0x000000000053F000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
KkKL23yz.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language KkKL23yz.exe -
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
KkKL23yz.exepid Process 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe 4968 KkKL23yz.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
KkKL23yz.exepid Process 4968 KkKL23yz.exe 4968 KkKL23yz.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
KkKL23yz.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System KkKL23yz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" KkKL23yz.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2