Overview

overview

10

Static

static

3

Kawaii.exe

windows10-ltsc 2021-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Kawaii.exe

  • Size

    2.6MB

  • Sample

    241123-262sysxraj

  • MD5

    80abe77c2c53371b5a39f2ded335c8c8

  • SHA1

    484e65248fe796cd9e66c04d087ec4d0217a83cc

  • SHA256

    e6f414475c95a5dc5b98c66b14b600c2be9cc796623b58897d3e3e9ac61749aa

  • SHA512

    a0bec295af51bfd54b0ae4fda7f830bbb28d817c9900fbef598898944d754ff74ec50e2cffde56b6c26549cc906826776711f899dd015d8fbe9015c188c5bfa7

  • SSDEEP

    49152:eZV9xBtVxACg6LTA55Xfmj+sUR1sDVZZHBkbnnTJmyKeG8nQauaBT85smxo9:I9fPfkXfmjW4Dgn0c8Wmxo

Score
10/10
discoveryevasionexploitpersistencetrojan

Malware Config

Targets

    • Target

      Kawaii.exe

    • Size

      2.6MB

    • MD5

      80abe77c2c53371b5a39f2ded335c8c8

    • SHA1

      484e65248fe796cd9e66c04d087ec4d0217a83cc

    • SHA256

      e6f414475c95a5dc5b98c66b14b600c2be9cc796623b58897d3e3e9ac61749aa

    • SHA512

      a0bec295af51bfd54b0ae4fda7f830bbb28d817c9900fbef598898944d754ff74ec50e2cffde56b6c26549cc906826776711f899dd015d8fbe9015c188c5bfa7

    • SSDEEP

      49152:eZV9xBtVxACg6LTA55Xfmj+sUR1sDVZZHBkbnnTJmyKeG8nQauaBT85smxo9:I9fPfkXfmjW4Dgn0c8Wmxo

    Score
    10/10
    discoveryevasionexploitpersistencetrojan

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies visibility of file extensions in Explorer

      evasion

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • UAC bypass

      evasiontrojan

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

      evasion

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Drops file in Drivers directory

    • Possible privilege escalation attempt

      exploit

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Modifies WinLogon

      persistence

    • Modifies boot configuration data using bcdedit

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Winlogon Helper DLL

2
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Winlogon Helper DLL

2
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

File and Directory Permissions Modification

1
T1222

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

9
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks