Analysis
-
max time kernel
92s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30-11-2024 21:30
Behavioral task
behavioral1
Sample
kohjaekdfth.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
kohjaekdfth.exe
Resource
win10v2004-20241007-en
General
-
Target
kohjaekdfth.exe
-
Size
1.1MB
-
MD5
4992863093cb396628acfb86b56af1e6
-
SHA1
4f61861be36c992e420dd387997322130ba2164d
-
SHA256
c4fcb04af557153060abc9488b017c3875074dcda7a84c59a18cee798e95ef56
-
SHA512
d6dd52bdd607837ba685ee672410db23d3cc0a1de2a01ef5ad46e55401e205ac14795591fb03e3deb330a93c1a587d6e4d5a065a42d7b2da5ad069ae60cae8fc
-
SSDEEP
24576:kMcsnSHziAtR/JTSje9XB0Jh0lhSMXl5jRxIKy9a:kM/nSHN7/Aj0XB0QpjfIKy9a
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
kohjaekdfth.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation kohjaekdfth.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
Processes:
kohjaekdfth.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kohjaekdfth.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kohjaekdfth.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kohjaekdfth.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kohjaekdfth.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kohjaekdfth.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
kohjaekdfth.execmd.exePING.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kohjaekdfth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid Process 4724 cmd.exe 2268 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
kohjaekdfth.exepid Process 2024 kohjaekdfth.exe 2024 kohjaekdfth.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
kohjaekdfth.exedescription pid Process Token: SeDebugPrivilege 2024 kohjaekdfth.exe Token: SeImpersonatePrivilege 2024 kohjaekdfth.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
kohjaekdfth.execmd.exedescription pid Process procid_target PID 2024 wrote to memory of 4724 2024 kohjaekdfth.exe 89 PID 2024 wrote to memory of 4724 2024 kohjaekdfth.exe 89 PID 2024 wrote to memory of 4724 2024 kohjaekdfth.exe 89 PID 4724 wrote to memory of 2268 4724 cmd.exe 91 PID 4724 wrote to memory of 2268 4724 cmd.exe 91 PID 4724 wrote to memory of 2268 4724 cmd.exe 91 -
outlook_office_path 1 IoCs
Processes:
kohjaekdfth.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kohjaekdfth.exe -
outlook_win_path 1 IoCs
Processes:
kohjaekdfth.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kohjaekdfth.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\kohjaekdfth.exe"C:\Users\Admin\AppData\Local\Temp\kohjaekdfth.exe"1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2024 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\kohjaekdfth.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2268
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1