Analysis
max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
11-12-2024 01:17
Static task
static1
Behavioral task
behavioral1
Sample
1f6907229ef8b63bff8befeab77a0393d8b1a0385718b1c480cfaedfe42298d5.exe
Resource
win7-20240903-en
General
Target
1f6907229ef8b63bff8befeab77a0393d8b1a0385718b1c480cfaedfe42298d5.exe
Size
136.8MB
MD5
97c8ec5f8f8a330a8d130ac06369dea3
SHA1
62e2814a10161ad137935d568acafe60467861ad
SHA256
1f6907229ef8b63bff8befeab77a0393d8b1a0385718b1c480cfaedfe42298d5
SHA512
2ef10ceae9c07f3b30adb71b9807565bde35c1e53f20aebfa70d97b68dc124d2962f2def2db27809e496a26fbd19003297c695cacb7e79ebc83ab18379e3e926
SSDEEP
3145728:ATOs6vohFseEWHuMko0zNUiV4vGwhZzAhau4kB5w+r:A6BvoTseEWORJg4auKY
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
pid    Process
2908   nofkv.exe
2688   LineInst.exe
12684  Kbskb.exe
3140   Kbskb.exe

Loads dropped DLL (8 IoCs)
pid    Process
2924   1f6907229ef8b63bff8befeab77a0393d8b1a0385718b1c480cfaedfe42298d5.exe (8 occurrences)

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\P:  Kbskb.exe
File opened (read-only)  \??\Q:  Kbskb.exe
File opened (read-only)  \??\T:  Kbskb.exe
File opened (read-only)  \??\B:  Kbskb.exe
File opened (read-only)  \??\I:  Kbskb.exe
File opened (read-only)  \??\J:  Kbskb.exe
File opened (read-only)  \??\X:  Kbskb.exe
File opened (read-only)  \??\Y:  Kbskb.exe
File opened (read-only)  \??\L:  Kbskb.exe
File opened (read-only)  \??\R:  Kbskb.exe
File opened (read-only)  \??\V:  Kbskb.exe
File opened (read-only)  \??\S:  Kbskb.exe
File opened (read-only)  \??\U:  Kbskb.exe
File opened (read-only)  \??\W:  Kbskb.exe
File opened (read-only)  \??\Z:  Kbskb.exe
File opened (read-only)  \??\G:  Kbskb.exe
File opened (read-only)  \??\H:  Kbskb.exe
File opened (read-only)  \??\M:  Kbskb.exe
File opened (read-only)  \??\O:  Kbskb.exe
File opened (read-only)  \??\E:  Kbskb.exe
File opened (read-only)  \??\K:  Kbskb.exe
File opened (read-only)  \??\N:  Kbskb.exe

Drops file in System32 directory (2 IoCs)
description                   ioc                            Process
File created                  C:\Windows\SysWOW64\Kbskb.exe  nofkv.exe
File opened for modification  C:\Windows\SysWOW64\Kbskb.exe  nofkv.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (38 IoCs)
pid    Process
2908   nofkv.exe (5 occurrences)
12684  Kbskb.exe (2 occurrences)
3140   Kbskb.exe (31 occurrences)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Kbskb.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Kbskb.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1f6907229ef8b63bff8befeab77a0393d8b1a0385718b1c480cfaedfe42298d5.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  LineInst.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nofkv.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
3096  cmd.exe
6232  PING.EXE

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       Kbskb.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  Kbskb.exe

Modifies data under HKEY_USERS (12 IoCs)
description       ioc  Process
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  Kbskb.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  Kbskb.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  Kbskb.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum  Kbskb.exe
Key created       \REGISTRY\USER\.DEFAULT\Software  Kbskb.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum  Kbskb.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"  Kbskb.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  Kbskb.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft  Kbskb.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie  Kbskb.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  Kbskb.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  Kbskb.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid   Process
6232  PING.EXE

Suspicious behavior: EnumeratesProcesses (35 IoCs)
pid   Process
3140  Kbskb.exe (35 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                       pid   Process
Token: SeIncBasePriorityPrivilege  2908  nofkv.exe
Token: 33                          3140  Kbskb.exe
Token: SeIncBasePriorityPrivilege  3140  Kbskb.exe

Suspicious use of WriteProcessMemory (23 IoCs)
description                        pid    Process                                                                   procid_target
PID 2924 wrote to memory of 2908   2924   1f6907229ef8b63bff8befeab77a0393d8b1a0385718b1c480cfaedfe42298d5.exe     30  (4 occurrences)
PID 2924 wrote to memory of 2688   2924   1f6907229ef8b63bff8befeab77a0393d8b1a0385718b1c480cfaedfe42298d5.exe     31  (7 occurrences)
PID 12684 wrote to memory of 3140  12684  Kbskb.exe                                                                 34  (4 occurrences)
PID 2908 wrote to memory of 3096   2908   nofkv.exe                                                                 33  (4 occurrences)
PID 3096 wrote to memory of 6232   3096   cmd.exe                                                                   36  (4 occurrences)
Processes

1  C:\Users\Admin\AppData\Local\Temp\1f6907229ef8b63bff8befeab77a0393d8b1a0385718b1c480cfaedfe42298d5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1f6907229ef8b63bff8befeab77a0393d8b1a0385718b1c480cfaedfe42298d5.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2924

   2  C:\Users\Admin\AppData\Local\Temp\nofkv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nofkv.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2908

      3  C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\nofkv.exe > nul
         - System Location Discovery: System Language Discovery
         - System Network Configuration Discovery: Internet Connection Discovery
         - Suspicious use of WriteProcessMemory
         PID: 3096

         4  C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 2 127.0.0.1
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 6232

   2  C:\Users\Admin\AppData\Local\Temp\LineInst.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\LineInst.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2688

1  C:\Windows\SysWOW64\Kbskb.exe
   Command line: C:\Windows\SysWOW64\Kbskb.exe -auto
   - Executes dropped EXE
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 12684

   2  C:\Windows\SysWOW64\Kbskb.exe
      Command line: C:\Windows\SysWOW64\Kbskb.exe -acsi
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3140
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
4.6MB
MD5
7a267dc934ef6484d157bfec4478071a
SHA1
5a8a4053e50a777c5f80fe3b3ddf310bb19e123a
SHA256
90eec722f91e4bb4267d598d23d82e99f218972b4d9deb02843e4db4eed96642
SHA512
1e633b8557dbd6ac91b201c69fcb4ed6aae27858b369f26d1244a75826f693ba46eb30f6fd4c4d5bd4a780453dc52f282c3d40289dec4902bd4b316fea5af645

Filesize
1004KB
MD5
587e3bc21efaf428c87331decc9bfeb3
SHA1
a5b8ebeab4e3968673a61a95350b7f0bf60d7459
SHA256
b931c5686cc09b2183bba197dc151b8e95ca6151e39fb98954352340c0b31120
SHA512
ffae2dab5caf16dc7dfd0a97a8ff6349a466bc57ee043d1ac4d53e011498e39b9a855295d10207ba578c6857abebd445d378e83aa2ff6ec247713d81b370d0ca

Filesize
27.4MB
MD5
1f966ad98da8e945a465dfd17be0d5d4
SHA1
73736700af96c7086e359d17f611dc9d135defca
SHA256
8952d09c0acb5baa90c0418b35da93d623249194385983f2e3e402d51c77db7a
SHA512
6138b636aacdbeb70fc9b4352b8b2dabe9d4c3fbbf457b0d7b88d2d4c922a22c3f95ef0d24ca0b407dfd447f202a8e6aa017dd2f249f3593ce0f7e668b764318