3123af93014a5a5c49aa6fd2118f6805041af178c222be27e30b2fd477085c19

Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

06-08-2024 13:01

06-08-2024 12:52

06-08-2024 12:29

06-08-2024 12:26

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
Size

2.1MB
MD5

ab6ca8e3d0c7967c6372a96334e6bb19
SHA1

58a2142787ffae164d4c78d97102ff652fecfc86
SHA256

6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5
SHA512

a50b4935510a1e6a7100b8eaed8301c8436138960c0932e54d7b59e79da3a0e60b702ccde2388b9c2d6f70d1cff8143bb055e0382b7af6d9788f498f2773c445
SSDEEP

49152:6aUQl+AM2inT6xlAT78y5hIl8JZ7a07xznKMj5RyXE1ID1u17:nLIAM2uumTIft+xznKMj58aIxu17

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2764	KKMAgent.exe

Loads dropped DLL 29 IoCs

pid	Process
2984	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
2984	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
2984	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\KKMAgent = "C:\\Users\\Admin\\AppData\\Roaming\\KkmAgent\\KKMAgent.exe"	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\KKMAgent = "C:\\Users\\Admin\\AppData\\Roaming\\KkmAgent\\KKMAgent.exe"	KKMAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KKMAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2984	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
2984	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
2984	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	KKMAgent.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe
2764	KKMAgent.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2764	2984	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe	31
PID 2984 wrote to memory of 2764	2984	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe	31
PID 2984 wrote to memory of 2764	2984	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe	31
PID 2984 wrote to memory of 2764	2984	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe	31
PID 2984 wrote to memory of 2764	2984	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe	31
PID 2984 wrote to memory of 2764	2984	6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe	31

C:\Users\Admin\AppData\Local\Temp\1\6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
"C:\Users\Admin\AppData\Local\Temp\1\6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Roaming\KkmAgent\KKMAgent.exe
  C:\Users\Admin\AppData\Roaming\KkmAgent\KKMAgent.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Sushkof\KKMAgent.exe_Url_nzfaxrp0lkh3cjia20ze40344dfjopaz\2.4.1.7\5dum0v5w.newcfg

Filesize
729B

MD5
a18b0d2f51a8e2dbabd44027325dadc4

SHA1
d7694468ed5d00ec6313baaf969596b72be2ff23

SHA256
89310dfef9694a6ff078e087ff1c02076537a46c32b2b35740d3021e6c74af51

SHA512
ff387fe0c79c53c11387e801502e1ef964c0b9031deea7674361d1dde1862cbe904ebbaf76ec57f9665deddd54f2dc04add4acc3f95b09979fbb722ed8ae241c

Download Submit
C:\Users\Admin\AppData\Local\Sushkof\KKMAgent.exe_Url_nzfaxrp0lkh3cjia20ze40344dfjopaz\2.4.1.7\user.config

Filesize
324B

MD5
b1dbcf1157c264239ec26b6ebb616c67

SHA1
9434b62ab9c73ec0a837b85b503c062538a3ff79

SHA256
99b76533b7d71cdf2029a9fee066a05870c294f555699bb3732e4d4e614a5d2c

SHA512
659e766fc6deb100c07be97c657136cd491d0651a815410951af9473eec929f04260d5b4fc62caa95d38b2720d1c8731426866f776f74a63a9dfbd39def36082

Download Submit
C:\Users\Admin\AppData\Local\Sushkof\KKMAgent.exe_Url_nzfaxrp0lkh3cjia20ze40344dfjopaz\2.4.1.7\user.config

Filesize
453B

MD5
c011a64555d93fea74ea3c0e026816c1

SHA1
e32bd422f6650c5d3cbdb46a383837df54306e2f

SHA256
4ae02c56bc1a5a1a18d8ad1b321a392ec7971194872366fb21d26e16562010aa

SHA512
d9023dfb3dcfd8e76b13725d523b6329478e76e18ac116ce5e92cab24b32c2903941788cf74843cef3766729c3e044a95a658ca9349c9578641a319a8051ebb8

Download Submit
C:\Users\Admin\AppData\Local\Sushkof\KKMAgent.exe_Url_nzfaxrp0lkh3cjia20ze40344dfjopaz\2.4.1.7\user.config

Filesize
602B

MD5
03b42de551dec05549b67c22fa67086c

SHA1
6d6a3d2013faf071219b53261f2effbeeaa41f31

SHA256
29ced946b073a36f595cedd6686026955ee2d2507ca23e2b480b4e647c12768d

SHA512
45130c1b99581c5d3650ee5d671e9908fd39a8ea5f07cedfccdf36010c474e5e1d64fe094539dc89dede3cb54d5cc11dfe21f491f7922be2b2c67a7e6c12147c

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\Atol.Drivers10.Fptr.dll

Filesize
78KB

MD5
3c46c36b845b1da2c2bd9e0667df0f60

SHA1
570dcc02f0cfb97c352363943285212c833229fe

SHA256
d0f9b82de64219e37556834fb2a7491468d2cbe1d324880c23a3bda8851b9e5c

SHA512
68d24d34813b98ffb4cbc3e8175a19d601a530631f118326101d77a71b1419e8c0915d955ca80ad43c4e54339e43eca6b5c1d8d79050af90e2eea31f06fbe9bc

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\AutoUpdater.NET.dll

Filesize
416KB

MD5
4919c59e98c927eb902a9370a45e71b8

SHA1
4c08f77658d33e5aec0c8873f02779a87ed09334

SHA256
0f2b1c726e47166cfe30f0edbd0939b3723bf3e63fc4dd9d8d178d85a4bcc72f

SHA512
99af63dcce2b058e425fe6eb5d1a3480aabb18a6db9a98d001e81624b492b176a3cd9355c4ad30877adba5a5a65a9a400a3df206500f3c8b76a06cdf492b03ea

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\KKMAgent.exe.config

Filesize
6KB

MD5
da144852e42c8d1936c19ec981783fb0

SHA1
0557a0f9bbe1ab981d6d39686a4db3e0b3579300

SHA256
7ad8aa2d2d4949b8f61c695f4953d3ec3fa06400d36c799ae8541187033924bb

SHA512
43df17386461f9915af606b57ac860cf3c9fc7f26e6d07277d163aa4fb15827c8e95fb00e0aa0d72ecf606ccb4e4d0bf27ed3c0a3b01c66624f2ae60ccf9410e

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\KKMCommon.dll

Filesize
55KB

MD5
a7a37d9622898e7e552585941f1b6c49

SHA1
81bcc45c19dc53ef47a3c09f9eeec8fd058f71ba

SHA256
9eedeeaa7954bab5638f9bf8c3e1b9660ed3fbcd189fa3e1d12c89f283387345

SHA512
c4622704f2ae25fa5cafb48055f2a7dfb0dbbcfb0a1d3708f077e55d877a395a0f46b994396b81533d145c39e1fe0cabfe4f6e4f898ddb5e16da2d1474f79e82

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\KKMLib.dll

Filesize
232KB

MD5
7d94dbdc67089901fc5dbaf484282a12

SHA1
106487fc8102747102f0f9b3f7c517051116af07

SHA256
830a6ddccd484e6215931eb03dec1c9e9b3b9b67cbe57732ddc8438edcb27fdf

SHA512
747e57c57f57779c52928c3f5d1a46c3a295ad941e9ed022ddb8a14b4614fe24394c7d38d37be3bac6dc5bca571694b55dbb99642fd2381decf0f0616e2cb1e5

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\KKMLib.pdb

Filesize
491KB

MD5
bd4216dce8360884a7327344f2f1bc6e

SHA1
56143cbaf858ec0b63a67ca4900ce87905553594

SHA256
3391fbe402f188d08e1f32230a0e11b2afef37a4096b248045d8a146dcb5e4f6

SHA512
5a96326c4bc1910a7cb39265a46316bf1a1e502cd9f22a08263c9651b33f14b951a7b8cc3646fe3f1051bbd1ac2546f5337b0d72292c1d5a12a55896c9cf26f0

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\Microsoft.Diagnostics.Tracing.EventSource.dll

Filesize
166KB

MD5
ad9250c9725e55e11729256336accd56

SHA1
793fe7f04a7b39aa88ebf77deb9cf896d5136f68

SHA256
f9836c19b55583433141cbc1ae4542e65919abb0753e806b29740a732526b685

SHA512
37f85341324343fc1d783d0c8b850c143985d3e39516154979c9cc4ee1bd3440d0fd6f5c457f5de2653288edf24443f7f63b2447728a1323b31267f1697fa300

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\NLog.config

Filesize
887B

MD5
8c6a2547d1f701d2ea2e717d0e232eb8

SHA1
11581190da4311f9174071ad54ad1260e76c008f

SHA256
aa474e0e9be665f2c008cb704086e8f712c349b585208be9e9aa6ece05ac6e60

SHA512
910ad7ff79a765c9d5e8e7f93f07e0b346f3ef9b4487b298e714963d3e6207e38cf3e713031d444ea585f40cd6114d7bfd0ee83a51fc7e63f18fd95b8097b563

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\NLog.dll

Filesize
831KB

MD5
fdcaf6060e7644dbaa96ecfe59c0eacb

SHA1
a8ed5031b70ac682ea850abee07c4f436259cf88

SHA256
29d3a32476a25817f80d64d64bed42d9e0eafa1adf2687cbb51dca12c27503f3

SHA512
12786f33c5d6f5f06bd513fb04af1d8a6226863d51c89c0e481eabc08f7658bffc008629b10b7a0afa87d81b816ccdf7c61a395276e58034a1855ce9f4e81a8b

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\Newtonsoft.Json.dll

Filesize
560KB

MD5
8f81c9520104b730c25d90a9dd511148

SHA1
7cf46cb81c3b51965c1f78762840eb5797594778

SHA256
f1f01b3474b92d6e1c3d6adfae74ee0ea0eba6e9935565fe2317686d80a2e886

SHA512
b4a66389bf06a6611df47e81b818cc2fcd0a854324a2564a4438866953f148950f59cd4c07c9d40cc3a9043b5ce12b150c8a56cccdf98d5e3f0225edf8c516f3

Download Submit
C:\Users\Admin\AppData\Roaming\KkmAgent\RabbitMQ.Client.dll

Filesize
273KB

MD5
5477f26fc30271354c594fd156a6c53f

SHA1
e163fec209e3b12df34745f59bbee6f16dc4c0db

SHA256
9c1d6b531e0ee905f5a66e792adc7dead9fc46590ad9d9a8cc955fc9d821c678

SHA512
adf3cf60d120dc74c41c7e3b0da48802c41be0b021a3f44906b4ba52a715f432563f50de7bd11c4b6ee90019f8c7f724f00414403699771c1d3162df703d8299

Download Submit
\Users\Admin\AppData\Local\Temp\nsjCD6E.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Roaming\KkmAgent\KKMAgent.exe

Filesize
92KB

MD5
88e66c7e4276c4dace9d55d4e3727f4a

SHA1
73009c6da6b86c76959df9decf46f6289df1ad2c

SHA256
7424421b2a805f5ecdd94a970fe6597ecc713c2da71b2b79d73719a5c3585cdd

SHA512
24fd763932444adfa7a00484211ca23db96ce58349995bb3fbf2eec509802e5351dcbe127e962aae9b832b7ba9189f53ee2433b3d826a1fd5b92863477c9e9ed

Download Submit
\Users\Admin\AppData\Roaming\KkmAgent\PilotNtSharp.dll

Filesize
8KB

MD5
050f359cbb074e55d505506b4b35bb7d

SHA1
e80cd3036c045c90548fef5fe1566aa3d8050289

SHA256
c9dae5e8b3150d4d993ced26cfede0c305a5ae6329a3c80f61ffac53185e3b90

SHA512
2a0a2777852eed3ef1d9b0aa5ab6306757491eb6ed3a78b7eb5849aea1ae29cb46e56624f4e456774f1bf6c2f6d3cb160c67938faeee670314a74793fde24f78

Download Submit
memory/2764-70-0x0000000000300000-0x0000000000314000-memory.dmp

Filesize
80KB

Download
memory/2764-92-0x00000000066E0000-0x0000000006770000-memory.dmp

Filesize
576KB

Download
memory/2764-97-0x0000000004BB0000-0x0000000004BDC000-memory.dmp

Filesize
176KB

Download
memory/2764-101-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download
memory/2764-88-0x0000000004FB0000-0x0000000004FFA000-memory.dmp

Filesize
296KB

Download
memory/2764-105-0x0000000005810000-0x000000000582A000-memory.dmp

Filesize
104KB

Download
memory/2764-84-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/2764-76-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download
memory/2764-74-0x0000000001E20000-0x0000000001E60000-memory.dmp

Filesize
256KB

Download
memory/2764-64-0x00000000042D0000-0x00000000043A4000-memory.dmp

Filesize
848KB

Download
memory/2764-60-0x00000000002E0000-0x00000000002FE000-memory.dmp

Filesize
120KB

Download
memory/2764-58-0x0000000073DDE000-0x0000000073DDF000-memory.dmp

Filesize
4KB

Download
memory/2764-145-0x0000000005B00000-0x0000000005B6E000-memory.dmp

Filesize
440KB

Download
memory/2764-146-0x0000000073DDE000-0x0000000073DDF000-memory.dmp

Filesize
4KB

Download
memory/2764-147-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download
memory/2764-148-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download