4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8

General

Target

ksUu.exe
Size

1.9MB
MD5

1f2be558a74cb83afab86147e70d87d6
SHA1

67aa1ef5fca4e3e720feb6080d0f1ac20b503b26
SHA256

4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8
SHA512

5f8af4ea3bd3a5078b91d086ef1d4d1a9d88f2065621eb76ce21573e02144deab5f6e33d65a0525caff1387e5bbfa1ea4bb3f288e60045efcf7a82d5f57e87a9
SSDEEP

49152:33X/qQfkYzgrW/r1DNKHOkjSKwgRVRm9SMHGVa52a:nTfccDMRSKTVRmQi3

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2900	ksUu.tmp
2684	ksUu.tmp
1912	msedgewebview2.exe

Loads dropped DLL 6 IoCs

pid	Process
3064	ksUu.exe
2900	ksUu.tmp
2900	ksUu.tmp
2828	ksUu.exe
2684	ksUu.tmp
2684	ksUu.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksUu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksUu.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksUu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksUu.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2684	ksUu.tmp
2684	ksUu.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2684	ksUu.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2900	3064	ksUu.exe	30
PID 3064 wrote to memory of 2900	3064	ksUu.exe	30
PID 3064 wrote to memory of 2900	3064	ksUu.exe	30
PID 3064 wrote to memory of 2900	3064	ksUu.exe	30
PID 3064 wrote to memory of 2900	3064	ksUu.exe	30
PID 3064 wrote to memory of 2900	3064	ksUu.exe	30
PID 3064 wrote to memory of 2900	3064	ksUu.exe	30
PID 2900 wrote to memory of 2828	2900	ksUu.tmp	31
PID 2900 wrote to memory of 2828	2900	ksUu.tmp	31
PID 2900 wrote to memory of 2828	2900	ksUu.tmp	31
PID 2900 wrote to memory of 2828	2900	ksUu.tmp	31
PID 2900 wrote to memory of 2828	2900	ksUu.tmp	31
PID 2900 wrote to memory of 2828	2900	ksUu.tmp	31
PID 2900 wrote to memory of 2828	2900	ksUu.tmp	31
PID 2828 wrote to memory of 2684	2828	ksUu.exe	32
PID 2828 wrote to memory of 2684	2828	ksUu.exe	32
PID 2828 wrote to memory of 2684	2828	ksUu.exe	32
PID 2828 wrote to memory of 2684	2828	ksUu.exe	32
PID 2828 wrote to memory of 2684	2828	ksUu.exe	32
PID 2828 wrote to memory of 2684	2828	ksUu.exe	32
PID 2828 wrote to memory of 2684	2828	ksUu.exe	32

C:\Users\Admin\AppData\Local\Temp\ksUu.exe
"C:\Users\Admin\AppData\Local\Temp\ksUu.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\is-CCMIH.tmp\ksUu.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CCMIH.tmp\ksUu.tmp" /SL5="$60152,1610660,141312,C:\Users\Admin\AppData\Local\Temp\ksUu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\ksUu.exe
    "C:\Users\Admin\AppData\Local\Temp\ksUu.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\is-UB39O.tmp\ksUu.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-UB39O.tmp\ksUu.tmp" /SL5="$70152,1610660,141312,C:\Users\Admin\AppData\Local\Temp\ksUu.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2684
    - - C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\\NVIDIA app\\864\\msedgewebview2.exe"
        5⤵
        Executes dropped EXE
        
        PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe

Filesize
3.2MB

MD5
71fdf2d301949413f8b14e0f12c2e0f5

SHA1
c57e8eff6bfc0be6420e97cfd6de895c937fd5b7

SHA256
1e7e2c05c6c634aa7f11c8c217bf9c21fbe336f128d744fbaf3fc91d643925a0

SHA512
752fe30b893a1e0a0fbd93fb91dceea2b88f5e1c067e8f780fbedcf1fd4a11ec1317d65bbc3c11086926a2d37a49e5f519c40f7d65dba335079dc2044dd53f58

Download Submit
\Users\Admin\AppData\Local\Temp\is-CCMIH.tmp\ksUu.tmp

Filesize
1.1MB

MD5
8fdc58c7d4c59472615682d6dea9d190

SHA1
8e131fe09fd238493719b4fd92e6c833bf3596c1

SHA256
26a5be637ee680b1ec11d1adf2fd0972cc52078cbd200d9273f8bb826707c83b

SHA512
b05b9fd8ff3d627b562cbd2968466fb54adbc2fa5591ebe803300a3c5ef7887bc1761d8013b47aab0f5387265c8b7b15078a01abb75d4c3180671780181ebe24

Download Submit
\Users\Admin\AppData\Local\Temp\is-RAJK7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2684-49-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/2828-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2828-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2828-51-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2900-8-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/2900-20-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/3064-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/3064-1-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3064-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing