Analysis

  • max time kernel
    119s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/03/2025, 23:10

General

  • Target

    ILoveKids.exe

  • Size

    90KB

  • MD5

    b6c4c49375cb3b54a63066deec0f23b5

  • SHA1

    4f8b5cbaf0e20875eccab2a6dc08b10bd4880fcf

  • SHA256

    76a4e97d29f23282682d4bf714d8a1a93ce954b3eda38d749a83552e990ecb4f

  • SHA512

    63c612a920e4350c1b91329c741022a3835d18d30ecf189f0ac9535f37efb28a34a86ed3a76d3a2575562b7525c7fd33df52d6e0dcb61045a95a65d4aa99601a

  • SSDEEP

    1536:P7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf2wNiixOQ:j7DhdC6kzWypvaQ0FxyNTBf2C

Malware Config

Signatures

  • Sets file to hidden (1 TTP, 2 IoCs)

    Modifies file attributes to stop it showing in Explorer etc.

  • Modifies file permissions (1 TTP, 12 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in System32 directory (5 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Opens file in notepad (likely ransom note) (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (34 IoCs)
  • Suspicious use of SendNotifyMessage (33 IoCs)
  • Suspicious use of WriteProcessMemory (38 IoCs)
  • Views/modifies file attributes (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ILoveKids.exe
    "C:\Users\Admin\AppData\Local\Temp\ILoveKids.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8DB9.tmp\8DBA.tmp\8DBB.bat C:\Users\Admin\AppData\Local\Temp\ILoveKids.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5816
      • C:\Windows\system32\attrib.exe
        attrib +s +h +r "C:\Windows\System32\flare.bat"
        3⤵
        • Sets file to hidden
        • Drops file in System32 directory
        • Views/modifies file attributes
        PID:3632
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\flare.bat" /deny Everyone:(F)
        3⤵
        • Modifies file permissions
        PID:4640
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\flare.bat" /deny SYSTEM:(F)
        3⤵
        • Modifies file permissions
        PID:3208
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\flare.bat" /deny Administrators:(F)
        3⤵
        • Modifies file permissions
        PID:5564
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Security Update" /t REG_SZ /d "C:\Windows\System32\flare.bat" /f
        3⤵
        • Adds Run key to start application
        PID:5176
      • C:\Windows\system32\cmd.exe
        cmd.exe
        3⤵
        PID:3976
        • C:\Windows\system32\notepad.exe
          notepad "C:\Users\Admin\Desktop\flare_warning.txt"
          3⤵
          • Opens file in notepad (likely ransom note)
          PID:3016
        • C:\Windows\system32\icacls.exe
          icacls "C:\Users\Admin\Desktop\CON" /deny Everyone:(F
          3⤵
          • Modifies file permissions
          PID:2772
        • C:\Windows\system32\icacls.exe
          icacls "C:\Users\Admin\Desktop\PRN" /deny Everyone:(F
          3⤵
          • Modifies file permissions
          PID:1812
        • C:\Windows\system32\icacls.exe
          icacls "C:\Users\Admin\Desktop\AUX" /deny Everyone:(F
          3⤵
          • Modifies file permissions
          PID:4460
        • C:\Windows\system32\icacls.exe
          icacls "C:\Users\Admin\Desktop\NUL" /deny Everyone:(F
          3⤵
          • Modifies file permissions
          PID:4084
        • C:\Windows\system32\icacls.exe
          icacls "C:\Users\Admin\Desktop\COM1" /deny Everyone:(F
          3⤵
          • Modifies file permissions
          PID:4916
        • C:\Windows\system32\icacls.exe
          icacls "C:\Users\Admin\Desktop\COM2" /deny Everyone:(F
          3⤵
          • Modifies file permissions
          PID:4620
        • C:\Windows\system32\icacls.exe
          icacls "C:\Users\Admin\Desktop\COM3" /deny Everyone:(F
          3⤵
          • Modifies file permissions
          PID:4612
        • C:\Windows\system32\icacls.exe
          icacls "C:\Users\Admin\Desktop\LPT1" /deny Everyone:(F
          3⤵
          • Modifies file permissions
          PID:4576
        • C:\Windows\system32\icacls.exe
          icacls "C:\Users\Admin\Desktop\LPT2" /deny Everyone:(F
          3⤵
          • Modifies file permissions
          PID:4668
        • C:\Windows\system32\attrib.exe
          attrib +s +h "C:\Users\Admin\Desktop\LPT2"
          3⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4740
        • C:\Windows\system32\notepad.exe
          notepad "C:\Users\Admin\Desktop\LPT2\lockfile.txt"
          3⤵
          • Opens file in notepad (likely ransom note)
          PID:4756
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\flare.bat
      1⤵
      PID:5268
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /7
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3144

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\8DB9.tmp\8DBA.tmp\8DBB.bat

        Filesize

        1KB

        MD5

        946bf3b4f25650e511646d57cba89de6

        SHA1

        90dfe5ff9e2a5c23497a73ba8b79b3a298371b7e

        SHA256

        9e1533c484246349900386603717ebc57e568a6f366f7129497f4f8d80857741

        SHA512

        eeee3877f4011b90e1c06725bfed06a327df79ead15b57d34dbcf8f4405687f7915b1e088b9d90bd9eff4a2b99d9be887e2d94fce1a8d4e9a3398e0d2b093fdd

      • C:\Users\Admin\Desktop\LPT2\lockfile.txt

        Filesize

        16B

        MD5

        35519859078faf1bb9ff9aa6d97e02f7

        SHA1

        f62fa3cba186ac4fc65321e5b24f3b3c6713e168

        SHA256

        c76a191235beca08d9290c53f8832be67b1b9671269674ece289e3162157d2b1

        SHA512

        674ed9c45e4070cd2de21e7a74fe8327ad3db7234a306988fd579e126f6c37ce5a39fa45cbf2da818c81bf7dfcf160f4f993f9fb3d3a85a1530101564ced9df9

      • C:\Windows\System32\flare.bat

        Filesize

        90KB

        MD5

        b6c4c49375cb3b54a63066deec0f23b5

        SHA1

        4f8b5cbaf0e20875eccab2a6dc08b10bd4880fcf

        SHA256

        76a4e97d29f23282682d4bf714d8a1a93ce954b3eda38d749a83552e990ecb4f

        SHA512

        63c612a920e4350c1b91329c741022a3835d18d30ecf189f0ac9535f37efb28a34a86ed3a76d3a2575562b7525c7fd33df52d6e0dcb61045a95a65d4aa99601a

      • memory/3144-18-0x00000208E37B0000-0x00000208E37B1000-memory.dmp

        Filesize

        4KB

      • memory/3144-13-0x00000208E37B0000-0x00000208E37B1000-memory.dmp

        Filesize

        4KB

      • memory/3144-12-0x00000208E37B0000-0x00000208E37B1000-memory.dmp

        Filesize

        4KB

      • memory/3144-14-0x00000208E37B0000-0x00000208E37B1000-memory.dmp

        Filesize

        4KB

      • memory/3144-24-0x00000208E37B0000-0x00000208E37B1000-memory.dmp

        Filesize

        4KB

      • memory/3144-23-0x00000208E37B0000-0x00000208E37B1000-memory.dmp

        Filesize

        4KB

      • memory/3144-22-0x00000208E37B0000-0x00000208E37B1000-memory.dmp

        Filesize

        4KB

      • memory/3144-21-0x00000208E37B0000-0x00000208E37B1000-memory.dmp

        Filesize

        4KB

      • memory/3144-20-0x00000208E37B0000-0x00000208E37B1000-memory.dmp

        Filesize

        4KB

      • memory/3144-19-0x00000208E37B0000-0x00000208E37B1000-memory.dmp

        Filesize

        4KB