Managed XDR

kaelmemniw.exe — malware analysis report

File info

Filename
kaelmemniw.exe
File type
PE32 executable (GUI) Intel 80386, for MS Windows
File size
725 KB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
31c6f4d0f81253782eb5099ea0bc24352844c5d9
SHA256
cb6828793da939f751e355a802c6c9b55f48864eb32f2072b590212a98a417a3
MD5
a10edb5dd51d23b38e4e4bbe1ebc6b8a

Signatures

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1497.001 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.001 antivm_queries_computername: Retrieves the computer name

Discovery

T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1497.001 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1082 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497.001 antivm_queries_computername: Retrieves the computer name

Other

yara_rules: Static rules
unexpected_exception: Unexpected exception
static_pe_duplicate_sections: The PE file structure contains anomalies: duplicate section names
create_rpc_bindings: Creates RPC connection
net_dumps_in_native: .Net dumps have been found in native PE
require_administrator: Requests administrator privileges
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
message_box: Displays a message
writes_data: Writes big amount of data to disk