Analysis
max time kernel: 140s
max time network: 146s
platform: windows10_x64
resource: win10v20201028
submitted: 08-04-2021 07:04
Static task: static1
Behavioral task: behavioral1
Sample: kayo.exe
Resource: win7v20201028

General
Target: kayo.exe
Size: 29KB
MD5: 7b9af96c1828d52a8d6380b02ef72c18
SHA1: 28a32a49f3d857ba4e869901e85328b2fa2cdc10
SHA256: 7aeaa9cbabc54c36844d5852172c449865bf4c524693ae7aa9909b87627052fa
SHA512: c50ed68634623a85754c32b79ee3a264b327892867e21888b6d9d14b2ef57a2782fa588446b650c29ba0b795dc1291546c40aea27fb5ec8d85ff9226bc87e04f
Malware Config
Extracted family: lokibot
C2 URLs:
- http://amrp.tw/kayo/gate.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger (16 IoCs)
Processes: kayo.exe (PID 428), 16 events

Suspicious use of SetThreadContext (1 IoC)
Processes: kayo.exe (PID 428) set thread context of kayo.exe (PID 2772)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes: WerFault.exe (PID 420) handled the crash of kayo.exe (PID 428)

Delays execution with timeout.exe (1 IoC)
Processes: timeout.exe (PID 3508)

Modifies system certificate store
Processes: kayo.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob omitted)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob omitted)

Suspicious behavior: EnumeratesProcesses (17 IoCs)
Processes: kayo.exe (PID 428), 3 events; WerFault.exe (PID 420), 14 events

Suspicious behavior: RenamesItself (1 IoC)
Processes: kayo.exe (PID 2772)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
- Token: SeDebugPrivilege, kayo.exe (PID 428)
- Token: SeRestorePrivilege, WerFault.exe (PID 420)
- Token: SeBackupPrivilege, WerFault.exe (PID 420)
- Token: SeDebugPrivilege, WerFault.exe (PID 420)
- Token: SeDebugPrivilege, kayo.exe (PID 2772)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
- kayo.exe (PID 428) wrote to memory of cmd.exe (PID 2292), 3 events
- cmd.exe (PID 2292) wrote to memory of timeout.exe (PID 3508), 3 events
- kayo.exe (PID 428) wrote to memory of kayo.exe (PID 2772), 10 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\kayo.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\kayo.exe"
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Modifies system certificate store
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 1
         - Delays execution with timeout.exe

   2. C:\Users\Admin\AppData\Local\Temp\kayo.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\kayo.exe"
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 2660
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/420-14-0x0000000004A80000-0x0000000004A81000-memory.dmp (4KB)
- memory/428-2-0x0000000073160000-0x000000007384E000-memory.dmp (6.9MB)
- memory/428-3-0x0000000000070000-0x0000000000071000-memory.dmp (4KB)
- memory/428-5-0x00000000049A0000-0x00000000049A1000-memory.dmp (4KB)
- memory/428-6-0x0000000005820000-0x0000000005821000-memory.dmp (4KB)
- memory/428-7-0x0000000005780000-0x00000000057AB000-memory.dmp (172KB)
- memory/428-10-0x00000000062F0000-0x00000000062F1000-memory.dmp (4KB)
- memory/2292-8-0x0000000000000000-mapping.dmp
- memory/2772-11-0x0000000000400000-0x00000000004A3000-memory.dmp (652KB)
- memory/2772-12-0x00000000004139DE-mapping.dmp
- memory/2772-13-0x0000000000400000-0x00000000004A3000-memory.dmp (652KB)
- memory/3508-9-0x0000000000000000-mapping.dmp