Analysis
max time kernel: 151s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 20:01
Static task: static1
Behavioral task: behavioral1
  Sample: 92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c.exe
  Resource: win10v2004-20220812-en
General
Target: 92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c.exe
Size: 224KB
MD5: 7124dcef46c91490e5ebe768f96a3179
SHA1: 9764fe3c4ba6cb73a46a02e234213659cebeb16a
SHA256: 92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c
SHA512: 8bf2957bd2bd69d9ac034b786e2d0b204b53da90c8ab417fecb7d13c6db8ab96a8222e8b17987ab787612e7d0f894ca3a1cdfae6b1c2fa00ad0e7dfa993175a9
SSDEEP: 3072:hiYBN7aWbqDImDrT+UvtkvnNBLieMyiayNe2XKrJlZmNlDY:hFBvuImDrT+U1QtMyiaO6mS
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | kmlaf.exe

Executes dropped EXE (1 IoCs)
pid | Process
2008 | kmlaf.exe

Loads dropped DLL (2 IoCs)
pid | Process
1572 | 92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c.exe
1572 | 92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c.exe

Adds Run key to start application (2 TTPs, 54 IoCs)
All 54 IoCs are under the key \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (written as ...\Run\ below):
description | ioc | Process
Key created | ...\Run\ | 92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c.exe
Key created | ...\Run\ | kmlaf.exe
Set value (str) | ...\Run\kmlaf = "C:\\Users\\Admin\\kmlaf.exe /y" | 92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c.exe
Set value (str), 51 entries | ...\Run\kmlaf = "C:\\Users\\Admin\\kmlaf.exe <switch>" | kmlaf.exe
  The 51 entries differ only in the trailing switch, which in report order is: /h /o /K /y /E /I /s /F /q /d /V /l /x /r /Y /e /u /R /Q /X /L /J /U /v /G /i /P /b /A /m /D /H /a /p /M /Z /n /g /T /t /f /z /c /W /B /C /j /w /N /k /O

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | count
1572 | 92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c.exe | 1
2008 | kmlaf.exe | 63

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1572 | 92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c.exe
2008 | kmlaf.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1572 wrote to memory of 2008 | 1572 | 92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c.exe | 27
(the same entry is recorded 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\92195d2e3f40e5251f95d052d282986d9f54f04f8ea90103f61829ce02cb724c.exe"
   PID: 1572
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\kmlaf.exe (child of PID 1572)
      Command line: "C:\Users\Admin\kmlaf.exe"
      PID: 2008
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 224KB
MD5: 8a92d13fd45be2426cbfcec3d40201fd
SHA1: ae2dacfa7d9016150ddb9f839939137b390ed016
SHA256: ef80871610180d1e6eca5ebd1d720a3358d1171c7c557c6af7c3f96dcd03404a
SHA512: b588fb8e5b23b7e48cde2942978e707953710e9542dc9859bc2985b71d92dd1f4007c8f8b7164cd859d3bc03bb6d8a6d6f2115aa9d121b34980006a0762262bd