Overview

overview

8

Static

static

3

7f3987c0e6...5e.exe

windows7-x64

8

7f3987c0e6...5e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2023, 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f3987c0e62a0f3b39848202c79fb95e.exe

  • Size

    1.3MB

  • MD5

    7f3987c0e62a0f3b39848202c79fb95e

  • SHA1

    61bb8efc59d4b85262f123a5a5199abf1907121d

  • SHA256

    dd4ed634c3494ae83f56337d774ba00a0617fc0fd27b1a5c7185ed5bf526ec76

  • SHA512

    b83196292ec8a02ec7d401f070c1aa6a473a08083841ffb30aa18c9f50dc329f197d0457f3d44c616b8d7fcc6a7368b05865993c61b4ecc34921ec3297207515

  • SSDEEP

    24576:3DSmDdU+YdDm0UaIwhgTJz6qP4lpEZXzTnby1ZU2vgxLy7Nt/M:pdfBatod6qP4DEdX+RvELy7N

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 16 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f3987c0e62a0f3b39848202c79fb95e.exe
    "C:\Users\Admin\AppData\Local\Temp\7f3987c0e62a0f3b39848202c79fb95e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\KAgentSilent.exe
      KAgentSilent.exe /a /k /g PLLT9905823878822487 /l "C:\Users\Admin\AppData\Local\Temp\KASetup.log"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Users\Admin\AppData\Local\Temp\pft737D.tmp\KASetup.exe
        "C:\Users\Admin\AppData\Local\Temp\pft737D.tmp\KASetup.exe" /k /g PLLT9905823878822487 /l "C:\Users\Admin\AppData\Local\Temp\KASetup.log" /s
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:2648
    • C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KaUsrTsk.exe
      KaUsrTsk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2472
    • C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe
      agentmon.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:1320
  • C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe
    "C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Program Files directory
    PID:1148

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe
    Filesize

    192KB

    MD5

    f3ccb1bf0ff71f07ae1f58e0d62036d7

    SHA1

    fa05b46e44619e50ee779479543a408596438282

    SHA256

    c845a1a401e3c323c542fe00e9f0c15601664a8f60394c956b4dd61e6ebd7b3e

    SHA512

    e518eb38116dd47acb4df59d34af5583f556fcecbcff9d1f294a8cb5cdae66dd1b2857f67e466b97ecb47cb6c391f222b9efd72ecc38c99f6972d0a3c382751c

    Download Submit

  • C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe
    Filesize

    128KB

    MD5

    dc8417c616031edb1b83f1ab2ec44ce9

    SHA1

    40cdd6356929b78367829981281fd5ab58e99a0a

    SHA256

    0b75a4525030e63dd0dab96897e7400b774c492aa98ba54c2ba75838a3b2f77c

    SHA512

    a19462ebdf9bc52435275ad512ab08ef3dcf6843e96b85551366b81b38eb1ac676d37518830d6eb3a3b38ba7654b570b3938f6f9543d4e027fb8da79d0bf0b52

    Download Submit

  • C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe
    Filesize

    728KB

    MD5

    ddeb42b13cdb7b05521edb45c25a0151

    SHA1

    eaaf15fa2f31dc9881b0f50bf0b9fa6472be774a

    SHA256

    58b6392eef742b2420c8f5ee2b97d25f16e67fcaaf124ef2a751d324e51898cd

    SHA512

    596b4b351d8fc2d4bf5cbc5a0262d22fbcc58d87a04219e5ce9441e5553c73562fabb5ca68fcada88d7a33bcd7262a1d71493e70b7503b1c0e98d525f8ad503f

    Download Submit

  • C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.log
    Filesize

    113B

    MD5

    b2ec2c7091bf451a7c8fa79c5470afa6

    SHA1

    783fc12f6c36364f804ee24aa386888e730a3843

    SHA256

    6df809c2561177a9b5feac2dfd2142175062f1705f3abaf1a6b901289ae92feb

    SHA512

    06f831a5de9814acf539003aca6ff6777cb08f595570f674cf71bbdab7b3e0b4b07d33f0e62096b80ba9ea51558fa02087f1166cd0b4fb16b46e418d2c389e1e

    Download Submit

  • C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KaUsrTsk.exe
    Filesize

    316KB

    MD5

    61e0870e8352fc42a42e414ed55bf837

    SHA1

    b0ef19d08f40c77b2d31e9dd9aad087fd847a294

    SHA256

    501caa9f031da6a00bfefb5fe1123c730838e5d16476c103218b625935594e82

    SHA512

    aa52a44135095223ae4c0c00deffdba34ceebb693e3877af20d08cccc4d4270cab78b63ca6834e02b9abe676eb09a361a1a17dc5882c6d1aa072db7b1296b12d

    Download Submit

  • C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KaUsrTsk.exe
    Filesize

    192KB

    MD5

    c294a458a74b57d679307f51f72a22c4

    SHA1

    8935aabbd66557956378066c72ea6dc1cd7ee4a5

    SHA256

    61d003402266c86b86180922bf57745424cac42a96770ad3a3b5ae37f8e1948d

    SHA512

    0e7f15ff80b4ef33b5e9665c6d8e87a859630f58bd0b76677b8cd7b238ed0f6dc72ca059def40aae2f34df9abadb7f47a45642f710615b7dfe0231e8debe4160

    Download Submit

  • C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KaseyaFW.ini
    Filesize

    2KB

    MD5

    110bcfd4a9b3ace873e40d41ad039b72

    SHA1

    5f652ecfb90311a8a2e5a52424d333cc6234f0e0

    SHA256

    04e0218852ef83d415f1497c56088ec001e3fb72af3b487dbe171be13c636c04

    SHA512

    fe9f8c2062f4c2280fd6aaab244d97047e53989ba5817911580744d86177fd42f812a402a740c346e891bdd2b95d2086de19b9822239da025860dfd263616f6a

    Download Submit

  • C:\Program Files (x86)\Kaseya\PLLT9905823878822487\Package.xml
    Filesize

    130B

    MD5

    91b53fe6d4112c8e2902b2503b77b34f

    SHA1

    8c5d9afecde2dcbab3d7fca1a72a71419e0fe175

    SHA256

    832c7239546815495b5e1a2676030cfa9999d97278a115db007b6a1a4de36aa2

    SHA512

    4cb779a64fc9aeeb7f08f1bfe11be812e8cfa2a719829a081299ef6b9b039e9cbd92fecdbcb640e15cc117adfe0ae06ed01a2a484db02f6cbda9c173b6cf28cc

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaseya\Kaseya Agent.lnk
    Filesize

    1KB

    MD5

    fbb96c4e7dea859f38b3b63770a95dc8

    SHA1

    adbeebda919089da9d1a7d7176d95c10f9b93588

    SHA256

    4a441b371b7b4f8395cfec3929ef7d776b67780daa3aec3ccf39d1117ab52e7a

    SHA512

    ef7ea131662c2e8435abdaae5db8e4299107d1210746599fbf8524836c5a83ccce2144a85ad41c206e1cd8eb1097099b306eee047b4fdb7dcabdae699fdf3f6f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KASetup.log
    Filesize

    10KB

    MD5

    b92aee1727dcfd51ec72c2e0ea48be78

    SHA1

    1a7473c4467d0f3c2b38ba13e3461ea8107c357f

    SHA256

    f0ea8bece08e98af97cd1097e0d087284ee6af855ac489e58c969e495499dda9

    SHA512

    a932eb0fef58b0b376429c9a587c2aba28917286961be9b3f447a401478b6be68f2e34825c751cfee5e28941393c897f3677b5a3def591d2f754e99469b983bd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KAgentSilent.exe
    Filesize

    768KB

    MD5

    35937a6b09c3bf0030f8e2f1e3d384f9

    SHA1

    2f1ff4503a80065b024ff32c735397b11ff7d044

    SHA256

    738b97ffb0502272b9fbdf1901878b9c1a07e0ff8560939102dacbf4167de3cf

    SHA512

    b75e7e2d490a34a9bfd5d104f12b7443a5a94e82a8d377b28f712297585075fd035899c78d942f0f5fbd5e6931d9463f4346474dc54a87ed35e5d1efe7cd5979

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KaseyaD.ini
    Filesize

    2KB

    MD5

    13644346010e3adc72ba0351f6deb01f

    SHA1

    ca5d893bb118a0e13bb789a8c801e9c355807cc3

    SHA256

    cedba80b7716ecc6afcfe107b2ca9a2ec6ba3db92b805ec35e24e66f91193d26

    SHA512

    ba9287fb35d9495104011f796336507845a2d56fbd92d12eb7be953a829329e4fabbfff83e69fb0bb610eea6d7b0e429cd6a77ccb8c6f5bd756f0c3cc42ef3bf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pft737D.tmp\KASetup.exe
    Filesize

    92KB

    MD5

    eee3f2a1235b1b098e3b80e75c0f6dc8

    SHA1

    83378106bebd65e75c67e148dd490c306dc5c599

    SHA256

    6ec9f8501fef28f0529465be4fc4bf0724d1415ac8883d82ff52c1a86a21447e

    SHA512

    4244370aa297b553e86dd9d280ccf7bd118305a28478f0906dcef3c21263cfac456c1845bda6f48a44c73a569312874ff9dfb6402f87a5fee3da2af768315c7d

    Download Submit

  • \Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe
    Filesize

    256KB

    MD5

    595f06c2c71ff317679154bd522ab658

    SHA1

    a7431435acc6c8ff1bb15cf738285f128940d935

    SHA256

    cfc77bdfa7c912604a398ebf772581826512d6c0277f293e1182a4084b782170

    SHA512

    cd18cb484dd3ed0706a7175e8c4f9433938669ec87f9317f82e911e4386b1de7cb3f66694139b56842cd9c78252c98094088e11f88b3e99422568beb4145e81b

    Download Submit

  • \Program Files (x86)\Kaseya\PLLT9905823878822487\KEventLog.dll
    Filesize

    128KB

    MD5

    e40db8437c308abfe09305933a92cec2

    SHA1

    77a3f4e991ca5ea48c9965f48bf735bbd55e7289

    SHA256

    dba05618ce322ea06a362208239d926ca07ebf8b149e1ff4b30494aff297770c

    SHA512

    478cc07f1fb1f3161a2633118a4226fd5cbe1a153aaed071d68105cf7b4a15ec365b92ad6028e5f5dd7658416b42135592d9e731db0599eec1a6b6cef2bd69a5

    Download Submit

  • \Program Files (x86)\Kaseya\PLLT9905823878822487\LogParser.dll
    Filesize

    132KB

    MD5

    f97b6619d66d8c7dfe933d19bad26c30

    SHA1

    47ef3f568d01a291da2b67bf87085726457f7c9c

    SHA256

    092383b5ca5cdc01969e33f316a775be3bb39e68bd45b8f6cd8943f35383b242

    SHA512

    99c8c172870f6dc57870ad6a69df85c709bc0386b5e898d658bc8f2219e31324f2e2ac82a6ae4c85a65ddd58f5961ffb4fa3aa3e679ecb24b393f6c077f8a2e3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\KAgentSilent.exe
    Filesize

    1.2MB

    MD5

    b88dbe0131aa4cdf9f764f7245badca6

    SHA1

    a9f39985a4104956d45343aba2de4973a4fa07a4

    SHA256

    0c1af4b264fa29fc61c672f1eca7f001cb69fa768dad880a0885c694a5272718

    SHA512

    e2edcc0ea8417104344fe1173e8aa11cc947adafe987f5b6f6d30a1ab8f0d8f3a1e15e163b4745293dd1c75af8e8cc216529ae6b0fa00d7f496f6c3efd863c80

    Download Submit

  • \Users\Admin\AppData\Local\Temp\KAgentSilent.exe
    Filesize

    92KB

    MD5

    abb2df997564f558518fa0a8ec68c719

    SHA1

    cadcbb5731e56114ab4763fbc36f68fe2e7d2c57

    SHA256

    c5be9afb72892b8e45480e9b65d7aec5d04f952d2b092d39c9782387fb901366

    SHA512

    63cac1bdcc601d626a9e52616970386c4ce41b7022e9216cf4e40d962f7cce12e7c42123ef6a52e6a75e212270506e68ff2f6e9223cfb6332479559104ad6b86

    Download Submit

  • \Users\Admin\AppData\Local\Temp\pft737D.tmp\KASetup.exe
    Filesize

    93KB

    MD5

    b9307c8eba7196604005e665d3f1c27f

    SHA1

    0bf7a491511f669507a90a09971f3820c1016cba

    SHA256

    6dcfca54a964ec089f7545bf720fe2a3d7092c187df8b729f28a0a266f77f97c

    SHA512

    bcd7d8c029d89111f84feff74700eefd03e0142bbab10bd8e69b12d0c638af69501663fd87f3f7b59771bfbcbe7f7dc44581893949ad33dfa23a4867e7c946c3

    Download Submit

  • memory/1148-300-0x00000000007C0000-0x00000000007E3000-memory.dmp

    Filesize

    140KB

    Download