dd4ed634c3494ae83f56337d774ba00a0617fc0fd27b1a5c7185ed5bf526ec76

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f3987c0e62a0f3b39848202c79fb95e.exe
Size

1.3MB
MD5

7f3987c0e62a0f3b39848202c79fb95e
SHA1

61bb8efc59d4b85262f123a5a5199abf1907121d
SHA256

dd4ed634c3494ae83f56337d774ba00a0617fc0fd27b1a5c7185ed5bf526ec76
SHA512

b83196292ec8a02ec7d401f070c1aa6a473a08083841ffb30aa18c9f50dc329f197d0457f3d44c616b8d7fcc6a7368b05865993c61b4ecc34921ec3297207515
SSDEEP

24576:3DSmDdU+YdDm0UaIwhgTJz6qP4lpEZXzTnby1ZU2vgxLy7Nt/M:pdfBatod6qP4DEdX+RvELy7N

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\KAPFA.sys	KASetup.exe

Executes dropped EXE 5 IoCs

pid	Process
1152	KAgentSilent.exe
1556	KASetup.exe
1984	KaUsrTsk.exe
2808	AgentMon.exe
3480	AgentMon.exe

Loads dropped DLL 3 IoCs

pid	Process
3480	AgentMon.exe
3480	AgentMon.exe
3480	AgentMon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KASHPLLT9905823878822487 = "\"C:\\Program Files (x86)\\Kaseya\\PLLT9905823878822487\\KaUsrTsk.exe\""	KASetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KaseyaSP.dll	KASetup.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KAgentExt.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\drivers\KaseyaSP.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KasAgent.log	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KasStats.log	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KasError.log	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\drivers\KaseyaD.VXD	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\lastChk.txt	AgentMon.exe
File opened for modification	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\lastChk.txt	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\kGetELMg64.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\sporder.dll	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KaseyaD.ini	7f3987c0e62a0f3b39848202c79fb95e.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KaUsrTsk.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KasFirewall.log	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KasError.log	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\Package.xml	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\LogParser.dll	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.log	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KASetup.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KPrtPng.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KEventLog.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\drivers\KAPFA64.sys	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.log	AgentMon.exe
File opened for modification	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KASetup.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KaseyaD.ini	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KaseyaFW.ini	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\PLLT9905823878822487\drivers\KAPFA.sys	KASetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1984	KaUsrTsk.exe
1984	KaUsrTsk.exe
1984	KaUsrTsk.exe
1984	KaUsrTsk.exe
1984	KaUsrTsk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1984	KaUsrTsk.exe
1984	KaUsrTsk.exe
1984	KaUsrTsk.exe
1984	KaUsrTsk.exe
1984	KaUsrTsk.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1152	1884	7f3987c0e62a0f3b39848202c79fb95e.exe	91
PID 1884 wrote to memory of 1152	1884	7f3987c0e62a0f3b39848202c79fb95e.exe	91
PID 1884 wrote to memory of 1152	1884	7f3987c0e62a0f3b39848202c79fb95e.exe	91
PID 1152 wrote to memory of 1556	1152	KAgentSilent.exe	95
PID 1152 wrote to memory of 1556	1152	KAgentSilent.exe	95
PID 1152 wrote to memory of 1556	1152	KAgentSilent.exe	95
PID 1884 wrote to memory of 1984	1884	7f3987c0e62a0f3b39848202c79fb95e.exe	98
PID 1884 wrote to memory of 1984	1884	7f3987c0e62a0f3b39848202c79fb95e.exe	98
PID 1884 wrote to memory of 1984	1884	7f3987c0e62a0f3b39848202c79fb95e.exe	98
PID 1884 wrote to memory of 2808	1884	7f3987c0e62a0f3b39848202c79fb95e.exe	99
PID 1884 wrote to memory of 2808	1884	7f3987c0e62a0f3b39848202c79fb95e.exe	99
PID 1884 wrote to memory of 2808	1884	7f3987c0e62a0f3b39848202c79fb95e.exe	99

C:\Users\Admin\AppData\Local\Temp\7f3987c0e62a0f3b39848202c79fb95e.exe
"C:\Users\Admin\AppData\Local\Temp\7f3987c0e62a0f3b39848202c79fb95e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\KAgentSilent.exe
  KAgentSilent.exe /a /k /g PLLT9905823878822487 /l "C:\Users\Admin\AppData\Local\Temp\KASetup.log"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\KASetup.exe
    "C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\KASetup.exe" /k /g PLLT9905823878822487 /l "C:\Users\Admin\AppData\Local\Temp\KASetup.log" /s
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:1556
- C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KaUsrTsk.exe
  KaUsrTsk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1984
- C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe
  agentmon.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2808

C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe
"C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe

Filesize
19KB

MD5
3837429014aec2ebe6b640fd2f57f25a

SHA1
0db94d6cf498f7348fb0c7c41c7c7925819652a3

SHA256
f53a02873f4545dcf2435afca9112ef2b30ef3a06f923d07385cfabeebc06a7d

SHA512
ef0f9aac0516daf01133c2077fb3a0ce486b379f6c2d598efcaf4e6e37100d320ae2793807e67ae9592e326a84e37b048bc40013ff280dce6655918082e71aad

Download Submit
C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe

Filesize
64KB

MD5
7723c1ca6ec4867c490754a4e0a72d57

SHA1
b5e092cc069dcc5c64e8805666792e28f888f942

SHA256
2eacf0d604005b186ccfa6a8a5e01aa1071c53c62b994f81e6237600ff25ece6

SHA512
0da45d758eaee17782d788ea9b0dd05b0579edb200a8457a84bc21bcbc11fb447891db6f52c5f5fd7c83eb5745cd0ad60075af67a852ae3eabc099f2a9916206

Download Submit
C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.exe

Filesize
531KB

MD5
6e7b03787be8fd7064a640ce6b520281

SHA1
9946313d005fb5f7c57f1cb51c7c115855c2e7ee

SHA256
592a66acdca0a5f99d77787a83be297cea5e7e94bd96fb2c4ee1fbc29a115f99

SHA512
d5a66f54468760f8c0e59d41a1dfd7e555fec32b1e857e7cc642547ba178236ff602e1212f7690f27df448d5a259ab3411194f3fe19c8e0b673b10793f2e8eb5

Download Submit
C:\Program Files (x86)\Kaseya\PLLT9905823878822487\AgentMon.log

Filesize
229B

MD5
05fbed4779076ede22fb40a60083efa8

SHA1
2c9afa6f91913dcbdd7a7d2bea9237e2b225befc

SHA256
b24c5ac90eaf4ab4ba0ba0cd97e001cb0932fdf05a5a874373195239821c77c9

SHA512
f8f3f63e226a3f1086f6c12474ae6acca85231e65c5390b324526080a377a5ac30025f4e629ea2979c440dda4ebf92cd16aeffb7445a54f9a309956804595291

Download Submit
C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KASetup.exe

Filesize
173KB

MD5
0dfdbd04b658a0e1e9be497ef0beecfc

SHA1
5217e916a352640d0cd7476dd06ae2d28e7af412

SHA256
bb3bf0fd5da2eed73fe6fc5971c44ed529a03874d86ffa6d64d63e719c03cc6b

SHA512
a7d70fd24dfcb14eb6e2a89668564189beb91649bc02096c085cbc88f690100c277a5b989f42a8b1036f82c62bc5b337f5affbd1620909e1c77ad0cee4d734b1

Download Submit
C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KEventLog.dll

Filesize
128KB

MD5
e40db8437c308abfe09305933a92cec2

SHA1
77a3f4e991ca5ea48c9965f48bf735bbd55e7289

SHA256
dba05618ce322ea06a362208239d926ca07ebf8b149e1ff4b30494aff297770c

SHA512
478cc07f1fb1f3161a2633118a4226fd5cbe1a153aaed071d68105cf7b4a15ec365b92ad6028e5f5dd7658416b42135592d9e731db0599eec1a6b6cef2bd69a5

Download Submit
C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KaUsrTsk.exe

Filesize
128KB

MD5
d070bb60ca042dfc0afb9c20e4b65541

SHA1
caf2a3a031f1d41ac8586e6bf4e5cae3e731a393

SHA256
142af8436e5119bb26e085b06615e9852aa8a8ead4f2b4b221f723642c7f8679

SHA512
8d7e5af4cc29bba987da2c0284e4f96d278d9bcdf66a99185bf06a5517c7fa6734444f082d7a3097712ad3d3e9921d9e7b87464b0f58da93e2f2fd2d6cad1a9e

Download Submit
C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KaseyaD.ini

Filesize
2KB

MD5
43b40bff8e9b4855e8f21871d3be6ca3

SHA1
5694da8605de630496b22f2b4a77697f220cf95c

SHA256
142291925eb0963aefd278058c1c061eccc01b1ea0e8efda94daeb6e37398732

SHA512
6cb0deb10efd9a63ee01247e071b09ad7d372bdb4adfd6c0f70793982aabc469bafd6ce3b60f02f808b5602c36ba985c38203506f3b8f9ef12911ae84df15a0d

Download Submit
C:\Program Files (x86)\Kaseya\PLLT9905823878822487\KaseyaD.ini

Filesize
1KB

MD5
542272069584fb8dc35d807352016bf3

SHA1
bd93273a4b4b498c812bbc53a0b7ff96cf2fb444

SHA256
ae7ab8db47ffd6944c168f74700675333cf48a9c9829b04c79399362466f7927

SHA512
dcf26b3352a853b6c27cab27de693c8bd90cfe2778f2e3e1c865870b9e4813b7fe5a05ae9e3b068fcaec8986c2fe6f649e21a510d34dbf7ea42c3cb08fa983cb

Download Submit
C:\Program Files (x86)\Kaseya\PLLT9905823878822487\LogParser.dll

Filesize
132KB

MD5
f97b6619d66d8c7dfe933d19bad26c30

SHA1
47ef3f568d01a291da2b67bf87085726457f7c9c

SHA256
092383b5ca5cdc01969e33f316a775be3bb39e68bd45b8f6cd8943f35383b242

SHA512
99c8c172870f6dc57870ad6a69df85c709bc0386b5e898d658bc8f2219e31324f2e2ac82a6ae4c85a65ddd58f5961ffb4fa3aa3e679ecb24b393f6c077f8a2e3

Download Submit
C:\Program Files (x86)\Kaseya\PLLT9905823878822487\Package.xml

Filesize
130B

MD5
91b53fe6d4112c8e2902b2503b77b34f

SHA1
8c5d9afecde2dcbab3d7fca1a72a71419e0fe175

SHA256
832c7239546815495b5e1a2676030cfa9999d97278a115db007b6a1a4de36aa2

SHA512
4cb779a64fc9aeeb7f08f1bfe11be812e8cfa2a719829a081299ef6b9b039e9cbd92fecdbcb640e15cc117adfe0ae06ed01a2a484db02f6cbda9c173b6cf28cc

Download Submit
C:\Program Files (x86)\Kaseya\PLLT9905823878822487\drivers\KAPFA64.sys

Filesize
29KB

MD5
631731583a723a653a028c0202475541

SHA1
00af96f5a59fde9f96fb68eeeb65c080e2180217

SHA256
3621e5f7b1185d89c2346a114c320bfcd496c26cf08bb92a828d23adbb05c360

SHA512
886a6ad966eaf3c17979d0dc458983aad6c1aca73466f7db846040239e72bf4e839d36daaec2d74fc42e270d2fed7cb212ac1bc5a8da7b9288dd1276cc70a856

Download Submit
C:\Program Files (x86)\Kaseya\PLLT9905823878822487\drivers\KaseyaSP.dll

Filesize
37KB

MD5
68b5ca9d5a25e72c178068600bcc974e

SHA1
2243d829d4b8b9daea14a1948d78c13c578d96da

SHA256
31dd455f7db7121f2f372003f66b0eb03a06905e5c050b9d3ac0fca1374a8672

SHA512
87718e45a3b590b5523d08e5c46396910efac595b227068646d8b6937f540e040a31b4cf4261deb7ee9befa35367bd0596974e53ab6070f26f25365d730d50b0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaseya\Kaseya Agent.lnk

Filesize
1KB

MD5
f394e2ae2fa25dda55a6497d734796f0

SHA1
2a9c8ec832602abc370a7493ab9595977b55f9f3

SHA256
9800ff08874af447abee89e8ee2c72733709fd90dfc46eee6aebb19b9969f6e6

SHA512
2000c2cebec5257224d2fd9adef628e94deed7b3febde120c594ba041507f875159aa0b86e4ea2c0ba490bfd87018de014413cdb547a36299d7e444cb114d88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
2KB

MD5
c7a4f912c595d32e4ac6f82953ab62c9

SHA1
0e614a3587c746f93a5ed00ea8f75b476470dff5

SHA256
1c964b2611925ee1b6de89e76d764e8f277e9d7132f89e2b5d99c517bfa5e9e8

SHA512
af6f736b768c5de12488d51a3ca296c7f7a44c5b3782f8c4d0fc9b7cc944f751a04bf096be8460781b75ee07f37f944b685bca79edd79d670a0d494ebfa51b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
2KB

MD5
b7cdae8f518aa950507d1671cbadb484

SHA1
6c25cdba1573893676c58dbd5a14e893328972b1

SHA256
606a39625ced9d216e107a5afb2b48070bf78e2437f830b9f4274a1d260ffe83

SHA512
0e0875553c3ae73f5d1ccb8bf73b965793db5d9c0b8013dea91b3cdc044842d026bfc10930bdb593331dbb7652e11d8bfe19989372c77ca117c91aa616e497c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
3KB

MD5
eafe518e63df5cd017c6f244f53669f3

SHA1
043b292e388dccbadb9bcbdffdc52722f0bc34a6

SHA256
a63b5105e48f7f87c1d8375d5f7ebb14724f6431d02b89518f877cc628f445d4

SHA512
86a87fe4f7db5f11e87e29bcc3a9d0896e3d86d0bbbbba54a4ec2dfe68825826cafa7810ee0a893b50ff7cb31a1d76240bd9c95ad4bca872971b56a5e928772f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
6KB

MD5
a0ce810e5873796cdd2772a6d0573f9a

SHA1
13c9a05ace05189a979fcc4f69520f7618a4a121

SHA256
6fdf5e9a0a4d0e8c530818e691e3b4b338c02a973ba4479728b0af1ed3cfd0d7

SHA512
9c66940b568df0435f64392f69268b3f4b6c2601b06c4b11bba21ef892b44d59026f502f6d71cce58aafc5ca3153cb6539c235a6d34f654f61e2455f8d57236d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
10KB

MD5
cf1f93b8fae5fbca4f32956edde59d3d

SHA1
02b7e7755208852dadbf8f4bec9cc6236a579d6c

SHA256
56023c2a7edcb0fd580be0598e694e20e8b0ee9769809206c97214d17476ee52

SHA512
c797f17d507401e0c05f72d6eb2c00cd6a1f6c90de7967a039f14b40c7829c162c763927ac6804e52bc039eb4d17539ba6acfa95dc4725f9c5df56f7767493e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAgentSilent.exe

Filesize
998KB

MD5
272286228bf767c1adb8976b328a3e0d

SHA1
d1e3adcbcb0abcf9825ad9aead15a5c5151576a2

SHA256
4bc45510e0eec50412cb4ade97142aecf15b01efd54a636dcc3c5e714971854e

SHA512
11263457ca823a99a63d0f8b2fc3e96423cfa8ff409365a788f7d4d75bd54dff7933bf18c920dada200d466057ad662ee465da3520ecf60ebd4150f1ef8ec09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAgentSilent.exe

Filesize
565KB

MD5
dccc44df4445af7cd21a00489dfc0e65

SHA1
c4de22f0fade8fc4847233170e7b81b6dc5ef943

SHA256
df4fd0566ceafc16416428654f923ed1178315ae6380113d3c810b0d5993cf15

SHA512
330553764599a7a037db691738eccd16f9f173831f536067e53c208ff8d5a20d20de3955386d79e58aa45641e0b29a08795dc7b98ebda96d346ddfc06feb6f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\AgentMon.exe

Filesize
728KB

MD5
ddeb42b13cdb7b05521edb45c25a0151

SHA1
eaaf15fa2f31dc9881b0f50bf0b9fa6472be774a

SHA256
58b6392eef742b2420c8f5ee2b97d25f16e67fcaaf124ef2a751d324e51898cd

SHA512
596b4b351d8fc2d4bf5cbc5a0262d22fbcc58d87a04219e5ce9441e5553c73562fabb5ca68fcada88d7a33bcd7262a1d71493e70b7503b1c0e98d525f8ad503f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\KAPFA.sys

Filesize
16KB

MD5
14fa46806ddc1a2db571891324c68688

SHA1
aead4b8d5dd1eb9fd333bb3b99e8c6cfb7439a29

SHA256
94071ecfe3c96dfdea68df0a53093ab69f23dd2267dd000ec3f3375ed6f93bbc

SHA512
78ba886792714ab0e44b109682c701c2df56d543db841e729af9e38f76f0052cb507415c3c60568d09c51ffca1f7b5a17ea948faeb77d578192934e59288c30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\KAPFA64.sys

Filesize
17KB

MD5
04f48804d11b1dea0a82494ff5981e16

SHA1
a56d32e68c7a744dc748e081da510368a949fb8f

SHA256
4e0d8bc6c0df23aa93ea93af08381c0feb12d7d8f3614ca783c71de47c673364

SHA512
a63a0690ca45d73f0cab92d75c601cd62f8bdf64447f7d68ef6494efc8049e06866cae9b1f28c463fa4a12b9fef6ca62f92de4cb53d10c3feeafc9df74b42bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\KASetup.exe

Filesize
129KB

MD5
f0b01039ab0416bd46e259013cb26e1a

SHA1
b04aed01319574b24bce0ef9c955e05241282a04

SHA256
45f7cbd81e566bb1b0fe6192f1ed0393e600fd30afef474a817ecd03b694cdc1

SHA512
2b9532ca237acc56a67957f16eea78a3d31a30b33b1062f1b01e32224ad3d5eb9d96665d02491571ab6eb2882950c97bfe11a8c50d4abbdcdcf9f85cf6a5b7b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\KAgentExt.dll

Filesize
35KB

MD5
9d2707006b0368ba7371a2ecd3ad171f

SHA1
da013bbeeef7f5271a238733e959bfec916a9fbc

SHA256
35c147ddea34a9041f42217ccac4e772b42dd32468ea8c82c15262ba5cac2f9e

SHA512
9d264abf13435c52565f10298315057086c82583f2e9081f48cfb10cb9cba0c442c2e66c601ec227e7417ad3b4306c65d38d7765ddef8460de5d6805922914b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\KEventLog.dll

Filesize
7KB

MD5
2c87ea1075d2ec5073a2f1841e4c364a

SHA1
96114af3fc8dbf63cd8634e6aa11a4c7d66fac6b

SHA256
42323cd1b022018b033430b761bf436fd6effaae868f2877afd777ca188f0bfc

SHA512
f557d4991913a694d885cb253d4395dd77ed1bb09839d7cdc850ff45dd516eca0a9bbbd7a2171e91768a55d3a379a7683d882fdf8a8812ed107560ec4d44ac18

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\KPrtPng.exe

Filesize
104KB

MD5
c3a8623ab5785db5caa6f5280ce0b38f

SHA1
2f72b10dfda63ed4af8476b2247426873b026f0a

SHA256
7c77447a02cf1f7ebcbf756247716dd05c6617878c2a96285c6613bab7dc85b9

SHA512
93f8673098c26c20ccd64211b755f7896cdac5beeac03c99a9827d89b2967148feefe896bf81ac057325d4abc6fd9b30b0e611af09e9520be7fdb0c0e209f429

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\KaUsrTsk.exe

Filesize
316KB

MD5
61e0870e8352fc42a42e414ed55bf837

SHA1
b0ef19d08f40c77b2d31e9dd9aad087fd847a294

SHA256
501caa9f031da6a00bfefb5fe1123c730838e5d16476c103218b625935594e82

SHA512
aa52a44135095223ae4c0c00deffdba34ceebb693e3877af20d08cccc4d4270cab78b63ca6834e02b9abe676eb09a361a1a17dc5882c6d1aa072db7b1296b12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\KaseyaD.VXD

Filesize
5KB

MD5
7ef9adb10dd8560de8f50fc6c4a3f9c7

SHA1
ad0eecf57892ba6ad953845b211484b27bdd30ca

SHA256
1787e6fbba9a3c92d83966725cccfdbc2cb7b5514909920e71ca6465134b0022

SHA512
79ee5becc1846ae921b4a2c140a4bed4e4d23ac9eae70f31179d97fcc2d59550fd73b92e0e1e9be5bee1573693fe4bf2688311965a3a8a9ccc2d7ef6e558047e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\KaseyaD.ini

Filesize
2KB

MD5
3d8b610262459277622c3a3386a1c02b

SHA1
040550af4cbfe39c82fea4ba99ed011b69e478cf

SHA256
1529153a7259c1f855c932a487b809e357accee33ff5516b9c9b837f3dd5ecb5

SHA512
d13689e3380dea2b21deda5fcbedaf3bbd366d37e0885b6c37fffdf217ecb0176ee225136bf06a0c07550fd2ddc511c49fe85612245d2eb037a47588dc646079

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\KaseyaFW.ini

Filesize
2KB

MD5
110bcfd4a9b3ace873e40d41ad039b72

SHA1
5f652ecfb90311a8a2e5a52424d333cc6234f0e0

SHA256
04e0218852ef83d415f1497c56088ec001e3fb72af3b487dbe171be13c636c04

SHA512
fe9f8c2062f4c2280fd6aaab244d97047e53989ba5817911580744d86177fd42f812a402a740c346e891bdd2b95d2086de19b9822239da025860dfd263616f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\KaseyaSP.dll

Filesize
43KB

MD5
b7e25218dd6050ce4a08c87e90fa9ed0

SHA1
1e0848725c88cfba0e97eb827417418f5036ce06

SHA256
ca96ff370a2137bf7ed94cb7e06c810236f4fb5e3a019c8164adc436a705383d

SHA512
019b97ea4f503a6aa481872568691e7e180a28c11d47bbdfcad028a110d9fe020f386f9409bc1e2498ea84dc878efa18f83ca057b0fec431e3d6864096c0f4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\LogParser.dll

Filesize
43KB

MD5
d03d307ed6059ad022bf7b72699b8ff8

SHA1
88152876fad38e461834a5140756d8935c3e9d0e

SHA256
a6879478f2a89b26fd31e1a8997b51bb6ae571e3de0960d27c0bd84402214d7d

SHA512
b87dbbecfd31e028a3b605c70c0369c377a90e9cc093b5dbc979d95cc2e71c178b2c698c253ef435e25609efced385b2cbbd6cf764b6da147ab1b17b24cba3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\kGetELMg64.exe

Filesize
94KB

MD5
07a4918403b3b96d9fdeba51ab3cc224

SHA1
268df049b2b19fbf2e2aae2085c85bd67c8dbc27

SHA256
b4acf11dac17dcc26c23f0f148491727056a29f0c22308478be92a8d04278fd5

SHA512
26c7b000984fd4b06b25b8554b4694c52d75a3c77a074509df6444c89befe40013b181262ea56bf3a8d1c7a8d08529c12ca7a13fb3cc36ba891958c589c242fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\pftw1.pkg

Filesize
118KB

MD5
787a1a9a6130404e3775c4af1939a607

SHA1
575191037f89f4742bd44d35f0976749f1b6e174

SHA256
29d015e3e774fe92f902e97b7d0ae5ed052da4a46609bb218d2cd374ac346cb4

SHA512
ed31a4306a32309f693702d2a36edf1cb9adbd2915f37db3af2a2b179982824efcd78a2889d2d765782d56a74e3b8857b7dfdd16e2df2a911d3107f337c2dc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5584.tmp\sporder.dll

Filesize
9KB

MD5
e2050130c7c0ec056a44237bbb8feb43

SHA1
8aab6d37d7b9663896c47b6fcc7fbf89781599df

SHA256
aa06892b2869b24218e21f87070abab39e177f0edfedc30fd9ae169e8faf23f9

SHA512
70507ef106ee91d5970c8ac351c060e329236f4920c96612a160b0db827e0354d5c5aaa096c2b77c301294b9ce680aadd5ade56ce345ad46779bd73901c581a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\plf5525.tmp

Filesize
5KB

MD5
cfaec980a3639a6b33704c0db20cb812

SHA1
e9402b1deb9293d51ea7a45ff5aea0f5bff1ea8f

SHA256
55023b00e2c2401272d0ad7b4b633814869483b6d939c5d4910e4ff18eeeee6c

SHA512
72bb65180098c195ea74c7dacf24500d98bbd872149e4247bdc98b3a12fabd2fd6846a61b7d30e610748d49348c347a1cec5939276e3a0b30703aeeb591017b2

Download Submit
memory/3480-290-0x00000000013E0000-0x0000000001403000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads