4a46e2e7fd5b14bb4a5f7f7c8f017c663acfb90ac3f5a670392a66bfc22b8b57

General

Target

420987758bb5c93abb4771a9aaf6397d.exe
Size

1.8MB
MD5

420987758bb5c93abb4771a9aaf6397d
SHA1

bfa05581bcb8e51941024d9e0f95392bb16574f4
SHA256

4a46e2e7fd5b14bb4a5f7f7c8f017c663acfb90ac3f5a670392a66bfc22b8b57
SHA512

5fad4683ccf387f96655644235f411e54d3979eb6d6b0c2fe4280df23272aae5df7c5550c80794573402d4bb28d277c62dbb60fe37fb4fa5b9bef783ac049a6b
SSDEEP

49152:IAHJUeUUgROyrljaLsrX1WNDUTaAuoE9kUS:IIUwyprX1WNgQXlS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2828	KLSSrv.exe

Loads dropped DLL 3 IoCs

pid	Process
2408	420987758bb5c93abb4771a9aaf6397d.exe
2408	420987758bb5c93abb4771a9aaf6397d.exe
2828	KLSSrv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sysApp = "C:\\Windows\\system32\\SChal.exe"	420987758bb5c93abb4771a9aaf6397d.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\macrosoft\KLSSName.ini	420987758bb5c93abb4771a9aaf6397d.exe
File opened for modification	C:\Windows\SysWOW64\macrosoft\KLSSettings.dll	420987758bb5c93abb4771a9aaf6397d.exe
File opened for modification	C:\Windows\SysWOW64\macrosoft\Shell.exe	420987758bb5c93abb4771a9aaf6397d.exe
File opened for modification	C:\Windows\SysWOW64\macrosoft\KLSSrv.exe	420987758bb5c93abb4771a9aaf6397d.exe
File opened for modification	C:\Windows\SysWOW64\macrosoft\KLSSName.ini	420987758bb5c93abb4771a9aaf6397d.exe
File opened for modification	C:\Windows\SysWOW64\macrosoft\KLSschal.exe	420987758bb5c93abb4771a9aaf6397d.exe
File created	C:\Windows\SysWOW64\macrosoft\Shell.exe	420987758bb5c93abb4771a9aaf6397d.exe
File created	C:\Windows\SysWOW64\macrosoft\KLSSettings.dll	420987758bb5c93abb4771a9aaf6397d.exe
File opened for modification	C:\Windows\SysWOW64\macrosoft\KLSDLL.dll	420987758bb5c93abb4771a9aaf6397d.exe
File created	C:\Windows\SysWOW64\macrosoft\KLSschal.exe	420987758bb5c93abb4771a9aaf6397d.exe
File opened for modification	C:\Windows\SysWOW64\appLogFileName.log	KLSSrv.exe
File opened for modification	C:\Windows\SysWOW64\KLSSname.ini	KLSSrv.exe
File created	C:\Windows\SysWOW64\macrosoft\KLSSrv.exe	420987758bb5c93abb4771a9aaf6397d.exe
File created	C:\Windows\SysWOW64\macrosoft\KLSDLL.dll	420987758bb5c93abb4771a9aaf6397d.exe
File created	C:\Windows\SysWOW64\appLogFileName.log	KLSSrv.exe
File created	C:\Windows\SysWOW64\1\KLSaslee.log	KLSSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2828	KLSSrv.exe
2828	KLSSrv.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2828	2408	420987758bb5c93abb4771a9aaf6397d.exe	28
PID 2408 wrote to memory of 2828	2408	420987758bb5c93abb4771a9aaf6397d.exe	28
PID 2408 wrote to memory of 2828	2408	420987758bb5c93abb4771a9aaf6397d.exe	28
PID 2408 wrote to memory of 2828	2408	420987758bb5c93abb4771a9aaf6397d.exe	28

C:\Users\Admin\AppData\Local\Temp\420987758bb5c93abb4771a9aaf6397d.exe
"C:\Users\Admin\AppData\Local\Temp\420987758bb5c93abb4771a9aaf6397d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\KLSSrv.exe
  "C:\Windows\system32\KLSSrv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KLSSname.ini

Filesize
33B

MD5
1446b844f1f13a1e1770d80c5ea22f6b

SHA1
4444186c7c4cc36ffdc959a990113e92cb9d8e61

SHA256
73fa7e9363e4f318437ab1f43e53b1733f16824ba3224b121edfdbf965067d42

SHA512
14334ed0765dcdf0a6ce4d7ff1221c4a3f6d1faef0b90e3970905e776abb4a491e35c7f5ef72941751f8802329c5d2b571a923aab481aeee8250616c86b57e8b

Download Submit
C:\Windows\SysWOW64\KLSSrv.exe

Filesize
960KB

MD5
f6f12dec7aea8678ad858b0ac56c1cc9

SHA1
3e8e294886aa28683e297f38426dfbe69a53df03

SHA256
094b981c3f37f2c77a419ec8015462258934f460a440aebffa7a53e4e21cf07c

SHA512
bca9c347377b4f88cef906a2e6d00aefd1070cc06d6c38382e66e587ab1230a5445c6e24913a146b43285b1141ecff5ae67883bc751f421864270090770a6479

Download Submit
C:\Windows\SysWOW64\KLSsettings.dll

Filesize
111B

MD5
cc5b34a3170d8704bc5bc0b6c6b1b52d

SHA1
d61f9776c8588b68ccd631eabf966520bcd69e50

SHA256
89417acb3fb71c22683961fc0fd9cc34d7dd689046d660983feed7c4ea8a3b86

SHA512
89036e5855bee2576846dd30b8939ba3cc38ee7b7efa9c880c8018f82567be563d33bb2a16854af0897946c667cf45f77fbbec5d12e9da77ac42bd5891264c99

Download Submit
\Windows\SysWOW64\KLSDll.dll

Filesize
9KB

MD5
4a759e525f6aa722e02f4c79669472e1

SHA1
b656596fc2dedc7cd99ca0ffc9db090eacb47b95

SHA256
a18add1fa914202a7da48851d19cc87bb550f6fbd7f6b5a0377a94d600b5fedf

SHA512
cdb612913c2cce176bcc94c9ced2ee0caa96c63bb72e6b9a0223e92c299d2ba86869a3d0b9708a2fc343a1d5d50a9622bd4f2859ee256a2af2adeaa9f4fd9f25

Download Submit
\Windows\SysWOW64\KLSSrv.exe

Filesize
1.1MB

MD5
4a77c7d56d4d03384087ae4ef37712fc

SHA1
e87ef0a8ddcc5f5db10c13ed3190d018df815445

SHA256
ce967fee5d5a1854285962ae9f20c7b3041837e1737a6176e2ffe82ecc2ad05a

SHA512
02556aa8c851dd9f43eb79411095a0456e0dbcc17cfd4113aded16fab6224e614f66e4814a297e3fcdd4f9ba8797d51d63d27e9c4cc1f2ae977c00ec9414485d

Download Submit
\Windows\SysWOW64\KLSSrv.exe

Filesize
814KB

MD5
71bafe7af9f4c89b5157f5cdb1c9c23b

SHA1
5b2155631278d2471a61dff132fd4aff2f9b746c

SHA256
c709680b2103e34b64c9543c46961f6624b3844445c78b873e4229a82414a639

SHA512
370fff597018961d6a1e961a9caca3a0b142eec1e5822c289ea562dc7b593c02120ab3bf2eda493f48140bccffda2d86c661cc2e8b0818ebbef882519904ef17

Download Submit
memory/2408-29-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2408-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2828-47-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2828-79-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2828-30-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2828-57-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2828-61-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2828-69-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2828-70-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2828-45-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2828-90-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2828-102-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2828-106-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2828-119-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2828-130-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2828-142-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2828-152-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads