d70e292a21ebc5ca1675ca585bcae52a51aad4bcee9bbbaf44b0a2cc635b64c7

General

Target

Kayflockmp4.exe
Size

429KB
MD5

b88444cf2c03ce4efe2a1608a379ee53
SHA1

68d9285ee72288656c258cf9db9c564226a48ddb
SHA256

d70e292a21ebc5ca1675ca585bcae52a51aad4bcee9bbbaf44b0a2cc635b64c7
SHA512

7c9e116a417f2a15d2ca3f70b61697c9e34b6131b12221032cde9d64c41993f6f8cfa34196ed99122aa34d59159955d6362827f0d4eee1688bce465539e8d633
SSDEEP

12288:Zt5NpMGK6Ia5Jr4IQAvq3eSKXvVZhuwxHvh:Zt5NGGzIo3QSqOS+VZhT

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe

Executes dropped EXE 1 IoCs

pid	Process
5044	loader.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000200000002a7ca-3.dat	themida
behavioral1/files/0x000200000002a7ca-2.dat	themida
behavioral1/memory/5044-4-0x00007FF641090000-0x00007FF641B2F000-memory.dmp	themida
behavioral1/memory/5044-6-0x00007FF641090000-0x00007FF641B2F000-memory.dmp	themida
behavioral1/memory/5044-7-0x00007FF641090000-0x00007FF641B2F000-memory.dmp	themida
behavioral1/memory/5044-8-0x00007FF641090000-0x00007FF641B2F000-memory.dmp	themida
behavioral1/memory/5044-9-0x00007FF641090000-0x00007FF641B2F000-memory.dmp	themida
behavioral1/memory/5044-10-0x00007FF641090000-0x00007FF641B2F000-memory.dmp	themida
behavioral1/memory/5044-11-0x00007FF641090000-0x00007FF641B2F000-memory.dmp	themida
behavioral1/memory/5044-12-0x00007FF641090000-0x00007FF641B2F000-memory.dmp	themida
behavioral1/memory/5044-13-0x00007FF641090000-0x00007FF641B2F000-memory.dmp	themida
behavioral1/memory/5044-14-0x00007FF641090000-0x00007FF641B2F000-memory.dmp	themida
behavioral1/memory/5044-15-0x00007FF641090000-0x00007FF641B2F000-memory.dmp	themida
behavioral1/memory/5044-18-0x00007FF641090000-0x00007FF641B2F000-memory.dmp	themida
behavioral1/memory/5044-19-0x00007FF641090000-0x00007FF641B2F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5044	loader.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5044	loader.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5044	loader.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 1744	2884	Kayflockmp4.exe	80
PID 2884 wrote to memory of 1744	2884	Kayflockmp4.exe	80
PID 1744 wrote to memory of 5044	1744	cmd.exe	81
PID 1744 wrote to memory of 5044	1744	cmd.exe	81
PID 5044 wrote to memory of 4208	5044	loader.exe	83
PID 5044 wrote to memory of 4208	5044	loader.exe	83
PID 4208 wrote to memory of 5064	4208	cmd.exe	84
PID 4208 wrote to memory of 5064	4208	cmd.exe	84
PID 4208 wrote to memory of 1464	4208	cmd.exe	86
PID 4208 wrote to memory of 1464	4208	cmd.exe	86
PID 4208 wrote to memory of 4320	4208	cmd.exe	85
PID 4208 wrote to memory of 4320	4208	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\Kayflockmp4.exe
"C:\Users\Admin\AppData\Local\Temp\Kayflockmp4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
    C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4208
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5
        5⤵
        
        PID:5064
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:4320
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
1.7MB

MD5
1e2867e4f0c07da6a132d7694e238882

SHA1
265bec89666ea429d0606f05cddf334a3b69b043

SHA256
290b2abac6de033aff7f336a09772076edd2b877585210d47bcde949206788cd

SHA512
3337ae8feb83ae9bf7a2eb982afee9924e6fea60c8b40d80db7adc1160493edb430c36bdbebf74812e2748eef7310475250282d5d36202967cd617b05b0a1395

Download Submit
C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
1.9MB

MD5
a7bc206525c7892cfbaa59a544c13849

SHA1
54d4a284b005cccbe40700cbebd0762b5512241f

SHA256
0cdc6c1be8071c7fdf64c365ea7ce1fc411c4cae867afdc256eb8d6b729859c5

SHA512
4506ff3e95346ecaa4a6480c8c9328bf9e0dd2860583dfff0e393972cb9e13f6a7d5d526c6853289a8522a7db113e9294e3bf8be386a78b2e88f6a8626c79068

Download Submit
memory/5044-10-0x00007FF641090000-0x00007FF641B2F000-memory.dmp

Filesize
10.6MB

Download
memory/5044-11-0x00007FF641090000-0x00007FF641B2F000-memory.dmp

Filesize
10.6MB

Download
memory/5044-6-0x00007FF641090000-0x00007FF641B2F000-memory.dmp

Filesize
10.6MB

Download
memory/5044-7-0x00007FF641090000-0x00007FF641B2F000-memory.dmp

Filesize
10.6MB

Download
memory/5044-8-0x00007FF641090000-0x00007FF641B2F000-memory.dmp

Filesize
10.6MB

Download
memory/5044-9-0x00007FF641090000-0x00007FF641B2F000-memory.dmp

Filesize
10.6MB

Download
memory/5044-4-0x00007FF641090000-0x00007FF641B2F000-memory.dmp

Filesize
10.6MB

Download
memory/5044-5-0x00007FFACE3E0000-0x00007FFACE5E9000-memory.dmp

Filesize
2.0MB

Download
memory/5044-12-0x00007FF641090000-0x00007FF641B2F000-memory.dmp

Filesize
10.6MB

Download
memory/5044-13-0x00007FF641090000-0x00007FF641B2F000-memory.dmp

Filesize
10.6MB

Download
memory/5044-14-0x00007FF641090000-0x00007FF641B2F000-memory.dmp

Filesize
10.6MB

Download
memory/5044-15-0x00007FF641090000-0x00007FF641B2F000-memory.dmp

Filesize
10.6MB

Download
memory/5044-16-0x00007FFACE3E0000-0x00007FFACE5E9000-memory.dmp

Filesize
2.0MB

Download
memory/5044-18-0x00007FF641090000-0x00007FF641B2F000-memory.dmp

Filesize
10.6MB

Download
memory/5044-19-0x00007FF641090000-0x00007FF641B2F000-memory.dmp

Filesize
10.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads