d70e292a21ebc5ca1675ca585bcae52a51aad4bcee9bbbaf44b0a2cc635b64c7

Resubmissions

07/01/2024, 17:33

240107-v5cdcaccf5 9

07/01/2024, 17:33

240107-v49mfsbdbl 9

Analysis

max time kernel
92s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
07/01/2024, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kayflockmp4.exe
Size

429KB
MD5

b88444cf2c03ce4efe2a1608a379ee53
SHA1

68d9285ee72288656c258cf9db9c564226a48ddb
SHA256

d70e292a21ebc5ca1675ca585bcae52a51aad4bcee9bbbaf44b0a2cc635b64c7
SHA512

7c9e116a417f2a15d2ca3f70b61697c9e34b6131b12221032cde9d64c41993f6f8cfa34196ed99122aa34d59159955d6362827f0d4eee1688bce465539e8d633
SSDEEP

12288:Zt5NpMGK6Ia5Jr4IQAvq3eSKXvVZhuwxHvh:Zt5NGGzIo3QSqOS+VZhT

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe

Executes dropped EXE 1 IoCs

pid	Process
2184	loader.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral3/memory/2184-4-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp	themida
behavioral3/files/0x000300000002a7d6-2.dat	themida
behavioral3/memory/2184-7-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp	themida
behavioral3/memory/2184-6-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp	themida
behavioral3/memory/2184-8-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp	themida
behavioral3/memory/2184-10-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp	themida
behavioral3/memory/2184-11-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp	themida
behavioral3/memory/2184-12-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp	themida
behavioral3/memory/2184-9-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp	themida
behavioral3/memory/2184-13-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp	themida
behavioral3/memory/2184-21-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp	themida
behavioral3/memory/2184-22-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2184	loader.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2184	loader.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2184	loader.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 2936	4372	Kayflockmp4.exe	81
PID 4372 wrote to memory of 2936	4372	Kayflockmp4.exe	81
PID 2936 wrote to memory of 2184	2936	cmd.exe	82
PID 2936 wrote to memory of 2184	2936	cmd.exe	82
PID 2184 wrote to memory of 2156	2184	loader.exe	87
PID 2184 wrote to memory of 2156	2184	loader.exe	87
PID 2156 wrote to memory of 4328	2156	cmd.exe	86
PID 2156 wrote to memory of 4328	2156	cmd.exe	86
PID 2156 wrote to memory of 420	2156	cmd.exe	85
PID 2156 wrote to memory of 420	2156	cmd.exe	85
PID 2156 wrote to memory of 1188	2156	cmd.exe	84
PID 2156 wrote to memory of 1188	2156	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\Kayflockmp4.exe
"C:\Users\Admin\AppData\Local\Temp\Kayflockmp4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
    C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2156

C:\Windows\system32\find.exe
find /i /v "certutil"
1⤵
PID:1188

C:\Windows\system32\find.exe
find /i /v "md5"
1⤵
PID:420

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
893KB

MD5
edc620a0e79fe84b8b377db85c7d5597

SHA1
d017e81a012034aefd126bdd60f9392e5e437467

SHA256
b0007867b61375f669eab94a6dd3d8fa654928f53a774d868a0b2cdf9dc1ec1b

SHA512
df4ac3468b4a87204000edf2bcfe44d6e2e764416b0b16fe396ba4eaa265fb21ceb9246691320615443091d507a3d67c96b497b4aa6a967c5b3580bb1852141f

Download Submit
memory/2184-10-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp

Filesize
10.6MB

Download
memory/2184-12-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp

Filesize
10.6MB

Download
memory/2184-7-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp

Filesize
10.6MB

Download
memory/2184-6-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp

Filesize
10.6MB

Download
memory/2184-8-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp

Filesize
10.6MB

Download
memory/2184-4-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp

Filesize
10.6MB

Download
memory/2184-11-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp

Filesize
10.6MB

Download
memory/2184-5-0x00007FFEEFBC0000-0x00007FFEEFDC9000-memory.dmp

Filesize
2.0MB

Download
memory/2184-9-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp

Filesize
10.6MB

Download
memory/2184-13-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp

Filesize
10.6MB

Download
memory/2184-15-0x00007FFEEFBC0000-0x00007FFEEFDC9000-memory.dmp

Filesize
2.0MB

Download
memory/2184-21-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp

Filesize
10.6MB

Download
memory/2184-23-0x00007FFEEFBC0000-0x00007FFEEFDC9000-memory.dmp

Filesize
2.0MB

Download
memory/2184-22-0x00007FF67FA70000-0x00007FF68050F000-memory.dmp

Filesize
10.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads