285a2d30c64963afb5f89422cd4db20da4e0c334a36bab3792b75aff18458f3b

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14-02-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b77c38f888e59493bc3255c9f99c15e.exe
Size

1.3MB
MD5

9b77c38f888e59493bc3255c9f99c15e
SHA1

3d20941657853f6834c0b33dff99fd284d32a298
SHA256

285a2d30c64963afb5f89422cd4db20da4e0c334a36bab3792b75aff18458f3b
SHA512

7f5c786a3ea63e121ec31e5970eb15c7a4b6023caf239bf512bcb6cc257e30e5fab4999367dbf1bbe82f9bc058dbcc29c9b759eb53b474f136419cd020052c07
SSDEEP

24576:MYtDdU+YdDm0UaIwhgTJz6qP4lpEZXzTnby1ZU2vgxLy7Nt/M:hdfBatod6qP4DEdX+RvELy7N

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\KAPFA.sys	KASetup.exe

Executes dropped EXE 5 IoCs

pid	Process
2904	KAgentSilent.exe
636	KASetup.exe
1344	KaUsrTsk.exe
2976	AgentMon.exe
2320	AgentMon.exe

Loads dropped DLL 16 IoCs

pid	Process
1976	9b77c38f888e59493bc3255c9f99c15e.exe
2904	KAgentSilent.exe
2904	KAgentSilent.exe
2904	KAgentSilent.exe
2904	KAgentSilent.exe
636	KASetup.exe
636	KASetup.exe
636	KASetup.exe
636	KASetup.exe
636	KASetup.exe
1976	9b77c38f888e59493bc3255c9f99c15e.exe
1976	9b77c38f888e59493bc3255c9f99c15e.exe
1976	9b77c38f888e59493bc3255c9f99c15e.exe
2320	AgentMon.exe
2320	AgentMon.exe
2320	AgentMon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KASHAVND9909425094573756 = "\"C:\\Program Files (x86)\\Kaseya\\AVND9909425094573756\\KaUsrTsk.exe\""	KASetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KaseyaSP.dll	KASetup.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\drivers\KaseyaD.VXD	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaUsrTsk.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\drivers\KAPFA.sys	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaFW.ini	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KasStats.log	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KasAgent.log	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\custom\offline.ico	9b77c38f888e59493bc3255c9f99c15e.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KasError.log	AgentMon.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KASetup.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KPrtPng.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KasFirewall.log	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\custom\noremote.ico	9b77c38f888e59493bc3255c9f99c15e.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.log	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\lastChk.txt	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KAgentExt.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KasError.log	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\custom\online.ico	9b77c38f888e59493bc3255c9f99c15e.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.bak	AgentMon.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\evLogBlkList.xml	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\kGetELMg64.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\drivers\KAPFA64.sys	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\drivers\KaseyaSP.dll	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini	9b77c38f888e59493bc3255c9f99c15e.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\custom\blink.ico	9b77c38f888e59493bc3255c9f99c15e.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KEventLog.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\sporder.dll	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.log	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KASetup.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\LogParser.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\Package.xml	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.bak	AgentMon.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\lastChk.txt	AgentMon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AgentMon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AgentMon.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1760	ipconfig.exe

Runs net.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe
1344	KaUsrTsk.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2904	1976	9b77c38f888e59493bc3255c9f99c15e.exe	28
PID 1976 wrote to memory of 2904	1976	9b77c38f888e59493bc3255c9f99c15e.exe	28
PID 1976 wrote to memory of 2904	1976	9b77c38f888e59493bc3255c9f99c15e.exe	28
PID 1976 wrote to memory of 2904	1976	9b77c38f888e59493bc3255c9f99c15e.exe	28
PID 1976 wrote to memory of 2904	1976	9b77c38f888e59493bc3255c9f99c15e.exe	28
PID 1976 wrote to memory of 2904	1976	9b77c38f888e59493bc3255c9f99c15e.exe	28
PID 1976 wrote to memory of 2904	1976	9b77c38f888e59493bc3255c9f99c15e.exe	28
PID 2904 wrote to memory of 636	2904	KAgentSilent.exe	29
PID 2904 wrote to memory of 636	2904	KAgentSilent.exe	29
PID 2904 wrote to memory of 636	2904	KAgentSilent.exe	29
PID 2904 wrote to memory of 636	2904	KAgentSilent.exe	29
PID 2904 wrote to memory of 636	2904	KAgentSilent.exe	29
PID 2904 wrote to memory of 636	2904	KAgentSilent.exe	29
PID 2904 wrote to memory of 636	2904	KAgentSilent.exe	29
PID 1976 wrote to memory of 1344	1976	9b77c38f888e59493bc3255c9f99c15e.exe	30
PID 1976 wrote to memory of 1344	1976	9b77c38f888e59493bc3255c9f99c15e.exe	30
PID 1976 wrote to memory of 1344	1976	9b77c38f888e59493bc3255c9f99c15e.exe	30
PID 1976 wrote to memory of 1344	1976	9b77c38f888e59493bc3255c9f99c15e.exe	30
PID 1976 wrote to memory of 2976	1976	9b77c38f888e59493bc3255c9f99c15e.exe	31
PID 1976 wrote to memory of 2976	1976	9b77c38f888e59493bc3255c9f99c15e.exe	31
PID 1976 wrote to memory of 2976	1976	9b77c38f888e59493bc3255c9f99c15e.exe	31
PID 1976 wrote to memory of 2976	1976	9b77c38f888e59493bc3255c9f99c15e.exe	31
PID 1344 wrote to memory of 1760	1344	KaUsrTsk.exe	33
PID 1344 wrote to memory of 1760	1344	KaUsrTsk.exe	33
PID 1344 wrote to memory of 1760	1344	KaUsrTsk.exe	33
PID 1344 wrote to memory of 1760	1344	KaUsrTsk.exe	33
PID 1344 wrote to memory of 2616	1344	KaUsrTsk.exe	35
PID 1344 wrote to memory of 2616	1344	KaUsrTsk.exe	35
PID 1344 wrote to memory of 2616	1344	KaUsrTsk.exe	35
PID 1344 wrote to memory of 2616	1344	KaUsrTsk.exe	35
PID 1344 wrote to memory of 2000	1344	KaUsrTsk.exe	36
PID 1344 wrote to memory of 2000	1344	KaUsrTsk.exe	36
PID 1344 wrote to memory of 2000	1344	KaUsrTsk.exe	36
PID 1344 wrote to memory of 2000	1344	KaUsrTsk.exe	36
PID 1344 wrote to memory of 672	1344	KaUsrTsk.exe	39
PID 1344 wrote to memory of 672	1344	KaUsrTsk.exe	39
PID 1344 wrote to memory of 672	1344	KaUsrTsk.exe	39
PID 1344 wrote to memory of 672	1344	KaUsrTsk.exe	39
PID 2320 wrote to memory of 2108	2320	AgentMon.exe	40
PID 2320 wrote to memory of 2108	2320	AgentMon.exe	40
PID 2320 wrote to memory of 2108	2320	AgentMon.exe	40
PID 2320 wrote to memory of 2108	2320	AgentMon.exe	40
PID 2320 wrote to memory of 2012	2320	AgentMon.exe	42
PID 2320 wrote to memory of 2012	2320	AgentMon.exe	42
PID 2320 wrote to memory of 2012	2320	AgentMon.exe	42
PID 2320 wrote to memory of 2012	2320	AgentMon.exe	42

C:\Users\Admin\AppData\Local\Temp\9b77c38f888e59493bc3255c9f99c15e.exe
"C:\Users\Admin\AppData\Local\Temp\9b77c38f888e59493bc3255c9f99c15e.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\KAgentSilent.exe
  KAgentSilent.exe /a /k /g AVND9909425094573756 /l "C:\Users\Admin\AppData\Local\Temp\KASetup.log" /v "1"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KASetup.exe
    "C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KASetup.exe" /k /g AVND9909425094573756 /l "C:\Users\Admin\AppData\Local\Temp\KASetup.log" /v "1" /s
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:636
- C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaUsrTsk.exe
  KaUsrTsk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1760
- - C:\Windows\SysWOW64\net.exe
    net use
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\net.exe
    net use
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\net.exe
    net use
    3⤵
    PID:672
- C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.exe
  agentmon.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2976

C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.exe
"C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C mkdir "c:\kworking\kLogConfig"
  2⤵
  PID:2108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /Y "c:\kworking\kLogConfig\*.*" c:\kworking\kLogConfig"
  2⤵
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.log

Filesize
113B

MD5
5eced5c3e35cf8dd8502c2dbf43b67ee

SHA1
d00b1709e0d0b994055c423936b3351fbcebecd7

SHA256
fccf87d2798c4ee1aaa699f748c509bd8c1a55064f85ece8dc82b93165a794c5

SHA512
bbe5bdd26c2944d6166a2f69a6bba63ac2a2c38c8429ace722ff2295aa93d9be6eaa1b7fb748b84c5069b22cfa9f7f619f6d2b405ae7d929dc9d84bd6ac78054

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.log

Filesize
229B

MD5
c97703c1365fdf026bb8d68996a7445f

SHA1
dc3e299163bfe4cc449c72162fa08a16de1c3c71

SHA256
701e7d5a89e140c2ccefdc75def838df6b05339a52703f9f0375dc1deb2b86e3

SHA512
ee875ba9bb5153e1003048c57f0f748223fdaca5e5fb3d40ed62482b542519a32bdd079aee14f9f2a56976cab19b2baafd5c446d4d48008de17bd85939eaf5b0

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini

Filesize
2KB

MD5
fa0072019f0f451e455f8b2215a02ddf

SHA1
d3cb4bebca43a72de2f859c1d3cff27930493bee

SHA256
6c8f1fceb7dc207b11470ae0654ad512fcf03405cc65fde961628d8a6973cf05

SHA512
7377309d2ea98aabc9ecf0576c50517e74d4a439820cddacc8a3cba6d4bfa149f520364d208ced8ffe8f88f72f3cf4f8036f46adcc9c31ea3345c941fa55dca8

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini

Filesize
2KB

MD5
8ac759ea43b1c4dfb39bcf2bf8c1208c

SHA1
296d083590bfea7a72abee9ac50e493e593b55b7

SHA256
b6006f9531bba958ab55695df0b2570db38489d22d38e60a3d0a63be8dfaf0ae

SHA512
e0e1ed1b9cd4ac3a82e898458b177a58dfe73b32ea53fad43a8f833cc489e78dabd55e352aa372604649f95ff35ebd9ad6a592a4e6d72c2be0669f7bf4cee831

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini

Filesize
2KB

MD5
a617c9fe1a59527160e4ef1bba8eb9c6

SHA1
04fcff4406457d37df0ba317d1aaee143886cdc0

SHA256
5e5a5ec4ce35e8cfbcb31118fee115cb212666de1fe97ae4b41fe5406e44ecce

SHA512
b58058fab0862d61d2a7a575fc4312c841c156e2d7886e5761846519ccb6164af5e07bc4d2a967cd72e8844f4d1a156feed123dc52a0306e75215a4d19407dfd

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini

Filesize
2KB

MD5
1463ece10b0b4a3d7475bfffb46656fd

SHA1
2aee8b1ace0f72c03ee6546fbab2e5effca97f78

SHA256
5e59b3ec95123b23cbf2b8c80e6aa426a2be4be139895f048550eafd5a838e8c

SHA512
b9e721578a124eea888b4cdecb18c488e669287be2ec69a97b4107ac76c9eff17233da261bad766c94d1df1930e2586bbc6b89ad351fbd0aa2d40b369fdc3b65

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini

Filesize
2KB

MD5
1a161e54cc72b1d43fd10923c6f60429

SHA1
68a644f5642a8942d7f53a8178905cd9e3f8ba7b

SHA256
aba7966436069abcad47fe16c468c3baae6e66ebc957f9087323078f2c9face2

SHA512
6372e9b684506b6323a8be955547f6cfd3d8ad385b41b7d72c937a5dcacf29680557f162f6e511576c663751c06dbb4ab5762f69fbad0bf9fd07dc8db7bf6607

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\Package.xml

Filesize
130B

MD5
bb07daff0aa25dd05fd33b74e8df9a35

SHA1
ebd8bf14f4ae4bcdda0ce966482c6ea41f49a1b4

SHA256
aea1eef03ef6f358e7d9d4bc3d9edfd53b4b899f38d0b6b5332e64ab5527907a

SHA512
0d32db96351ab28a28633238b9a0e72413e03ebb63855553f83d12e4c996775fbbf21c43eb6814a3e19c150138d167872d3c92767f7da872ee2a001f908c8a11

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\custom\offline.ico

Filesize
1KB

MD5
39c8c4fc8bc9e95f85b4515437374dae

SHA1
5a3d501622e273344a6db2cd3c4014fe4638a3db

SHA256
59a1aac853ec9e9a48c546244e4f9b0449ba51757fd6062a396cf5c7c916738b

SHA512
83a04cc519fbe701d2adcc4dbeace5ab896fb7a708176326a39829b6f3f4d327ff87e87a0596954df058271858e343ece55ec517ae5bc5966892b47e65ba5347

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\custom\online.ico

Filesize
1KB

MD5
5a6c04c2cc60cc665f0c63ae91d9142a

SHA1
a1374351d9aef8721efaf8a8075c71911ceda5d6

SHA256
1c61515219ed009ff682f72d34989f6208a5ab6f3e9f59721cc35b18309227a3

SHA512
2be8320c1bee9fcdf836347ee5bb3b5ec5e7de378f40e3da79c91d87b5523900b43ed851e7e44f12fc48b81e0bbe44362f07d3585b847d5097effd85c0cd5b13

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\evLogBlkList.xml

Filesize
609B

MD5
8520581577591ed4a27b43641762512f

SHA1
3293cccfebc2fd6e8c422b4c83e01a3f51c27f44

SHA256
c0b0329a8d51aa0e4e623e2d2abe1427a30723c0c0713b93a962de6b84140dd0

SHA512
e3aa66551e93c433dd415a55918dc457b4886af6ee6614c881c3ca5201719493b5fe2ef42bcee6d88eb509ca59627d30b43c7ad5e96ed10a30b331296a5fe88a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaseya\Kaseya Agent.lnk

Filesize
1KB

MD5
6a6ce939f15637585d6bf8de9dab5446

SHA1
a60e94288d475140bcf99e0892c816fe31e634d9

SHA256
53d9610486467269f71700d7fb71565715777ea21104a35e82159dcd9dd0bc6b

SHA512
096654fde61834ca1a4ce85be91ad1a5652ce895544cb00d5b1a405fbd5e100e3f710e8b1a4388f5736fac9cd4cb9be38ea089c71aedc620d5abb6df9ebc1f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
2KB

MD5
8254cd4bdffbeb584178ccdc81714303

SHA1
8078bf32c238b0a62e035d21c4a068a28a15ce4c

SHA256
ddfcc8e939cfd009fee02f88044b3f243e1443f4a23bacea05978e1fa5de1739

SHA512
0c221468480f0e198562483053b7bda6d18ac34b59fe10be83a53b4dc0527edcc5374d49ea71937231c3030d0fee0cd75f36b2ac08629f56e608298fd4dd8982

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
3KB

MD5
7dd73b1c526dfc680991f1e3a4ad2292

SHA1
e9a024e967cc550a0674bddab7dbe46819537ea5

SHA256
556c78d0853acacbf360fa05ea761e0182f239cfb2a1cd0f684d77af645a8ece

SHA512
400f8c203e588ac11f5ed5e2fa5de04a1424b53daa76c4cdfc1be61d38d9344781190d61596e9a99fbc61a00bf79eb446b33cc80df0e37af1893dae5c31cbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
4KB

MD5
4309587b0c0ed4169d9bafa872df9caf

SHA1
083f2334f80c0ddbacac7e778963c5df0c4608e1

SHA256
510b184e7f654ffaaa337d653d4a60e9e11302dabf32551c43e9fc7eacb2f06a

SHA512
f14d45323f36381cb260cb1031ef96c8d0c2d028ae18e68d56b335b22f76561d1c702e26412f4992010ef5aff42b75e43e28915c4e37ca5d46f0a81ad7c88017

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
10KB

MD5
4440a37318db550506480ee32c73f7c5

SHA1
6345d2938c37ab3b5df2fba61a7587b018272a9d

SHA256
c9582e74c7097ac68d0aa55dd599b4c34ec16c771e8ef981fa636dcb7d5426b1

SHA512
facb653f7243e9555669c2175f738a385b4bf00f0edda807525c009a9df43bb7869ac2bd4bb783d160c589b787e258768e6607738bd2aca62639f795356b6f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\KaseyaD.ini

Filesize
2KB

MD5
a9341897e8e341d4a1b298ac0e25bf1a

SHA1
427debc8f2250ebcebe9ba815dd85745350e5dd1

SHA256
6a9b919e85596505fb65864aa94f5a92e01dfea98444cd5099f383e44a5844ad

SHA512
61a721b76354b0539d07a885ce967ff50acc5da4b304fe0beaf1b8c3fc754328340d92c8ccb050b1ca38d171e4a243b4ed898e3832e78d62afd42dcd2bbf5210

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\AgentMon.exe

Filesize
728KB

MD5
ddeb42b13cdb7b05521edb45c25a0151

SHA1
eaaf15fa2f31dc9881b0f50bf0b9fa6472be774a

SHA256
58b6392eef742b2420c8f5ee2b97d25f16e67fcaaf124ef2a751d324e51898cd

SHA512
596b4b351d8fc2d4bf5cbc5a0262d22fbcc58d87a04219e5ce9441e5553c73562fabb5ca68fcada88d7a33bcd7262a1d71493e70b7503b1c0e98d525f8ad503f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KAPFA.sys

Filesize
16KB

MD5
14fa46806ddc1a2db571891324c68688

SHA1
aead4b8d5dd1eb9fd333bb3b99e8c6cfb7439a29

SHA256
94071ecfe3c96dfdea68df0a53093ab69f23dd2267dd000ec3f3375ed6f93bbc

SHA512
78ba886792714ab0e44b109682c701c2df56d543db841e729af9e38f76f0052cb507415c3c60568d09c51ffca1f7b5a17ea948faeb77d578192934e59288c30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KAPFA64.sys

Filesize
29KB

MD5
336cee54830a1ad9a61bd5d9d6c181e3

SHA1
83f10f3caa3aae4f495013c6c36baa8b6e500a05

SHA256
cbffac70f551eb3a8e0714d6f5c4fd35b7a61f60dd0164fe3119b3fc2f1d21f9

SHA512
aea07cc566fa308387a5880bc73ffc1bf0b74fe50a2f996fd9ebc9ce2647ef371276acf41f2dc3779fb44f6507c924e9b831b7a72a3dd342d0300bd1ea73e165

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KASetup.exe

Filesize
88KB

MD5
1c515f0781789deb5cdca1954c16a84b

SHA1
a6bb481b6d45a2ad202e49d17245ec98bd7598db

SHA256
503dfe3ff75728fdf6f16776ac38605fb0d085aeff3ddf124f001e7235ac11e6

SHA512
8691f2abe53b1850ae0da520571f921cf77ad4d7eab9f6f38e79b92a6d45bd56d8a4abceadf8cba2b494d7a0ef34118cca8af1a10dc3aa5dc60dca693666e4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KASetup.exe

Filesize
64KB

MD5
0effc93031ac5c5bd0f523fca3b626f0

SHA1
8d5b0ff21838a929c8eb4a49fff9583916632f6b

SHA256
0bdc98ffdb04f6191ca450c92af383db619e13ba331d5704d4a30533c9224b1e

SHA512
b76ccec62a97559a30f99cf86c3dd602c713f9067ce4a089676719c04ba57215dd7a43641b65ac6a9df7c20bfbc48968b0a13483a734e4c35feab9d11dd7a201

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KAgentExt.dll

Filesize
76KB

MD5
0899ef5806179890c085b558db2c63dd

SHA1
4e4c91649945c47dce9335a9cfb1ede1da2e47eb

SHA256
30fd003b1ffb0a673ccf4b81fbf974504fd5c361a7a959746b863a201863cd18

SHA512
68eba32103508abc136239868620de89b5b16411e8868cddf7606673297cf087fb7720ca28d217662aadcb0ea5a105f000e48f7e6ea45f3027b65b45fa27821d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KEventLog.dll

Filesize
128KB

MD5
e40db8437c308abfe09305933a92cec2

SHA1
77a3f4e991ca5ea48c9965f48bf735bbd55e7289

SHA256
dba05618ce322ea06a362208239d926ca07ebf8b149e1ff4b30494aff297770c

SHA512
478cc07f1fb1f3161a2633118a4226fd5cbe1a153aaed071d68105cf7b4a15ec365b92ad6028e5f5dd7658416b42135592d9e731db0599eec1a6b6cef2bd69a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KPrtPng.exe

Filesize
104KB

MD5
c3a8623ab5785db5caa6f5280ce0b38f

SHA1
2f72b10dfda63ed4af8476b2247426873b026f0a

SHA256
7c77447a02cf1f7ebcbf756247716dd05c6617878c2a96285c6613bab7dc85b9

SHA512
93f8673098c26c20ccd64211b755f7896cdac5beeac03c99a9827d89b2967148feefe896bf81ac057325d4abc6fd9b30b0e611af09e9520be7fdb0c0e209f429

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KaUsrTsk.exe

Filesize
316KB

MD5
61e0870e8352fc42a42e414ed55bf837

SHA1
b0ef19d08f40c77b2d31e9dd9aad087fd847a294

SHA256
501caa9f031da6a00bfefb5fe1123c730838e5d16476c103218b625935594e82

SHA512
aa52a44135095223ae4c0c00deffdba34ceebb693e3877af20d08cccc4d4270cab78b63ca6834e02b9abe676eb09a361a1a17dc5882c6d1aa072db7b1296b12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KaseyaD.VXD

Filesize
30KB

MD5
2bdd2b147075c82b1f802f2c503fad22

SHA1
db1472b622e391c931b7f23d828c167023818edd

SHA256
82762843c454aee6002264f1074ac4108a8f4e53b2862fa463cc7ba7345e9949

SHA512
25d722253cf3724afa0b9baba4b8ec67ab4505b27420f3aed65999f5fe33a0bf2091a19ad9d6c4f8e9cfb857b06db0794cb4e90b1786a000cda38d0e9cf3f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KaseyaD.ini

Filesize
2KB

MD5
3d8b610262459277622c3a3386a1c02b

SHA1
040550af4cbfe39c82fea4ba99ed011b69e478cf

SHA256
1529153a7259c1f855c932a487b809e357accee33ff5516b9c9b837f3dd5ecb5

SHA512
d13689e3380dea2b21deda5fcbedaf3bbd366d37e0885b6c37fffdf217ecb0176ee225136bf06a0c07550fd2ddc511c49fe85612245d2eb037a47588dc646079

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KaseyaFW.ini

Filesize
2KB

MD5
110bcfd4a9b3ace873e40d41ad039b72

SHA1
5f652ecfb90311a8a2e5a52424d333cc6234f0e0

SHA256
04e0218852ef83d415f1497c56088ec001e3fb72af3b487dbe171be13c636c04

SHA512
fe9f8c2062f4c2280fd6aaab244d97047e53989ba5817911580744d86177fd42f812a402a740c346e891bdd2b95d2086de19b9822239da025860dfd263616f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\KaseyaSP.dll

Filesize
132KB

MD5
06559cafead9fd6554f2191cba5f535b

SHA1
678d3988cbd7ee0b6e0ac27496fc09f06eef8f40

SHA256
4c0745df2291f50653094fea956858ed4917b571f8c9625a63ad808e1616fb65

SHA512
d11a3b92269d595c1a9709087426911ded0b9a042b61b3dbf63f166dc7c793259ee99738cd002f20ec00e2232e9865c6ad46f0be3959bf089ba0b5ddd7f06019

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\LogParser.dll

Filesize
132KB

MD5
f97b6619d66d8c7dfe933d19bad26c30

SHA1
47ef3f568d01a291da2b67bf87085726457f7c9c

SHA256
092383b5ca5cdc01969e33f316a775be3bb39e68bd45b8f6cd8943f35383b242

SHA512
99c8c172870f6dc57870ad6a69df85c709bc0386b5e898d658bc8f2219e31324f2e2ac82a6ae4c85a65ddd58f5961ffb4fa3aa3e679ecb24b393f6c077f8a2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\kGetELMg64.exe

Filesize
94KB

MD5
07a4918403b3b96d9fdeba51ab3cc224

SHA1
268df049b2b19fbf2e2aae2085c85bd67c8dbc27

SHA256
b4acf11dac17dcc26c23f0f148491727056a29f0c22308478be92a8d04278fd5

SHA512
26c7b000984fd4b06b25b8554b4694c52d75a3c77a074509df6444c89befe40013b181262ea56bf3a8d1c7a8d08529c12ca7a13fb3cc36ba891958c589c242fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\pftw1.pkg

Filesize
926KB

MD5
3be27138201a97e10a702517ae21b875

SHA1
93f636d7738f3218793abef52db13483b1c1ac15

SHA256
6e4e9bccb952d2e6b3190ab58cc38379be21aadc66a11df1b8f05f225b2dc80e

SHA512
5fb465fe8526b3e2e883ebc2b2865bc20aefa69dee88934bca38e4c5d292950791d12f2c99dcda50b01fae932f1a7bb93d266b4be1663be9384f45fc8d677e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft5247.tmp\sporder.dll

Filesize
9KB

MD5
e2050130c7c0ec056a44237bbb8feb43

SHA1
8aab6d37d7b9663896c47b6fcc7fbf89781599df

SHA256
aa06892b2869b24218e21f87070abab39e177f0edfedc30fd9ae169e8faf23f9

SHA512
70507ef106ee91d5970c8ac351c060e329236f4920c96612a160b0db827e0354d5c5aaa096c2b77c301294b9ce680aadd5ade56ce345ad46779bd73901c581a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\plf51C8.tmp

Filesize
5KB

MD5
cfaec980a3639a6b33704c0db20cb812

SHA1
e9402b1deb9293d51ea7a45ff5aea0f5bff1ea8f

SHA256
55023b00e2c2401272d0ad7b4b633814869483b6d939c5d4910e4ff18eeeee6c

SHA512
72bb65180098c195ea74c7dacf24500d98bbd872149e4247bdc98b3a12fabd2fd6846a61b7d30e610748d49348c347a1cec5939276e3a0b30703aeeb591017b2

Download Submit
\Users\Admin\AppData\Local\Temp\KAgentSilent.exe

Filesize
1.2MB

MD5
b88dbe0131aa4cdf9f764f7245badca6

SHA1
a9f39985a4104956d45343aba2de4973a4fa07a4

SHA256
0c1af4b264fa29fc61c672f1eca7f001cb69fa768dad880a0885c694a5272718

SHA512
e2edcc0ea8417104344fe1173e8aa11cc947adafe987f5b6f6d30a1ab8f0d8f3a1e15e163b4745293dd1c75af8e8cc216529ae6b0fa00d7f496f6c3efd863c80

Download Submit
\Users\Admin\AppData\Local\Temp\pft5247.tmp\KASetup.exe

Filesize
173KB

MD5
0dfdbd04b658a0e1e9be497ef0beecfc

SHA1
5217e916a352640d0cd7476dd06ae2d28e7af412

SHA256
bb3bf0fd5da2eed73fe6fc5971c44ed529a03874d86ffa6d64d63e719c03cc6b

SHA512
a7d70fd24dfcb14eb6e2a89668564189beb91649bc02096c085cbc88f690100c277a5b989f42a8b1036f82c62bc5b337f5affbd1620909e1c77ad0cee4d734b1

Download Submit
memory/2320-305-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads