285a2d30c64963afb5f89422cd4db20da4e0c334a36bab3792b75aff18458f3b

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b77c38f888e59493bc3255c9f99c15e.exe
Size

1.3MB
MD5

9b77c38f888e59493bc3255c9f99c15e
SHA1

3d20941657853f6834c0b33dff99fd284d32a298
SHA256

285a2d30c64963afb5f89422cd4db20da4e0c334a36bab3792b75aff18458f3b
SHA512

7f5c786a3ea63e121ec31e5970eb15c7a4b6023caf239bf512bcb6cc257e30e5fab4999367dbf1bbe82f9bc058dbcc29c9b759eb53b474f136419cd020052c07
SSDEEP

24576:MYtDdU+YdDm0UaIwhgTJz6qP4lpEZXzTnby1ZU2vgxLy7Nt/M:hdfBatod6qP4DEdX+RvELy7N

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\KAPFA.sys	KASetup.exe

Executes dropped EXE 5 IoCs

pid	Process
4400	KAgentSilent.exe
636	KASetup.exe
3500	KaUsrTsk.exe
2464	AgentMon.exe
4404	AgentMon.exe

Loads dropped DLL 3 IoCs

pid	Process
4404	AgentMon.exe
4404	AgentMon.exe
4404	AgentMon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KASHAVND9909425094573756 = "\"C:\\Program Files (x86)\\Kaseya\\AVND9909425094573756\\KaUsrTsk.exe\""	KASetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KaseyaSP.dll	KASetup.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KPrtPng.exe	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\evLogBlkList.xml	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KASetup.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KasStats.log	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\lastChk.txt	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.bak	AgentMon.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KASetup.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KasError.log	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.log	AgentMon.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.bak	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\sporder.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\Package.xml	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\custom\blink.ico	9b77c38f888e59493bc3255c9f99c15e.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\custom\offline.ico	9b77c38f888e59493bc3255c9f99c15e.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KAgentExt.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\kGetELMg64.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KEventLog.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\drivers\KaseyaSP.dll	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KasAgent.log	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini	9b77c38f888e59493bc3255c9f99c15e.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaUsrTsk.exe	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\drivers\KAPFA.sys	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.log	AgentMon.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\lastChk.txt	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\drivers\KaseyaD.VXD	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\custom\noremote.ico	9b77c38f888e59493bc3255c9f99c15e.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\custom\online.ico	9b77c38f888e59493bc3255c9f99c15e.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaFW.ini	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\drivers\KAPFA64.sys	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini	KASetup.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KasFirewall.log	KASetup.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KasError.log	AgentMon.exe
File opened for modification	C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini	AgentMon.exe
File created	C:\Program Files (x86)\Kaseya\AVND9909425094573756\LogParser.dll	KASetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AgentMon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AgentMon.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4420	ipconfig.exe

Runs net.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe
3500	KaUsrTsk.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 4400	4564	9b77c38f888e59493bc3255c9f99c15e.exe	84
PID 4564 wrote to memory of 4400	4564	9b77c38f888e59493bc3255c9f99c15e.exe	84
PID 4564 wrote to memory of 4400	4564	9b77c38f888e59493bc3255c9f99c15e.exe	84
PID 4400 wrote to memory of 636	4400	KAgentSilent.exe	85
PID 4400 wrote to memory of 636	4400	KAgentSilent.exe	85
PID 4400 wrote to memory of 636	4400	KAgentSilent.exe	85
PID 4564 wrote to memory of 3500	4564	9b77c38f888e59493bc3255c9f99c15e.exe	89
PID 4564 wrote to memory of 3500	4564	9b77c38f888e59493bc3255c9f99c15e.exe	89
PID 4564 wrote to memory of 3500	4564	9b77c38f888e59493bc3255c9f99c15e.exe	89
PID 4564 wrote to memory of 2464	4564	9b77c38f888e59493bc3255c9f99c15e.exe	90
PID 4564 wrote to memory of 2464	4564	9b77c38f888e59493bc3255c9f99c15e.exe	90
PID 4564 wrote to memory of 2464	4564	9b77c38f888e59493bc3255c9f99c15e.exe	90
PID 3500 wrote to memory of 4420	3500	KaUsrTsk.exe	94
PID 3500 wrote to memory of 4420	3500	KaUsrTsk.exe	94
PID 3500 wrote to memory of 4420	3500	KaUsrTsk.exe	94
PID 3500 wrote to memory of 4592	3500	KaUsrTsk.exe	98
PID 3500 wrote to memory of 4592	3500	KaUsrTsk.exe	98
PID 3500 wrote to memory of 4592	3500	KaUsrTsk.exe	98
PID 3500 wrote to memory of 3428	3500	KaUsrTsk.exe	100
PID 3500 wrote to memory of 3428	3500	KaUsrTsk.exe	100
PID 3500 wrote to memory of 3428	3500	KaUsrTsk.exe	100
PID 3500 wrote to memory of 1540	3500	KaUsrTsk.exe	101
PID 3500 wrote to memory of 1540	3500	KaUsrTsk.exe	101
PID 3500 wrote to memory of 1540	3500	KaUsrTsk.exe	101
PID 4404 wrote to memory of 1880	4404	AgentMon.exe	102
PID 4404 wrote to memory of 1880	4404	AgentMon.exe	102
PID 4404 wrote to memory of 1880	4404	AgentMon.exe	102
PID 4404 wrote to memory of 4328	4404	AgentMon.exe	104
PID 4404 wrote to memory of 4328	4404	AgentMon.exe	104
PID 4404 wrote to memory of 4328	4404	AgentMon.exe	104

C:\Users\Admin\AppData\Local\Temp\9b77c38f888e59493bc3255c9f99c15e.exe
"C:\Users\Admin\AppData\Local\Temp\9b77c38f888e59493bc3255c9f99c15e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\KAgentSilent.exe
  KAgentSilent.exe /a /k /g AVND9909425094573756 /l "C:\Users\Admin\AppData\Local\Temp\KASetup.log" /v "1"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\KASetup.exe
    "C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\KASetup.exe" /k /g AVND9909425094573756 /l "C:\Users\Admin\AppData\Local\Temp\KASetup.log" /v "1" /s
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:636
- C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaUsrTsk.exe
  KaUsrTsk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:4420
- - C:\Windows\SysWOW64\net.exe
    net use
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\net.exe
    net use
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\net.exe
    net use
    3⤵
    PID:1540
- C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.exe
  agentmon.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2464

C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.exe
"C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C mkdir "c:\kworking\kLogConfig"
  2⤵
  PID:1880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /Y "c:\kworking\kLogConfig\*.*" c:\kworking\kLogConfig"
  2⤵
  PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kaseya\AVND9909425094573756\AgentMon.log

Filesize
508B

MD5
8e854906ad8013fd04d3f9cd76f5ba85

SHA1
20b7b7fc9516d8f01cf5434fc30e972b7030f970

SHA256
d5e4b210c09c3ad2f43c80e521c8d934c63fd9a31cdfe8694072ff9514810b9a

SHA512
9baf9a55ea9a83276e766ccb6984df7a2dc8317a581e118d555040b8d8b7d19a5d8a68a8795cc81f2d01b954a2ebc5a99bbf2ace289a1e95a3f2f4100318b6d0

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini

Filesize
2KB

MD5
8284ce4c0a4b05f72fb2893e7cdded0f

SHA1
5c9b9ef272af22e9c4cefb63bfca2e5ee5392088

SHA256
0ef9e089d0ec3e2024a61288cbe7b55ca7c0d613dc5e891aa1ca8a53d8ca26ca

SHA512
2442ed8f68206906deb3adcacab24642bbad394c3da022485026b37b9a195fdb1f1fd98168b66676337bd9bcdfb8236330995016628e2064f927c9c1b70fd749

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini

Filesize
2KB

MD5
2a3495a4b3c2f2707ca67043dcbdd0be

SHA1
a7d8a9d1f4233b24b0d44f3fbeaff537698afd29

SHA256
1c2cdb044374b213caf7c39adbdbfbf3866bf975a793ba8ab9826e30edfdf2ef

SHA512
84bbb17c6bd63577480d5f2689cf1bc180c5aa67d4c140464d61a4ee14a926ff41f581f051856d02c457886b69e7db16698f75f1f8015f082bd825d76295d157

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini

Filesize
2KB

MD5
7e0b902d075c91d41fc290b27cd2525a

SHA1
d43e88d3871ed3f565699679bd187e7328f827d9

SHA256
2150eb24b4be4093e8e1809fe14d5f80549537c3137d51f30c69b1d4f61ec662

SHA512
c848a86127df7737e1021d1834c9046c61c1ffd78b42d20c3c5cf262b9beb61df423a4cde33aaf2c4e7887fce7dbf73eab0eee8961863df8e91cfb54135c2f2c

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini

Filesize
2KB

MD5
25c5f8ea3d81a7018ce22e9abd459208

SHA1
c7567aeb8112abf1aad06f7b0924fe7c1e138d65

SHA256
40b71bd7f9144e5f6ab9075cf29c5ac9ec655ebaf56d5143ee9c29ad9798d820

SHA512
8188b421c7cc236a9799868f5adb1b2342250ca5ba89a636cfe8bc0c9364dd11f2508aa24a7837957e6a77fde3d06afb1d2b5a05b525927dd6775a401d8620e5

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini

Filesize
2KB

MD5
638213de0f2b44cab9556d20bbb12c8d

SHA1
4503ef6a15452d283fdba260baa133e4f1e491c2

SHA256
359559df09fd435251d8fc8a52b780fa20f7334b58bf4401d8d1c5d8de48363e

SHA512
0a3684b4ad88d1a0aca255e60b5dee1bee64216b4173ec3474d98439c6b3035a922beb3bd43ec49c1864514b7868b22135e9c3138450b03bb2e00a21d634b7b7

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini

Filesize
2KB

MD5
c633b62dd350a9a73299908a112acfa7

SHA1
00c6008de4e2bf88dd49817cd96d83756cc70bb7

SHA256
52708591c517fb49c5c80fccdae3bc7a888cfc8954d50489dcca5bbe133edc2d

SHA512
1b4c53af58d2f1f38114424fbcd88f23c2a19fc1be9631c4aa0c20f61a6228388a2680aacb220388610b375095e29671ffb870f8d3d189f129fe6392403f6d82

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\KaseyaD.ini

Filesize
2KB

MD5
07cf82adc36dd24e3adce9fd4ca40b38

SHA1
23711432ac6c169e0b24a7b4dbc6a7be2e195378

SHA256
5a4f15b51c0f4f0a799de6918b780c556f889b0e32205a8f55df6c29d86cb594

SHA512
1f34f4c4e2a5b4edf45bbf301c8033c5d41b47a2f05f51dade40347c57d83ed3bb08137187ba0f14af3ba8dd167caece9e66b737aaaba0eb2a99b3b6d5a12ec0

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\Package.xml

Filesize
130B

MD5
bb07daff0aa25dd05fd33b74e8df9a35

SHA1
ebd8bf14f4ae4bcdda0ce966482c6ea41f49a1b4

SHA256
aea1eef03ef6f358e7d9d4bc3d9edfd53b4b899f38d0b6b5332e64ab5527907a

SHA512
0d32db96351ab28a28633238b9a0e72413e03ebb63855553f83d12e4c996775fbbf21c43eb6814a3e19c150138d167872d3c92767f7da872ee2a001f908c8a11

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\custom\offline.ico

Filesize
1KB

MD5
39c8c4fc8bc9e95f85b4515437374dae

SHA1
5a3d501622e273344a6db2cd3c4014fe4638a3db

SHA256
59a1aac853ec9e9a48c546244e4f9b0449ba51757fd6062a396cf5c7c916738b

SHA512
83a04cc519fbe701d2adcc4dbeace5ab896fb7a708176326a39829b6f3f4d327ff87e87a0596954df058271858e343ece55ec517ae5bc5966892b47e65ba5347

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\custom\online.ico

Filesize
1KB

MD5
5a6c04c2cc60cc665f0c63ae91d9142a

SHA1
a1374351d9aef8721efaf8a8075c71911ceda5d6

SHA256
1c61515219ed009ff682f72d34989f6208a5ab6f3e9f59721cc35b18309227a3

SHA512
2be8320c1bee9fcdf836347ee5bb3b5ec5e7de378f40e3da79c91d87b5523900b43ed851e7e44f12fc48b81e0bbe44362f07d3585b847d5097effd85c0cd5b13

Download Submit
C:\Program Files (x86)\Kaseya\AVND9909425094573756\evLogBlkList.xml

Filesize
609B

MD5
8520581577591ed4a27b43641762512f

SHA1
3293cccfebc2fd6e8c422b4c83e01a3f51c27f44

SHA256
c0b0329a8d51aa0e4e623e2d2abe1427a30723c0c0713b93a962de6b84140dd0

SHA512
e3aa66551e93c433dd415a55918dc457b4886af6ee6614c881c3ca5201719493b5fe2ef42bcee6d88eb509ca59627d30b43c7ad5e96ed10a30b331296a5fe88a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaseya\Kaseya Agent.lnk

Filesize
1KB

MD5
9f7808f1c5e212a5c5e83a8f196303be

SHA1
662913c60851cdfde1149036f07a7a7b242b55d9

SHA256
bea81cf6a00805fc7e47c0126e066a5b2acbff20d7525b01328e606eb29faf99

SHA512
8011d94e58146ea850348cc8fbb446e83f4b8567f5a4ecfb112b1247ffae983c1e74129f6db920932270792e9b14779029e0916f5f7e07c391b2d1e36d6fe806

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
2KB

MD5
bf3e0e0d05a8bcad6760d9ef6601bf3b

SHA1
7b767411dfc1e6ecefcc4578fe77d1b935adba65

SHA256
cc7b8077eda008b9b7152cb283daa1651b910511c8a5ba1014cb0b0b1a14c097

SHA512
fd255191c52108031b37ecbd34e9bd160579353fd7edfeba39d9c87369263ce0bb88a22415597811e08e67140eafb8ca18ac9bc02cc6d63cde1b9762dabc345c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
3KB

MD5
85bd39995ab2b2a0b1bbd37f6c480e05

SHA1
0acd0c26e8be96f5b0acc3423c1d72813fda47ed

SHA256
77c5300c82c0fc9a784cf1601be597d0ddad2c88a5ed69b6e4fb290dcffd52c9

SHA512
46f317eef270e692f1475d598ab3e2dd53b8998be94477279942ba16b9880e6cf1d0db9ad81dc7767e66d97772cc1458336e4e9f333011677184bc747281ae1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
3KB

MD5
a3b28a05706de3fc8c53f8c57f47b0f8

SHA1
0a5ecdc21ba6ff4ffc43ed1821c251d947adaaed

SHA256
b93b09afd5a3667a3d790e8168b2ef0b9ea4c649beb97b110483f4376ba7f188

SHA512
b4b5f814e066223011627343d9a9c62b7b36e8804c7466622bfd440cd4095e0faa3b72af8d9bea6303d56e8fa066ce6aec21faf1ef4a8f377d4aa8390763107f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
5KB

MD5
6220ca8eec54c4276bfcfbb8badfdf27

SHA1
890601599f3fdbd140454c3d9cd6b1df975d9687

SHA256
0a6b29dd1e65b7ac232ef656219926e90389347e192c989059f9b444568c556e

SHA512
460749838640fc364020674dd6292b18d15bdc90e3e08424cec01088911bab66d389b5c5f70d130bd8de05874763a638c2f19028bd24d522ee0d344e5d2cfb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KASetup.log

Filesize
10KB

MD5
b9bf1ac928ab1d25ef764b1d8cfd7b3e

SHA1
2296fa3344a50ff573869b028ffdd1b81acbb992

SHA256
0be8e4bba2ff4dc2d3adc3abd9d71cee252b837a297aa2f35b7fe46d940f5b54

SHA512
570239c63d140bce5516e70cba754fb993f54738b0ece2fc946554dbb9433e648db58c19d00370beb4a9133cdefd98c0b56179ad25c4c151c8ab554d7d26f407

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAgentSilent.exe

Filesize
1.2MB

MD5
b88dbe0131aa4cdf9f764f7245badca6

SHA1
a9f39985a4104956d45343aba2de4973a4fa07a4

SHA256
0c1af4b264fa29fc61c672f1eca7f001cb69fa768dad880a0885c694a5272718

SHA512
e2edcc0ea8417104344fe1173e8aa11cc947adafe987f5b6f6d30a1ab8f0d8f3a1e15e163b4745293dd1c75af8e8cc216529ae6b0fa00d7f496f6c3efd863c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\AgentMon.exe

Filesize
728KB

MD5
ddeb42b13cdb7b05521edb45c25a0151

SHA1
eaaf15fa2f31dc9881b0f50bf0b9fa6472be774a

SHA256
58b6392eef742b2420c8f5ee2b97d25f16e67fcaaf124ef2a751d324e51898cd

SHA512
596b4b351d8fc2d4bf5cbc5a0262d22fbcc58d87a04219e5ce9441e5553c73562fabb5ca68fcada88d7a33bcd7262a1d71493e70b7503b1c0e98d525f8ad503f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\KAPFA.sys

Filesize
16KB

MD5
14fa46806ddc1a2db571891324c68688

SHA1
aead4b8d5dd1eb9fd333bb3b99e8c6cfb7439a29

SHA256
94071ecfe3c96dfdea68df0a53093ab69f23dd2267dd000ec3f3375ed6f93bbc

SHA512
78ba886792714ab0e44b109682c701c2df56d543db841e729af9e38f76f0052cb507415c3c60568d09c51ffca1f7b5a17ea948faeb77d578192934e59288c30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\KAPFA64.sys

Filesize
29KB

MD5
336cee54830a1ad9a61bd5d9d6c181e3

SHA1
83f10f3caa3aae4f495013c6c36baa8b6e500a05

SHA256
cbffac70f551eb3a8e0714d6f5c4fd35b7a61f60dd0164fe3119b3fc2f1d21f9

SHA512
aea07cc566fa308387a5880bc73ffc1bf0b74fe50a2f996fd9ebc9ce2647ef371276acf41f2dc3779fb44f6507c924e9b831b7a72a3dd342d0300bd1ea73e165

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\KASetup.exe

Filesize
173KB

MD5
0dfdbd04b658a0e1e9be497ef0beecfc

SHA1
5217e916a352640d0cd7476dd06ae2d28e7af412

SHA256
bb3bf0fd5da2eed73fe6fc5971c44ed529a03874d86ffa6d64d63e719c03cc6b

SHA512
a7d70fd24dfcb14eb6e2a89668564189beb91649bc02096c085cbc88f690100c277a5b989f42a8b1036f82c62bc5b337f5affbd1620909e1c77ad0cee4d734b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\KAgentExt.dll

Filesize
76KB

MD5
0899ef5806179890c085b558db2c63dd

SHA1
4e4c91649945c47dce9335a9cfb1ede1da2e47eb

SHA256
30fd003b1ffb0a673ccf4b81fbf974504fd5c361a7a959746b863a201863cd18

SHA512
68eba32103508abc136239868620de89b5b16411e8868cddf7606673297cf087fb7720ca28d217662aadcb0ea5a105f000e48f7e6ea45f3027b65b45fa27821d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\KEventLog.dll

Filesize
128KB

MD5
e40db8437c308abfe09305933a92cec2

SHA1
77a3f4e991ca5ea48c9965f48bf735bbd55e7289

SHA256
dba05618ce322ea06a362208239d926ca07ebf8b149e1ff4b30494aff297770c

SHA512
478cc07f1fb1f3161a2633118a4226fd5cbe1a153aaed071d68105cf7b4a15ec365b92ad6028e5f5dd7658416b42135592d9e731db0599eec1a6b6cef2bd69a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\KPrtPng.exe

Filesize
104KB

MD5
c3a8623ab5785db5caa6f5280ce0b38f

SHA1
2f72b10dfda63ed4af8476b2247426873b026f0a

SHA256
7c77447a02cf1f7ebcbf756247716dd05c6617878c2a96285c6613bab7dc85b9

SHA512
93f8673098c26c20ccd64211b755f7896cdac5beeac03c99a9827d89b2967148feefe896bf81ac057325d4abc6fd9b30b0e611af09e9520be7fdb0c0e209f429

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\KaUsrTsk.exe

Filesize
316KB

MD5
61e0870e8352fc42a42e414ed55bf837

SHA1
b0ef19d08f40c77b2d31e9dd9aad087fd847a294

SHA256
501caa9f031da6a00bfefb5fe1123c730838e5d16476c103218b625935594e82

SHA512
aa52a44135095223ae4c0c00deffdba34ceebb693e3877af20d08cccc4d4270cab78b63ca6834e02b9abe676eb09a361a1a17dc5882c6d1aa072db7b1296b12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\KaseyaD.VXD

Filesize
30KB

MD5
2bdd2b147075c82b1f802f2c503fad22

SHA1
db1472b622e391c931b7f23d828c167023818edd

SHA256
82762843c454aee6002264f1074ac4108a8f4e53b2862fa463cc7ba7345e9949

SHA512
25d722253cf3724afa0b9baba4b8ec67ab4505b27420f3aed65999f5fe33a0bf2091a19ad9d6c4f8e9cfb857b06db0794cb4e90b1786a000cda38d0e9cf3f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\KaseyaD.ini

Filesize
2KB

MD5
3d8b610262459277622c3a3386a1c02b

SHA1
040550af4cbfe39c82fea4ba99ed011b69e478cf

SHA256
1529153a7259c1f855c932a487b809e357accee33ff5516b9c9b837f3dd5ecb5

SHA512
d13689e3380dea2b21deda5fcbedaf3bbd366d37e0885b6c37fffdf217ecb0176ee225136bf06a0c07550fd2ddc511c49fe85612245d2eb037a47588dc646079

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\KaseyaFW.ini

Filesize
2KB

MD5
110bcfd4a9b3ace873e40d41ad039b72

SHA1
5f652ecfb90311a8a2e5a52424d333cc6234f0e0

SHA256
04e0218852ef83d415f1497c56088ec001e3fb72af3b487dbe171be13c636c04

SHA512
fe9f8c2062f4c2280fd6aaab244d97047e53989ba5817911580744d86177fd42f812a402a740c346e891bdd2b95d2086de19b9822239da025860dfd263616f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\KaseyaSP.dll

Filesize
132KB

MD5
06559cafead9fd6554f2191cba5f535b

SHA1
678d3988cbd7ee0b6e0ac27496fc09f06eef8f40

SHA256
4c0745df2291f50653094fea956858ed4917b571f8c9625a63ad808e1616fb65

SHA512
d11a3b92269d595c1a9709087426911ded0b9a042b61b3dbf63f166dc7c793259ee99738cd002f20ec00e2232e9865c6ad46f0be3959bf089ba0b5ddd7f06019

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\LogParser.dll

Filesize
132KB

MD5
f97b6619d66d8c7dfe933d19bad26c30

SHA1
47ef3f568d01a291da2b67bf87085726457f7c9c

SHA256
092383b5ca5cdc01969e33f316a775be3bb39e68bd45b8f6cd8943f35383b242

SHA512
99c8c172870f6dc57870ad6a69df85c709bc0386b5e898d658bc8f2219e31324f2e2ac82a6ae4c85a65ddd58f5961ffb4fa3aa3e679ecb24b393f6c077f8a2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\kGetELMg64.exe

Filesize
94KB

MD5
07a4918403b3b96d9fdeba51ab3cc224

SHA1
268df049b2b19fbf2e2aae2085c85bd67c8dbc27

SHA256
b4acf11dac17dcc26c23f0f148491727056a29f0c22308478be92a8d04278fd5

SHA512
26c7b000984fd4b06b25b8554b4694c52d75a3c77a074509df6444c89befe40013b181262ea56bf3a8d1c7a8d08529c12ca7a13fb3cc36ba891958c589c242fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\pftw1.pkg

Filesize
926KB

MD5
3be27138201a97e10a702517ae21b875

SHA1
93f636d7738f3218793abef52db13483b1c1ac15

SHA256
6e4e9bccb952d2e6b3190ab58cc38379be21aadc66a11df1b8f05f225b2dc80e

SHA512
5fb465fe8526b3e2e883ebc2b2865bc20aefa69dee88934bca38e4c5d292950791d12f2c99dcda50b01fae932f1a7bb93d266b4be1663be9384f45fc8d677e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD40B.tmp\sporder.dll

Filesize
9KB

MD5
e2050130c7c0ec056a44237bbb8feb43

SHA1
8aab6d37d7b9663896c47b6fcc7fbf89781599df

SHA256
aa06892b2869b24218e21f87070abab39e177f0edfedc30fd9ae169e8faf23f9

SHA512
70507ef106ee91d5970c8ac351c060e329236f4920c96612a160b0db827e0354d5c5aaa096c2b77c301294b9ce680aadd5ade56ce345ad46779bd73901c581a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\plfD2B1.tmp

Filesize
5KB

MD5
cfaec980a3639a6b33704c0db20cb812

SHA1
e9402b1deb9293d51ea7a45ff5aea0f5bff1ea8f

SHA256
55023b00e2c2401272d0ad7b4b633814869483b6d939c5d4910e4ff18eeeee6c

SHA512
72bb65180098c195ea74c7dacf24500d98bbd872149e4247bdc98b3a12fabd2fd6846a61b7d30e610748d49348c347a1cec5939276e3a0b30703aeeb591017b2

Download Submit
memory/4404-294-0x0000000000EB0000-0x0000000000ED3000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads