Overview

overview

10

Static

static

10

kayflock-b...I2.dll

windows7-x64

1

kayflock-b...I2.dll

windows10-2004-x64

1

kayflock-b...nt.dll

windows7-x64

1

kayflock-b...nt.dll

windows10-2004-x64

1

kayflock-b...on.exe

windows7-x64

1

kayflock-b...on.exe

windows10-2004-x64

1

kayflock-b...ck.exe

windows7-x64

1

kayflock-b...ck.exe

windows10-2004-x64

7

kayflock-b...us.dll

windows7-x64

1

kayflock-b...us.dll

windows10-2004-x64

1

kayflock-b...ne.exe

windows10-2004-x64

1

kayflock-b...vc.exe

windows10-2004-x64

1

kayflock-b...er.exe

windows10-2004-x64

1

kayflock-b...ic.exe

windows7-x64

8

kayflock-b...ic.exe

windows10-2004-x64

8

kayflock-b...hh.exe

windows10-2004-x64

1

kayflock-b...ad.exe

windows10-2004-x64

1

kayflock-b...64.exe

windows10-2004-x64

1

kayflock-b...32.dll

windows10-2004-x64

1

kayflock-b...32.exe

windows10-2004-x64

1

kayflock-b...te.exe

windows10-2004-x64

7

kayflock-b...nt.dll

windows7-x64

1

kayflock-b...nt.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-04-2024 17:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    kayflock-beta/packages/ranks/fullstack-magic.exe

  • Size

    1.4MB

  • MD5

    4a629a32c3cc21b2276bb0785713eb1e

  • SHA1

    7888df74655fcbd13b80cf614098f1a773596438

  • SHA256

    7e01d1f8f33c2df815d95078825da15efdeaa5cbd6a8556d8323c0d39ad0cd53

  • SHA512

    1f1765b9699aa1da93763d956b2cc110228a74f492fde210e27b4ec4b7b26c55fefc6dd5a4e73c8e324b2208be28f52b8261a64247cb42f8330c9cfea451570d

  • SSDEEP

    24576:Mc8sHmuATYC2ts1BsuZYrPNVfBAmNvf26ikntJMVoUx8AI8AKwsKI2+Xf:z3Hmu+B2ts1BsEYhVHpfCKMVoUiAI8Y

Score
8/10
persistence

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe
    "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5
        3⤵
          PID:4900
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:4444
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:4968

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads