Malware Analysis Report

2024-11-13 16:14

Sample ID 240413-wdfr5afc28
Target kayflock-beta.rar
SHA256 9ecbf28720a944bdd3f3c20cdb3f4da7f40da903b651be520348e01a8efa2504
Tags agilenet agenttesla persistence
Score 10/10

Analysis Overview

Score 10/10

SHA256 9ecbf28720a944bdd3f3c20cdb3f4da7f40da903b651be520348e01a8efa2504

Threat Level: Known bad

The file kayflock-beta.rar was found to be: Known bad.

Malicious Activity Summary

agilenet agenttesla persistence

AgentTesla payload

Agenttesla family

Sets service image path in registry

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

Enumerates system info in registry

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-13 17:48

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

Network


Files

memory/2116-0-0x000001EB3FD20000-0x000001EB40C3E000-memory.dmp

memory/2116-1-0x00007FFA36590000-0x00007FFA37051000-memory.dmp

memory/2116-2-0x00007FFA36590000-0x00007FFA37051000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

151s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\nexus.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\nexus.dll,#1

Network


Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

130s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\winhlp32.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\helppane.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\helppane.exe N/A
N/A N/A C:\Windows\helppane.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 528 wrote to memory of 2544 N/A C:\Windows\helppane.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 528 wrote to memory of 2544 N/A C:\Windows\helppane.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\winhlp32.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\winhlp32.exe"

C:\Windows\helppane.exe

C:\Windows\helppane.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=4280,i,17229298512878960157,13441031190071685883,262144 --variations-seed-version --mojo-platform-channel-handle=2404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5008,i,17229298512878960157,13441031190071685883,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5796,i,17229298512878960157,13441031190071685883,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,17229298512878960157,13441031190071685883,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5072,i,17229298512878960157,13441031190071685883,262144 --variations-seed-version --mojo-platform-channel-handle=5820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=5516,i,17229298512878960157,13441031190071685883,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5948,i,17229298512878960157,13441031190071685883,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:8

Network


Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\Guna.UI2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\Guna.UI2.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

134s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\Guna.UI2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\Guna.UI2.dll,#1

Network


Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\System.Management.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\System.Management.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

124s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\bfsvc.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\bfsvc.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\bfsvc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4116,i,7447082786332118630,10839110169592584063,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:8

Network


Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

92s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\explorer.exe"

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\explorer.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\explorer.exe"

Network


Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\splwow64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\splwow64.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\splwow64.exe"

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\twain_32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3776 wrote to memory of 1216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3776 wrote to memory of 1216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3776 wrote to memory of 1216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\twain_32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\twain_32.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network


Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\runtimes\win\lib\net6.0\System.Management.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\runtimes\win\lib\net6.0\System.Management.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

113s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\System.Management.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\System.Management.dll,#1

Network


Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win7-20240221-en

Max time kernel

120s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\nexus.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\nexus.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2240 -s 504

Network

N/A

Files

memory/2240-0-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

memory/2240-1-0x0000000000DE0000-0x0000000001CFE000-memory.dmp

memory/2240-2-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\notepad.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\notepad.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\notepad.exe"

Network


Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"

Signatures

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\cmd.exe
PID 2412 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\cmd.exe
PID 2412 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1200 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1200 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1200 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1200 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1200 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1200 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1200 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1200 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2412 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\WerFault.exe
PID 2412 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\WerFault.exe
PID 2412 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2412 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 23.14.90.91:80 apps.identrust.com tcp
N/A 127.0.0.1:49188 tcp
N/A 127.0.0.1:49190 tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp

Files

memory/2412-1-0x0000000140000000-0x00000001405E8000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"

Signatures

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
N/A 127.0.0.1:54848 tcp
N/A 127.0.0.1:54850 tcp
US 104.26.0.5:443 keyauth.win tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 5.0.26.104.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

134s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\hh.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\hh.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\hh.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\write.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\write.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\write.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\write.exe"

C:\Program Files\Windows NT\Accessories\wordpad.exe

"C:\Program Files\Windows NT\Accessories\wordpad.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\runtimes\win\lib\net6.0\System.Management.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\runtimes\win\lib\net6.0\System.Management.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 40.42.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win7-20240221-en

Max time kernel

119s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419192479" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000001655481ec736ee010a46363d0125252f30d712e50ee449f0fa393b02896ccc2f000000000e8000000002000020000000452bd5fc8f1f92850f78852d17f2493e79270b8c0578213120320b74c3c94093200000004c16d3957c8d4d7f509e90be8d86c3dd92ee2b045b3db26ac9624a3b1cf71f0d4000000085dc86e5048dd2a7e05416d6755de1ddfe123db1aa69d2ddef48b4d2e39341a7c728b321bd7d164a037018fa28c0e14bf1b3c0d061adcb78aa7a281e151ee617 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{44C5ACA1-F9BE-11EE-8698-5E73522EB9B5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1088661ccb8dda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=6.0.28&gui=true

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 aka.ms udp
IE 2.18.238.120:443 aka.ms tcp
IE 2.18.238.120:443 aka.ms tcp
IE 2.18.238.120:443 aka.ms tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 i.pinimg.com udp
BE 23.41.178.74:443 i.pinimg.com tcp
US 8.8.8.8:53 74.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

memory/4648-0-0x00007FFBE9C30000-0x00007FFBEA12E000-memory.dmp

memory/4648-1-0x00007FFBE9C30000-0x00007FFBEA12E000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-13 17:48

Reported

2024-04-13 17:52

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\HelpPane.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\HelpPane.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\HelpPane.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

N/A