Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-04-2024 06:42

General

  • Target

    kayflock-beta.rar

  • Size

    9.9MB

  • MD5

    97aa3a079dd9755550f3dc33b5cfc215

  • SHA1

    68706f4f9fada471773b87c051c1d0bbc0da1ac6

  • SHA256

    9ecbf28720a944bdd3f3c20cdb3f4da7f40da903b651be520348e01a8efa2504

  • SHA512

    bb94b7252d1eaf201ec3bac6ed154159c30c69759d9683866be1be4ee6c173581eb5ab033e5fb346dfb0eb811ec850204ae2b925d125230579c6978e7737990a

  • SSDEEP

    196608:I9wZUrLVz1Ik1+pfk/1eAD5kh7mv486rCujLl/yvhEW9NZ1elAbinuDll:FY1zWk/1XD5Y7VPjhyvSWHZ1AGinGll

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\kayflock-beta.rar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kayflock-beta.rar"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Users\Admin\AppData\Local\Temp\7zO02A40E76\kayflock.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO02A40E76\kayflock.exe"
        3⤵
        • Executes dropped EXE
        PID:2732
      • C:\Users\Admin\AppData\Local\Temp\7zO02ADDF46\kayflock.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO02ADDF46\kayflock.exe"
        3⤵
        • Executes dropped EXE
        PID:2708
      • C:\Users\Admin\AppData\Local\Temp\7zO02AF2046\kayflock.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO02AF2046\kayflock.exe"
        3⤵
        • Executes dropped EXE
        PID:2460
      • C:\Users\Admin\AppData\Local\Temp\7zO02AB7156\kayflock.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO02AB7156\kayflock.exe"
        3⤵
        • Executes dropped EXE
        PID:2492
      • C:\Users\Admin\AppData\Local\Temp\7zO02A2F056\kayflock.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO02A2F056\kayflock.exe"
        3⤵
        • Executes dropped EXE
        PID:876

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Downloads

  • \Users\Admin\AppData\Local\Temp\7zO02A40E76\kayflock.exe
    Filesize

    253KB

    MD5

    2ea6211ab19482dddf2b32fdeddfe409

    SHA1

    bfb9ab42d59ec933d1ebb8674bc697faaa99a52e

    SHA256

    7a25def99b85f8486606ec7eb4d52395308afcc930e7b2df23897022b1d6baf1

    SHA512

    e54d8b6db035ab9274c3f3a00474cf19d1543eb19f1c8eb89e11e33ddc6d675648201a70f495e6ddc0da4d71f17f01e3f6d77d5264effe1f0c46877379933bae