Overview

Score  Task                 Platform
10     Static               static
10     kayflock-beta.rar    windows7-x64
7      kayflock-beta.rar    windows10-2004-x64
3      kayflock-b...I2.dll  windows7-x64
1      kayflock-b...I2.dll  windows10-2004-x64
1      kayflock-b...nt.dll  windows7-x64
1      kayflock-b...nt.dll  windows10-2004-x64
1      kayflock-b...on.exe  windows7-x64
1      kayflock-b...on.exe  windows10-2004-x64
1      kayflock-b...ck.exe  windows7-x64
1      kayflock-b...ck.exe  windows10-2004-x64
7      kayflock-b...us.dll  windows7-x64
1      kayflock-b...us.dll  windows10-2004-x64
1      kayflock-b...ne.exe  windows10-2004-x64
1      kayflock-b...vc.exe  windows10-2004-x64
1      kayflock-b...er.exe  windows10-2004-x64
1      kayflock-b...ic.exe  windows7-x64
8      kayflock-b...ic.exe  windows10-2004-x64
8      kayflock-b...hh.exe  windows10-2004-x64
1      kayflock-b...ad.exe  windows10-2004-x64
1      kayflock-b...64.exe  windows10-2004-x64
1      kayflock-b...32.dll  windows10-2004-x64
1      kayflock-b...32.exe  windows10-2004-x64
1      kayflock-b...te.exe  windows10-2004-x64
7      kayflock-b...nt.dll  windows7-x64
1      kayflock-b...nt.dll  windows10-2004-x64
Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-04-2024 06:42
Behavioral tasks

Task          Sample                                                       Resource
behavioral1   kayflock-beta.rar                                            win7-20240221-en
behavioral2   kayflock-beta.rar                                            win10v2004-20240412-en
behavioral3   kayflock-beta/Guna.UI2.dll                                   win7-20240220-en
behavioral4   kayflock-beta/Guna.UI2.dll                                   win10v2004-20240412-en
behavioral5   kayflock-beta/System.Management.dll                          win7-20240221-en
behavioral6   kayflock-beta/System.Management.dll                          win10v2004-20240412-en
behavioral7   kayflock-beta/byfron.exe                                     win7-20231129-en
behavioral8   kayflock-beta/byfron.exe                                     win10v2004-20240412-en
behavioral9   kayflock-beta/kayflock.exe                                   win7-20240221-en
behavioral10  kayflock-beta/kayflock.exe                                   win10v2004-20240412-en
behavioral11  kayflock-beta/nexus.dll                                      win7-20240220-en
behavioral12  kayflock-beta/nexus.dll                                      win10v2004-20240226-en
behavioral13  kayflock-beta/packages/ranks/HelpPane.exe                    win10v2004-20240412-en
behavioral14  kayflock-beta/packages/ranks/bfsvc.exe                       win10v2004-20240412-en
behavioral15  kayflock-beta/packages/ranks/explorer.exe                    win10v2004-20240412-en
behavioral16  kayflock-beta/packages/ranks/fullstack-magic.exe             win7-20240221-en
behavioral17  kayflock-beta/packages/ranks/fullstack-magic.exe             win10v2004-20240412-en
behavioral18  kayflock-beta/packages/ranks/hh.exe                          win10v2004-20240412-en
behavioral19  kayflock-beta/packages/ranks/notepad.exe                     win10v2004-20240412-en
behavioral20  kayflock-beta/packages/ranks/splwow64.exe                    win10v2004-20240412-en
behavioral21  kayflock-beta/packages/ranks/twain_32.dll                    win10v2004-20240412-en
behavioral22  kayflock-beta/packages/ranks/winhlp32.exe                    win10v2004-20240412-en
behavioral23  kayflock-beta/packages/ranks/write.exe                       win10v2004-20240412-en
behavioral24  kayflock-beta/runtimes/win/lib/net6.0/System.Management.dll  win7-20240221-en
behavioral25  kayflock-beta/runtimes/win/lib/net6.0/System.Management.dll  win10v2004-20240412-en
General

Target: kayflock-beta.rar
Size: 9.9MB
MD5: 97aa3a079dd9755550f3dc33b5cfc215
SHA1: 68706f4f9fada471773b87c051c1d0bbc0da1ac6
SHA256: 9ecbf28720a944bdd3f3c20cdb3f4da7f40da903b651be520348e01a8efa2504
SHA512: bb94b7252d1eaf201ec3bac6ed154159c30c69759d9683866be1be4ee6c173581eb5ab033e5fb346dfb0eb811ec850204ae2b925d125230579c6978e7737990a
SSDEEP: 196608:I9wZUrLVz1Ik1+pfk/1eAD5kh7mv486rCujLl/yvhEW9NZ1elAbinuDll:FY1zWk/1XD5Y7VPjhyvSWHZ1AGinGll
Malware Config
Signatures

Executes dropped EXE (5 IoCs)
Processes (pid, process):
  2732  kayflock.exe
  2708  kayflock.exe
  2460  kayflock.exe
  2492  kayflock.exe
  876   kayflock.exe

Loads dropped DLL (5 IoCs)
Processes (pid, process):
  2592  7zFM.exe  (5 entries)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid, process):
  2592  7zFM.exe  (5 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
  2592  7zFM.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes (description, pid, process):
  Token: SeRestorePrivilege   2592  7zFM.exe
  Token: 35                   2592  7zFM.exe
  Token: SeSecurityPrivilege  2592  7zFM.exe  (5 entries)

Suspicious use of FindShellTrayWindow (6 IoCs)
Processes (pid, process):
  2592  7zFM.exe  (6 entries)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description, pid, process, target process):
  PID 2276 wrote to memory of 2592  2276  cmd.exe   7zFM.exe      (3 entries)
  PID 2592 wrote to memory of 2732  2592  7zFM.exe  kayflock.exe  (3 entries)
  PID 2592 wrote to memory of 2708  2592  7zFM.exe  kayflock.exe  (3 entries)
  PID 2592 wrote to memory of 2460  2592  7zFM.exe  kayflock.exe  (3 entries)
  PID 2592 wrote to memory of 2492  2592  7zFM.exe  kayflock.exe  (3 entries)
  PID 2592 wrote to memory of 876   2592  7zFM.exe  kayflock.exe  (3 entries)
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\kayflock-beta.rar
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\7-Zip\7zFM.exe
      Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kayflock-beta.rar"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\7zO02A40E76\kayflock.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\7zO02A40E76\kayflock.exe"
         - Executes dropped EXE

      3. C:\Users\Admin\AppData\Local\Temp\7zO02ADDF46\kayflock.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\7zO02ADDF46\kayflock.exe"
         - Executes dropped EXE

      3. C:\Users\Admin\AppData\Local\Temp\7zO02AF2046\kayflock.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\7zO02AF2046\kayflock.exe"
         - Executes dropped EXE

      3. C:\Users\Admin\AppData\Local\Temp\7zO02AB7156\kayflock.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\7zO02AB7156\kayflock.exe"
         - Executes dropped EXE

      3. C:\Users\Admin\AppData\Local\Temp\7zO02A2F056\kayflock.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\7zO02A2F056\kayflock.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

\Users\Admin\AppData\Local\Temp\7zO02A40E76\kayflock.exe
Filesize: 253KB
MD5: 2ea6211ab19482dddf2b32fdeddfe409
SHA1: bfb9ab42d59ec933d1ebb8674bc697faaa99a52e
SHA256: 7a25def99b85f8486606ec7eb4d52395308afcc930e7b2df23897022b1d6baf1
SHA512: e54d8b6db035ab9274c3f3a00474cf19d1543eb19f1c8eb89e11e33ddc6d675648201a70f495e6ddc0da4d71f17f01e3f6d77d5264effe1f0c46877379933bae