9ecbf28720a944bdd3f3c20cdb3f4da7f40da903b651be520348e01a8efa2504

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kayflock-beta.rar
Size

9.9MB
MD5

97aa3a079dd9755550f3dc33b5cfc215
SHA1

68706f4f9fada471773b87c051c1d0bbc0da1ac6
SHA256

9ecbf28720a944bdd3f3c20cdb3f4da7f40da903b651be520348e01a8efa2504
SHA512

bb94b7252d1eaf201ec3bac6ed154159c30c69759d9683866be1be4ee6c173581eb5ab033e5fb346dfb0eb811ec850204ae2b925d125230579c6978e7737990a
SSDEEP

196608:I9wZUrLVz1Ik1+pfk/1eAD5kh7mv486rCujLl/yvhEW9NZ1elAbinuDll:FY1zWk/1XD5Y7VPjhyvSWHZ1AGinGll

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

kayflock.exekayflock.exekayflock.exekayflock.exekayflock.exe

pid process

2732 kayflock.exe
2708 kayflock.exe
2460 kayflock.exe
2492 kayflock.exe
876 kayflock.exe
Loads dropped DLL 5 IoCs

Processes:

7zFM.exe

pid process

2592 7zFM.exe
2592 7zFM.exe
2592 7zFM.exe
2592 7zFM.exe
2592 7zFM.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

7zFM.exe

pid process

2592 7zFM.exe
2592 7zFM.exe
2592 7zFM.exe
2592 7zFM.exe
2592 7zFM.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2592 7zFM.exe

pid	process
2732	kayflock.exe
2708	kayflock.exe
2460	kayflock.exe
2492	kayflock.exe
876	kayflock.exe

pid	process
2592	7zFM.exe
2592	7zFM.exe
2592	7zFM.exe
2592	7zFM.exe
2592	7zFM.exe

pid	process
2592	7zFM.exe
2592	7zFM.exe
2592	7zFM.exe
2592	7zFM.exe
2592	7zFM.exe

pid	process
2592	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

7zFM.exe

description	pid	process
Token: SeRestorePrivilege	2592	7zFM.exe
Token: 35	2592	7zFM.exe
Token: SeSecurityPrivilege	2592	7zFM.exe
Token: SeSecurityPrivilege	2592	7zFM.exe
Token: SeSecurityPrivilege	2592	7zFM.exe
Token: SeSecurityPrivilege	2592	7zFM.exe
Token: SeSecurityPrivilege	2592	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

7zFM.exe

pid process

2592 7zFM.exe
2592 7zFM.exe
2592 7zFM.exe
2592 7zFM.exe
2592 7zFM.exe
2592 7zFM.exe

pid	process
2592	7zFM.exe
2592	7zFM.exe
2592	7zFM.exe
2592	7zFM.exe
2592	7zFM.exe
2592	7zFM.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exe7zFM.exe

description	pid	process	target process
PID 2276 wrote to memory of 2592	2276	cmd.exe	7zFM.exe
PID 2276 wrote to memory of 2592	2276	cmd.exe	7zFM.exe
PID 2276 wrote to memory of 2592	2276	cmd.exe	7zFM.exe
PID 2592 wrote to memory of 2732	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 2732	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 2732	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 2708	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 2708	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 2708	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 2460	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 2460	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 2460	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 2492	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 2492	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 2492	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 876	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 876	2592	7zFM.exe	kayflock.exe
PID 2592 wrote to memory of 876	2592	7zFM.exe	kayflock.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\kayflock-beta.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kayflock-beta.rar"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Local\Temp\7zO02A40E76\kayflock.exe
"C:\Users\Admin\AppData\Local\Temp\7zO02A40E76\kayflock.exe"
3⤵
- Executes dropped EXE
PID:2732

C:\Users\Admin\AppData\Local\Temp\7zO02ADDF46\kayflock.exe
"C:\Users\Admin\AppData\Local\Temp\7zO02ADDF46\kayflock.exe"
3⤵
- Executes dropped EXE
PID:2708

C:\Users\Admin\AppData\Local\Temp\7zO02AF2046\kayflock.exe
"C:\Users\Admin\AppData\Local\Temp\7zO02AF2046\kayflock.exe"
3⤵
- Executes dropped EXE
PID:2460

C:\Users\Admin\AppData\Local\Temp\7zO02AB7156\kayflock.exe
"C:\Users\Admin\AppData\Local\Temp\7zO02AB7156\kayflock.exe"
3⤵
- Executes dropped EXE
PID:2492

C:\Users\Admin\AppData\Local\Temp\7zO02A2F056\kayflock.exe
"C:\Users\Admin\AppData\Local\Temp\7zO02A2F056\kayflock.exe"
3⤵
- Executes dropped EXE
PID:876

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\7zO02A40E76\kayflock.exe
Filesize
253KB

MD5
2ea6211ab19482dddf2b32fdeddfe409

SHA1
bfb9ab42d59ec933d1ebb8674bc697faaa99a52e

SHA256
7a25def99b85f8486606ec7eb4d52395308afcc930e7b2df23897022b1d6baf1

SHA512
e54d8b6db035ab9274c3f3a00474cf19d1543eb19f1c8eb89e11e33ddc6d675648201a70f495e6ddc0da4d71f17f01e3f6d77d5264effe1f0c46877379933bae

Download Submit