75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248

General

Target

75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
Size

56KB
MD5

254ffe1185bbcd04bf92b11b22208890
SHA1

7655ca62b46f1ab8b71cb979147743e6260f56dd
SHA256

75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248
SHA512

1ab674c0c57e835ab42bd2a8e80cb0d7b10f2a15083d5f08190dc231398814b9ead4446583697ea622c91984a5502304da8e770110d9523bf2aa5b072ac4bd36
SSDEEP

1536:SOccX9QgnRt9UdLw6BNMyBhXZxHJ6P6D5p/G:Kgz07JjD5p/

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

kaolio.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kaolio.exe

Executes dropped EXE 1 IoCs

Processes:

kaolio.exe

pid process

2900 kaolio.exe

Loads dropped DLL 2 IoCs

Processes:

75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe

pid	process
384	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
384	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kaolio.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /m"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /w"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /s"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /r"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /a"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /j"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /b"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /B"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /l"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /g"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /h"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /M"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /q"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /o"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /e"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /D"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /R"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /C"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /E"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /I"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /U"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /S"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /W"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /y"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /z"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /Y"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /p"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /t"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /T"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /A"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /O"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /x"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /P"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /H"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /n"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /N"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /L"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /Z"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /f"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /J"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /F"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /d"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /k"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /G"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /u"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /Q"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /i"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /X"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /c"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /K"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /V"	kaolio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaolio = "C:\\Users\\Admin\\kaolio.exe /v"	kaolio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kaolio.exe

pid	process
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe
2900	kaolio.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exekaolio.exe

pid process

384 75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
2900 kaolio.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exekaolio.exe

description	pid	process	target process
PID 384 wrote to memory of 2900	384	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe	kaolio.exe
PID 384 wrote to memory of 2900	384	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe	kaolio.exe
PID 384 wrote to memory of 2900	384	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe	kaolio.exe
PID 384 wrote to memory of 2900	384	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe	kaolio.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 2900 wrote to memory of 384	2900	kaolio.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe

C:\Users\Admin\AppData\Local\Temp\75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
"C:\Users\Admin\AppData\Local\Temp\75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\kaolio.exe
"C:\Users\Admin\kaolio.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\kaolio.exe
Filesize
56KB

MD5
ecfbb50e47d390e278538c1c97776189

SHA1
2131577e174ad116fac51767e65eb80f6b55c835

SHA256
5f12ec222bdd2aef7f21dd0d185edd646a097e06e2694ca91570094e0cffc9ee

SHA512
3d4196071b38ff271d63ce782ddd0fb6a2a068c7c8bedb36ea709ff376154d8c592178fd399f0e45dc10d8722c5026eb623dbb007c09a419e8071119105c3b45

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads