Overview

overview

8

Static

static

1

Kylaron Setup.zip

windows11-21h2-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Kylaron Setup.zip

  • Size

    68.7MB

  • Sample

    240625-jzbn3s1elj

  • MD5

    d30213d3476fbc08d6588b8ba54c4d34

  • SHA1

    18b6bfc50c3fa99c4dd74dabc21f10269ba628d6

  • SHA256

    fab28509b161700c0394c76057c7dc10b39049f320589f1aa20ebf1ee10e2b31

  • SHA512

    68b98a8ce093173c76be59f14b1f653997d88fedcc538e5caaa70febb146266131c107926f9e334c5694c748cc75f77f22acaff8112c846af3a1d1b8af738b9b

  • SSDEEP

    1572864:vWrdissOoJTHS0ADZ4ogW2IHaJmw2NY8Vvp8QRhgfF:vWZisMTyDDF2IHGDoXVvWQ7IF

Score
8/10
discoveryexecutionpersistenceprivilege_escalationspywarestealer

Malware Config

Targets

    • Target

      Kylaron Setup.zip

    • Size

      68.7MB

    • MD5

      d30213d3476fbc08d6588b8ba54c4d34

    • SHA1

      18b6bfc50c3fa99c4dd74dabc21f10269ba628d6

    • SHA256

      fab28509b161700c0394c76057c7dc10b39049f320589f1aa20ebf1ee10e2b31

    • SHA512

      68b98a8ce093173c76be59f14b1f653997d88fedcc538e5caaa70febb146266131c107926f9e334c5694c748cc75f77f22acaff8112c846af3a1d1b8af738b9b

    • SSDEEP

      1572864:vWrdissOoJTHS0ADZ4ogW2IHaJmw2NY8Vvp8QRhgfF:vWZisMTyDDF2IHGDoXVvWQ7IF

    Score
    8/10
    discoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Process Discovery

1
T1057

Query Registry

6
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks