e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0

General

Target

e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe
Size

6.7MB
MD5

c0dd70119d34658012e0d7ef729a7bd2
SHA1

e5ecc6f81a1b17f23fe51c960329abe2996c9a88
SHA256

e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0
SHA512

04b9403641ec0ada0f45e12f1e02639e3ed8219d6f9172459827f0546a2b88367492da2ad94bed0420ee579bf44110445e0f1554d6a86606144f5cac53b4d764
SSDEEP

196608:zD4AHp6hoSPoCINv+9KEMsWk+yMC1qKZtpez8:n4VhoCoC+jzsT1q8a8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1176	KDPlayAutoServiceC3.exe
2336	KDPlayMain.exe

Loads dropped DLL 5 IoCs

pid	Process
2536	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe
2536	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe
2536	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe
2536	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe
2536	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2536-0-0x0000000001080000-0x0000000001E72000-memory.dmp	upx
behavioral1/memory/2536-23-0x0000000001080000-0x0000000001E72000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auto_Agent_KDPlayC3 = "C:\\Users\\Admin\\AppData\\Local\\KDPlay\\KDPlayAutoServiceC3.exe"	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	KDPlayMain.exe
File opened (read-only)	\??\N:	KDPlayMain.exe
File opened (read-only)	\??\O:	KDPlayMain.exe
File opened (read-only)	\??\S:	KDPlayMain.exe
File opened (read-only)	\??\U:	KDPlayMain.exe
File opened (read-only)	\??\E:	KDPlayMain.exe
File opened (read-only)	\??\G:	KDPlayMain.exe
File opened (read-only)	\??\P:	KDPlayMain.exe
File opened (read-only)	\??\T:	KDPlayMain.exe
File opened (read-only)	\??\W:	KDPlayMain.exe
File opened (read-only)	\??\Z:	KDPlayMain.exe
File opened (read-only)	\??\H:	KDPlayMain.exe
File opened (read-only)	\??\M:	KDPlayMain.exe
File opened (read-only)	\??\R:	KDPlayMain.exe
File opened (read-only)	\??\V:	KDPlayMain.exe
File opened (read-only)	\??\X:	KDPlayMain.exe
File opened (read-only)	\??\Y:	KDPlayMain.exe
File opened (read-only)	\??\I:	KDPlayMain.exe
File opened (read-only)	\??\J:	KDPlayMain.exe
File opened (read-only)	\??\K:	KDPlayMain.exe
File opened (read-only)	\??\Q:	KDPlayMain.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KDPlayMain.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KDPlayAutoServiceC3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2336	KDPlayMain.exe
2336	KDPlayMain.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2336	KDPlayMain.exe
2336	KDPlayMain.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2336	KDPlayMain.exe
2336	KDPlayMain.exe
2336	KDPlayMain.exe
2336	KDPlayMain.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1176	2536	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe	29
PID 2536 wrote to memory of 1176	2536	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe	29
PID 2536 wrote to memory of 1176	2536	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe	29
PID 2536 wrote to memory of 1176	2536	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe	29
PID 2536 wrote to memory of 2336	2536	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe	30
PID 2536 wrote to memory of 2336	2536	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe	30
PID 2536 wrote to memory of 2336	2536	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe	30
PID 2536 wrote to memory of 2336	2536	e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe	30

C:\Users\Admin\AppData\Local\Temp\e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe
"C:\Users\Admin\AppData\Local\Temp\e3a2e885318921c0a494667c83af6bcdb258760e0ba9e4fc88489a25f1479ff0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\KDPlay\KDPlayAutoServiceC3.exe
  "C:\Users\Admin\AppData\Local\KDPlay\KDPlayAutoServiceC3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1176
- C:\Users\Admin\AppData\Local\KDPlay\KDPlayMain.exe
  "C:\Users\Admin\AppData\Local\KDPlay\KDPlayMain.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KDPlay\KDPlayAutoServiceC3.exe

Filesize
1.6MB

MD5
e547bdd081f7bdc001a3320b84a44655

SHA1
2e7f6a55222fa0c50b999b88775bc513145540c0

SHA256
dc2e1838eb3253b51f8f6be418fab5155c8758728453f0bf6e0581c81abf95e7

SHA512
db3f3d7a1ee3c7ee5ba921d9bb24c5026f0d532064321f6fb7f49fd6efa025465bafb03d7fc2da8fa13ca967527e4b18abcf5bbb24c9d17f93d3cb37ad242ed2

Download Submit
C:\Users\Admin\AppData\Local\KDPlay\KDPlayMain.exe

Filesize
12.1MB

MD5
21403a081abd8de2acabea1e0d5db490

SHA1
863300a304a37eb88dd65b98f00ef63708a21e30

SHA256
b503ce1c14d15ed2f532bf4ed2bd0f4b12fcc8b33173a67c52cea0ed3b5e7e57

SHA512
e7a3020d8114bf003a2652c1923b326d64e06988e588e777eb71fc9b68ac8244ad0252af04ce3ab0056bcac5c2d25eb7e2b2c8b7d36482de7ffdc43772ddfeb4

Download Submit
memory/2536-0-0x0000000001080000-0x0000000001E72000-memory.dmp

Filesize
13.9MB

Download
memory/2536-4-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2536-23-0x0000000001080000-0x0000000001E72000-memory.dmp

Filesize
13.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads