Analysis
max time kernel: 145s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 15:49
Behavioral task: behavioral1
Sample: 6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c.exe
Resource: win10v2004-20220812-en
General
Target: 6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c.exe
Size: 69KB
MD5: 9ea38549db22318be6020b7e6c82c2d2
SHA1: 0a36f31f09abbd16b433a4ed3965b9be2ff45a48
SHA256: 6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c
SHA512: 8b11de3c8feb278c302c7d6792dc9f19862a6b66f0fb7768cb416ee823e66d1aff2b9407c4e823a0e03ea924058aa61a5856cbb10906978e8950c326e6d19061
SSDEEP: 1536:4aIdJ8LqMbEwOLc3tfnbvTzkeOFjlkHzrbq:4ah3bEwOLc3tfnvzk1vq2
Malware Config
Signatures
Drops file in Drivers directory (2 IoCs)
Processes:
  description                   ioc                                    process
  File opened for modification  C:\Windows\SysWOW64\drivers\kyjs.sys   6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c.exe
  File created                  C:\Windows\SysWOW64\drivers\kyjs.sys   6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svdra\ImagePath = "system32\\drivers\\kyjs.sys"   6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c.exe
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3036-132-0x0000000000400000-0x000000000041F000-memory.dmp  upx
  behavioral2/memory/3036-138-0x0000000000400000-0x000000000041F000-memory.dmp  upx
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  4076  rundll32.exe
  3416  Rundll32.exe
Drops file in System32 directory (2 IoCs)
Processes:
  description                   ioc                             process
  File created                  C:\Windows\SysWOW64\GBuK.dll    6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c.exe
  File opened for modification  C:\Windows\SysWOW64\GBuK.dll    6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c.exe
Suspicious behavior: LoadsDriver (1 IoCs)
Processes:
  pid   process
  652   (not recorded)
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid   process
  3416  Rundll32.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  3416  Rundll32.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process                                                                process target
  PID 3036 wrote to memory of 4076   3036  6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c.exe  rundll32.exe
  PID 3036 wrote to memory of 4076   3036  6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c.exe  rundll32.exe
  PID 3036 wrote to memory of 4076   3036  6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c.exe  rundll32.exe
  PID 4076 wrote to memory of 3416   4076  rundll32.exe                                                           Rundll32.exe
  PID 4076 wrote to memory of 3416   4076  rundll32.exe                                                           Rundll32.exe
  PID 4076 wrote to memory of 3416   4076  rundll32.exe                                                           Rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6f69a8ba90daa34a130d97c4f61089a46d21cfaed2b02422f0f1cf89ef0e5f2c.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\GBuK.dll,DllRegisterServer
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Rundll32.exe
      command line: C:\Windows\system32\Rundll32.exe C:\Windows\system32\GBuK.dll,DllUnregisterServer
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\GBuK.dll
  Filesize: 48KB
  MD5: 9bb2b0480d12899117c5fda1b8950368
  SHA1: 2a2f9ad09609f977ec0d2e7cd27f046dd9440f20
  SHA256: 1e4ea30cfa80f871a114a2a310eb0793ad9dcfc0cc3e95e3e40aead79876f665
  SHA512: 542077b391dc40cd69c3b357a0cbf0dfbc7c289fd7cb7cdcbf155ece8705e769927702bd3838ad1fde88085ed0de6e08c4b1f1aa6b6a71d667b9dcbf03d1e7eb
- memory/3036-132-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/3036-138-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/3416-136-0x0000000000000000-mapping.dmp
- memory/4076-133-0x0000000000000000-mapping.dmp