Overview
Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-04-2024 17:42
Behavioral tasks
Task | Sample | Resource
behavioral1 | kayflock-beta/Guna.UI2.dll | win7-20240221-en
behavioral2 | kayflock-beta/Guna.UI2.dll | win10v2004-20240412-en
behavioral3 | kayflock-beta/System.Management.dll | win7-20240221-en
behavioral4 | kayflock-beta/System.Management.dll | win10v2004-20240412-en
behavioral5 | kayflock-beta/byfron.exe | win7-20231129-en
behavioral6 | kayflock-beta/byfron.exe | win10v2004-20240412-en
behavioral7 | kayflock-beta/kayflock.exe | win7-20240221-en
behavioral8 | kayflock-beta/kayflock.exe | win10v2004-20240226-en
behavioral9 | kayflock-beta/nexus.dll | win7-20240221-en
behavioral10 | kayflock-beta/nexus.dll | win10v2004-20240412-en
behavioral11 | kayflock-beta/packages/ranks/HelpPane.exe | win10v2004-20240412-en
behavioral12 | kayflock-beta/packages/ranks/bfsvc.exe | win10v2004-20240412-en
behavioral13 | kayflock-beta/packages/ranks/explorer.exe | win10v2004-20240412-en
behavioral14 | kayflock-beta/packages/ranks/fullstack-magic.exe | win7-20240221-en
behavioral15 | kayflock-beta/packages/ranks/fullstack-magic.exe | win10v2004-20240412-en
behavioral16 | kayflock-beta/packages/ranks/hh.exe | win10v2004-20240412-en
behavioral17 | kayflock-beta/packages/ranks/notepad.exe | win10v2004-20240412-en
behavioral18 | kayflock-beta/packages/ranks/splwow64.exe | win10v2004-20240412-en
behavioral19 | kayflock-beta/packages/ranks/twain_32.dll | win10v2004-20240412-en
behavioral20 | kayflock-beta/packages/ranks/winhlp32.exe | win10v2004-20240412-en
behavioral21 | kayflock-beta/packages/ranks/write.exe | win10v2004-20240226-en
behavioral22 | kayflock-beta/runtimes/win/lib/net6.0/System.Management.dll | win7-20240221-en
behavioral23 | kayflock-beta/runtimes/win/lib/net6.0/System.Management.dll | win10v2004-20240412-en
General
- Target: kayflock-beta/packages/ranks/fullstack-magic.exe
- Size: 1.4MB
- MD5: 4a629a32c3cc21b2276bb0785713eb1e
- SHA1: 7888df74655fcbd13b80cf614098f1a773596438
- SHA256: 7e01d1f8f33c2df815d95078825da15efdeaa5cbd6a8556d8323c0d39ad0cd53
- SHA512: 1f1765b9699aa1da93763d956b2cc110228a74f492fde210e27b4ec4b7b26c55fefc6dd5a4e73c8e324b2208be28f52b8261a64247cb42f8330c9cfea451570d
- SSDEEP: 24576:Mc8sHmuATYC2ts1BsuZYrPNVfBAmNvf26ikntJMVoUx8AI8AKwsKI2+Xf:z3Hmu+B2ts1BsEYhVHpfCKMVoUiAI8Y
Malware Config
Signatures
- Sets service image path in registry (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" | fullstack-magic.exe
- Suspicious behavior: LoadsDriver (1 IoC)
  Processes:
  pid | process
  1800 | fullstack-magic.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeLoadDriverPrivilege | 1800 | fullstack-magic.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description | pid | process | target process
  PID 1800 wrote to memory of 1792 | 1800 | fullstack-magic.exe | cmd.exe
  PID 1800 wrote to memory of 1792 | 1800 | fullstack-magic.exe | cmd.exe
  PID 1800 wrote to memory of 1792 | 1800 | fullstack-magic.exe | cmd.exe
  PID 1792 wrote to memory of 1300 | 1792 | cmd.exe | certutil.exe
  PID 1792 wrote to memory of 1300 | 1792 | cmd.exe | certutil.exe
  PID 1792 wrote to memory of 1300 | 1792 | cmd.exe | certutil.exe
  PID 1792 wrote to memory of 1680 | 1792 | cmd.exe | find.exe
  PID 1792 wrote to memory of 1680 | 1792 | cmd.exe | find.exe
  PID 1792 wrote to memory of 1680 | 1792 | cmd.exe | find.exe
  PID 1792 wrote to memory of 2396 | 1792 | cmd.exe | find.exe
  PID 1792 wrote to memory of 2396 | 1792 | cmd.exe | find.exe
  PID 1792 wrote to memory of 2396 | 1792 | cmd.exe | find.exe
  PID 1800 wrote to memory of 2572 | 1800 | fullstack-magic.exe | WerFault.exe
  PID 1800 wrote to memory of 2572 | 1800 | fullstack-magic.exe | WerFault.exe
  PID 1800 wrote to memory of 2572 | 1800 | fullstack-magic.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"
  - Sets service image path in registry
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe (depth 3)
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5
    - C:\Windows\system32\find.exe (depth 3)
      Command line: find /i /v "md5"
    - C:\Windows\system32\find.exe (depth 3)
      Command line: find /i /v "certutil"
  - C:\Windows\system32\WerFault.exe (depth 2)
    Command line: C:\Windows\system32\WerFault.exe -u -p 1800 -s 1240
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1800-1-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize: 5.9MB)