Overview

Static: 10

Score  Sample                  Platform
10     kayflock-b...I2.dll     windows7-x64
1      kayflock-b...I2.dll     windows10-2004-x64
1      kayflock-b...nt.dll     windows7-x64
1      kayflock-b...nt.dll     windows10-2004-x64
1      kayflock-b...on.exe     windows7-x64
1      kayflock-b...on.exe     windows10-2004-x64
1      kayflock-b...ck.exe     windows7-x64
1      kayflock-b...ck.exe     windows10-2004-x64
7      kayflock-b...us.dll     windows7-x64
1      kayflock-b...us.dll     windows10-2004-x64
1      kayflock-b...ne.exe     windows10-2004-x64
1      kayflock-b...vc.exe     windows10-2004-x64
1      kayflock-b...er.exe     windows10-2004-x64
1      kayflock-b...ic.exe     windows7-x64
8      kayflock-b...ic.exe     windows10-2004-x64
8      kayflock-b...hh.exe     windows10-2004-x64
1      kayflock-b...ad.exe     windows10-2004-x64
1      kayflock-b...64.exe     windows10-2004-x64
1      kayflock-b...32.dll     windows10-2004-x64
1      kayflock-b...32.exe     windows10-2004-x64
1      kayflock-b...te.exe     windows10-2004-x64
7      kayflock-b...nt.dll     windows7-x64
1      kayflock-b...nt.dll     windows10-2004-x64
Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-04-2024 17:42
Behavioral tasks

Task          Sample                                                        Resource
behavioral1   kayflock-beta/Guna.UI2.dll                                    win7-20240221-en
behavioral2   kayflock-beta/Guna.UI2.dll                                    win10v2004-20240412-en
behavioral3   kayflock-beta/System.Management.dll                           win7-20240221-en
behavioral4   kayflock-beta/System.Management.dll                           win10v2004-20240412-en
behavioral5   kayflock-beta/byfron.exe                                      win7-20231129-en
behavioral6   kayflock-beta/byfron.exe                                      win10v2004-20240412-en
behavioral7   kayflock-beta/kayflock.exe                                    win7-20240221-en
behavioral8   kayflock-beta/kayflock.exe                                    win10v2004-20240226-en
behavioral9   kayflock-beta/nexus.dll                                       win7-20240221-en
behavioral10  kayflock-beta/nexus.dll                                       win10v2004-20240412-en
behavioral11  kayflock-beta/packages/ranks/HelpPane.exe                     win10v2004-20240412-en
behavioral12  kayflock-beta/packages/ranks/bfsvc.exe                        win10v2004-20240412-en
behavioral13  kayflock-beta/packages/ranks/explorer.exe                     win10v2004-20240412-en
behavioral14  kayflock-beta/packages/ranks/fullstack-magic.exe              win7-20240221-en
behavioral15  kayflock-beta/packages/ranks/fullstack-magic.exe              win10v2004-20240412-en
behavioral16  kayflock-beta/packages/ranks/hh.exe                           win10v2004-20240412-en
behavioral17  kayflock-beta/packages/ranks/notepad.exe                      win10v2004-20240412-en
behavioral18  kayflock-beta/packages/ranks/splwow64.exe                     win10v2004-20240412-en
behavioral19  kayflock-beta/packages/ranks/twain_32.dll                     win10v2004-20240412-en
behavioral20  kayflock-beta/packages/ranks/winhlp32.exe                     win10v2004-20240412-en
behavioral21  kayflock-beta/packages/ranks/write.exe                        win10v2004-20240226-en
behavioral22  kayflock-beta/runtimes/win/lib/net6.0/System.Management.dll   win7-20240221-en
behavioral23  kayflock-beta/runtimes/win/lib/net6.0/System.Management.dll   win10v2004-20240412-en
General

Target: kayflock-beta/packages/ranks/fullstack-magic.exe
Size: 1.4MB
MD5: 4a629a32c3cc21b2276bb0785713eb1e
SHA1: 7888df74655fcbd13b80cf614098f1a773596438
SHA256: 7e01d1f8f33c2df815d95078825da15efdeaa5cbd6a8556d8323c0d39ad0cd53
SHA512: 1f1765b9699aa1da93763d956b2cc110228a74f492fde210e27b4ec4b7b26c55fefc6dd5a4e73c8e324b2208be28f52b8261a64247cb42f8330c9cfea451570d
SSDEEP: 24576:Mc8sHmuATYC2ts1BsuZYrPNVfBAmNvf26ikntJMVoUx8AI8AKwsKI2+Xf:z3Hmu+B2ts1BsEYhVHpfCKMVoUiAI8Y
Malware Config
Signatures

- Sets service image path in registry (2 TTPs, 1 IoC)
  Processes: fullstack-magic.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"
  process: fullstack-magic.exe

- Suspicious behavior: LoadsDriver (1 IoC)
  Processes: fullstack-magic.exe
  pid: 2212
  process: fullstack-magic.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: fullstack-magic.exe
  description: Token: SeLoadDriverPrivilege
  pid: 2212
  process: fullstack-magic.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: fullstack-magic.exe, cmd.exe
  description                        pid   process              target process
  PID 2212 wrote to memory of 2624   2212  fullstack-magic.exe  cmd.exe
  PID 2212 wrote to memory of 2624   2212  fullstack-magic.exe  cmd.exe
  PID 2624 wrote to memory of 4900   2624  cmd.exe              certutil.exe
  PID 2624 wrote to memory of 4900   2624  cmd.exe              certutil.exe
  PID 2624 wrote to memory of 4444   2624  cmd.exe              find.exe
  PID 2624 wrote to memory of 4444   2624  cmd.exe              find.exe
  PID 2624 wrote to memory of 4968   2624  cmd.exe              find.exe
  PID 2624 wrote to memory of 4968   2624  cmd.exe              find.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe (PID 2212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"
  - Sets service image path in registry
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2624)
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe (PID 4900)
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5
    - C:\Windows\system32\find.exe (PID 4444)
      Command line: find /i /v "md5"
    - C:\Windows\system32\find.exe (PID 4968)
      Command line: find /i /v "certutil"