Overview

Static analysis score: 10

Per-task scores (score, sample, platform); sample names are shown truncated as on the original page:

Score  Sample                 Platform
10     kayflock-beta.rar      windows7-x64
7      kayflock-beta.rar      windows10-2004-x64
3      kayflock-b...I2.dll    windows7-x64
1      kayflock-b...I2.dll    windows10-2004-x64
1      kayflock-b...nt.dll    windows7-x64
1      kayflock-b...nt.dll    windows10-2004-x64
1      kayflock-b...on.exe    windows7-x64
1      kayflock-b...on.exe    windows10-2004-x64
1      kayflock-b...ck.exe    windows7-x64
1      kayflock-b...ck.exe    windows10-2004-x64
7      kayflock-b...us.dll    windows7-x64
1      kayflock-b...us.dll    windows10-2004-x64
1      kayflock-b...ne.exe    windows10-2004-x64
1      kayflock-b...vc.exe    windows10-2004-x64
1      kayflock-b...er.exe    windows10-2004-x64
1      kayflock-b...ic.exe    windows7-x64
8      kayflock-b...ic.exe    windows10-2004-x64
8      kayflock-b...hh.exe    windows10-2004-x64
1      kayflock-b...ad.exe    windows10-2004-x64
1      kayflock-b...64.exe    windows10-2004-x64
1      kayflock-b...32.dll    windows10-2004-x64
1      kayflock-b...32.exe    windows10-2004-x64
1      kayflock-b...te.exe    windows10-2004-x64
7      kayflock-b...nt.dll    windows7-x64
1      kayflock-b...nt.dll    windows10-2004-x64
Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15-04-2024 06:42
Behavioral tasks

Task          Sample                                                       Resource
behavioral1   kayflock-beta.rar                                            win7-20240221-en
behavioral2   kayflock-beta.rar                                            win10v2004-20240412-en
behavioral3   kayflock-beta/Guna.UI2.dll                                   win7-20240220-en
behavioral4   kayflock-beta/Guna.UI2.dll                                   win10v2004-20240412-en
behavioral5   kayflock-beta/System.Management.dll                          win7-20240221-en
behavioral6   kayflock-beta/System.Management.dll                          win10v2004-20240412-en
behavioral7   kayflock-beta/byfron.exe                                     win7-20231129-en
behavioral8   kayflock-beta/byfron.exe                                     win10v2004-20240412-en
behavioral9   kayflock-beta/kayflock.exe                                   win7-20240221-en
behavioral10  kayflock-beta/kayflock.exe                                   win10v2004-20240412-en
behavioral11  kayflock-beta/nexus.dll                                      win7-20240220-en
behavioral12  kayflock-beta/nexus.dll                                      win10v2004-20240226-en
behavioral13  kayflock-beta/packages/ranks/HelpPane.exe                    win10v2004-20240412-en
behavioral14  kayflock-beta/packages/ranks/bfsvc.exe                       win10v2004-20240412-en
behavioral15  kayflock-beta/packages/ranks/explorer.exe                    win10v2004-20240412-en
behavioral16  kayflock-beta/packages/ranks/fullstack-magic.exe             win7-20240221-en
behavioral17  kayflock-beta/packages/ranks/fullstack-magic.exe             win10v2004-20240412-en
behavioral18  kayflock-beta/packages/ranks/hh.exe                          win10v2004-20240412-en
behavioral19  kayflock-beta/packages/ranks/notepad.exe                     win10v2004-20240412-en
behavioral20  kayflock-beta/packages/ranks/splwow64.exe                    win10v2004-20240412-en
behavioral21  kayflock-beta/packages/ranks/twain_32.dll                    win10v2004-20240412-en
behavioral22  kayflock-beta/packages/ranks/winhlp32.exe                    win10v2004-20240412-en
behavioral23  kayflock-beta/packages/ranks/write.exe                       win10v2004-20240412-en
behavioral24  kayflock-beta/runtimes/win/lib/net6.0/System.Management.dll  win7-20240221-en
behavioral25  kayflock-beta/runtimes/win/lib/net6.0/System.Management.dll  win10v2004-20240412-en
General
- Target: kayflock-beta/packages/ranks/fullstack-magic.exe
- Size: 1.4MB
- MD5: 4a629a32c3cc21b2276bb0785713eb1e
- SHA1: 7888df74655fcbd13b80cf614098f1a773596438
- SHA256: 7e01d1f8f33c2df815d95078825da15efdeaa5cbd6a8556d8323c0d39ad0cd53
- SHA512: 1f1765b9699aa1da93763d956b2cc110228a74f492fde210e27b4ec4b7b26c55fefc6dd5a4e73c8e324b2208be28f52b8261a64247cb42f8330c9cfea451570d
- SSDEEP: 24576:Mc8sHmuATYC2ts1BsuZYrPNVfBAmNvf26ikntJMVoUx8AI8AKwsKI2+Xf:z3Hmu+B2ts1BsEYhVHpfCKMVoUiAI8Y
Malware Config
Signatures
- Sets service image path in registry (2 TTPs, 1 IoC)
  Processes:
  Process             Description                                                                                                                                                                                  
  fullstack-magic.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"

- Suspicious behavior: LoadsDriver (1 IoC)
  Processes:
  PID   Process
  2248  fullstack-magic.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  Description                    PID   Process
  Token: SeLoadDriverPrivilege   2248  fullstack-magic.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: fullstack-magic.exe, cmd.exe
  Description                          PID   Process              Target process
  PID 2248 wrote to memory of 2832     2248  fullstack-magic.exe  cmd.exe
  PID 2248 wrote to memory of 2832     2248  fullstack-magic.exe  cmd.exe
  PID 2248 wrote to memory of 2832     2248  fullstack-magic.exe  cmd.exe
  PID 2832 wrote to memory of 2588     2832  cmd.exe              certutil.exe
  PID 2832 wrote to memory of 2588     2832  cmd.exe              certutil.exe
  PID 2832 wrote to memory of 2588     2832  cmd.exe              certutil.exe
  PID 2832 wrote to memory of 2692     2832  cmd.exe              find.exe
  PID 2832 wrote to memory of 2692     2832  cmd.exe              find.exe
  PID 2832 wrote to memory of 2692     2832  cmd.exe              find.exe
  PID 2832 wrote to memory of 1940     2832  cmd.exe              find.exe
  PID 2832 wrote to memory of 1940     2832  cmd.exe              find.exe
  PID 2832 wrote to memory of 1940     2832  cmd.exe              find.exe
  PID 2248 wrote to memory of 2672     2248  fullstack-magic.exe  WerFault.exe
  PID 2248 wrote to memory of 2672     2248  fullstack-magic.exe  WerFault.exe
  PID 2248 wrote to memory of 2672     2248  fullstack-magic.exe  WerFault.exe
Processes (process tree; the number in brackets is the nesting level)

- [1] C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"
  - Sets service image path in registry
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\system32\certutil.exe
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5

    - [3] C:\Windows\system32\find.exe
      Command line: find /i /v "md5"

    - [3] C:\Windows\system32\find.exe
      Command line: find /i /v "certutil"

  - [2] C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2248 -s 612
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/2248-1-0x0000000140000000-0x00000001405E8000-memory.dmp (filesize: 5.9MB)