Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    19-06-2024 12:51

General

  • Target

    KRNLWRD/Bunifu_UI_v1.5.3.dll

  • Size

    236KB

  • MD5

    2ecb51ab00c5f340380ecf849291dbcf

  • SHA1

    1a4dffbce2a4ce65495ed79eab42a4da3b660931

  • SHA256

    f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

  • SHA512

    e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

  • SSDEEP

    6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\KRNLWRD\Bunifu_UI_v1.5.3.dll,#1
    1⤵
      PID:3924
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:400
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.0.1877460799\233232541" -parentBuildID 20230214051806 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a2f93c1-c76e-4556-8043-92c08a452b7e} 400 "\\.\pipe\gecko-crash-server-pipe.400" 1864 27523823758 gpu
          3⤵
            PID:820
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.1.1191054025\814040386" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d31d169-44f7-42fb-a5b8-4cd9e8b6fca2} 400 "\\.\pipe\gecko-crash-server-pipe.400" 2388 27516b8ab58 socket
            3⤵
            • Checks processor information in registry
            PID:4688
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.2.1825621224\400646370" -childID 1 -isForBrowser -prefsHandle 1616 -prefMapHandle 1420 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f275c03d-d9bf-4340-8ab3-135f846b9392} 400 "\\.\pipe\gecko-crash-server-pipe.400" 1636 275261ed258 tab
            3⤵
              PID:4044
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.3.1288006851\749531096" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9f0a06f-480c-4acb-b586-ec1ce39ba460} 400 "\\.\pipe\gecko-crash-server-pipe.400" 3604 27516b3e858 tab
              3⤵
                PID:4408
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.4.395930320\963948689" -childID 3 -isForBrowser -prefsHandle 5080 -prefMapHandle 5076 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {302d658a-7ed3-4ba7-8866-d14070b667eb} 400 "\\.\pipe\gecko-crash-server-pipe.400" 5088 2752ba5d058 tab
                3⤵
                  PID:3780
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.5.1626553764\1974809881" -childID 4 -isForBrowser -prefsHandle 5188 -prefMapHandle 5192 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {711db885-2672-46b4-8f1a-b56056701889} 400 "\\.\pipe\gecko-crash-server-pipe.400" 5176 2752ba5e558 tab
                  3⤵
                    PID:2384
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.6.1759953785\1416742266" -childID 5 -isForBrowser -prefsHandle 5380 -prefMapHandle 5388 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21672683-21f2-4f9c-9420-60e70716fe66} 400 "\\.\pipe\gecko-crash-server-pipe.400" 5372 2752bafd358 tab
                    3⤵
                      PID:1648
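Every behavioural signature in this report is attributed to the firefox.exe lineage (PIDs 2328, 400 and 4688), not to the rundll32.exe process (PID 3924) that hosts the submitted DLL, and the Task Scheduler signature is attributed to no process at all. The following script is an added example (not part of the original report and not sandbox-vendor code) that transcribes the process tree above and splits the signatures into those raised under the sample's own lineage, those raised under unrelated environment processes, and those the report leaves unattributed. The parent links follow the depth markers (1, 2, 3) in the tree; child command lines are abbreviated to their role token, and the `Proc` record and helper names are this example's own.

```python
"""Attribute a sandbox report's behavioural signatures to process lineages.

Added example, not code from the original report or from the sandbox vendor.
The process records are transcribed from the report's Processes section; the
depth markers (1, 2, 3) in that tree define the parent links used here.
"""
from __future__ import annotations

from dataclasses import dataclass, field

FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
RUNDLL32 = r"C:\Windows\system32\rundll32.exe"


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str                # command line as shown in the report (children abbreviated)
    parent: int | None          # None for a top-level (depth-1) process
    signatures: list[str] = field(default_factory=list)


# Transcribed from the report: PIDs, parents and the per-process signature list.
# Child firefox.exe command lines are abbreviated here to their role token.
PROCESSES = [
    Proc(3924, RUNDLL32,
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\KRNLWRD\Bunifu_UI_v1.5.3.dll,#1",
         None),
    Proc(2328, FIREFOX, f'"{FIREFOX}"', None,
         ["Suspicious use of WriteProcessMemory"]),
    Proc(400, FIREFOX, f'"{FIREFOX}"', 2328, [
        "Checks processor information in registry",
        "Modifies registry class",
        "Suspicious use of AdjustPrivilegeToken",
        "Suspicious use of FindShellTrayWindow",
        "Suspicious use of SendNotifyMessage",
        "Suspicious use of SetWindowsHookEx",
        "Suspicious use of WriteProcessMemory",
    ]),
    Proc(820, FIREFOX, f'"{FIREFOX}" -contentproc (abbreviated) gpu', 400),
    Proc(4688, FIREFOX, f'"{FIREFOX}" -contentproc (abbreviated) socket', 400,
         ["Checks processor information in registry"]),
    Proc(4044, FIREFOX, f'"{FIREFOX}" -contentproc (abbreviated) tab', 400),
    Proc(4408, FIREFOX, f'"{FIREFOX}" -contentproc (abbreviated) tab', 400),
    Proc(3780, FIREFOX, f'"{FIREFOX}" -contentproc (abbreviated) tab', 400),
    Proc(2384, FIREFOX, f'"{FIREFOX}" -contentproc (abbreviated) tab', 400),
    Proc(1648, FIREFOX, f'"{FIREFOX}" -contentproc (abbreviated) tab', 400),
]

# Signatures the report lists without attributing them to any process.
UNATTRIBUTED = ["Uses Task Scheduler COM API"]


def root_pid(by_pid: dict[int, Proc], pid: int) -> int:
    """Walk parent links up to the top-level process of this lineage."""
    while by_pid[pid].parent is not None:
        pid = by_pid[pid].parent
    return pid


def signatures_by_lineage(processes: list[Proc]) -> dict[int, set[str]]:
    """Map each top-level PID to the union of signatures raised anywhere below it."""
    by_pid = {p.pid: p for p in processes}
    out: dict[int, set[str]] = {}
    for p in processes:
        out.setdefault(root_pid(by_pid, p.pid), set()).update(p.signatures)
    return out


def sample_lineage_signatures(processes: list[Proc], sample_marker: str) -> set[str]:
    """Signatures raised by lineages whose top-level command line references the sample."""
    by_pid = {p.pid: p for p in processes}
    return {
        sig
        for root, sigs in signatures_by_lineage(processes).items()
        if sample_marker in by_pid[root].cmdline
        for sig in sigs
    }


def triage(processes: list[Proc], sample_marker: str) -> dict[str, list[str]]:
    """Split the report's signatures into sample-attributable, environment noise and unattributed."""
    by_pid = {p.pid: p for p in processes}
    from_sample = sample_lineage_signatures(processes, sample_marker)
    noise: set[str] = set()
    for root, sigs in signatures_by_lineage(processes).items():
        if sample_marker not in by_pid[root].cmdline:
            noise |= sigs
    return {
        "sample": sorted(from_sample),
        "environment_noise": sorted(noise - from_sample),
        "unattributed": list(UNATTRIBUTED),
    }


if __name__ == "__main__":
    for bucket, sigs in triage(PROCESSES, "Bunifu_UI_v1.5.3.dll").items():
        print(f"{bucket}: {sigs}")
```

Run against this report, the sample bucket is empty: the rundll32.exe lineage raised nothing, all seven attributed signatures come from the browser, and the Task Scheduler signature cannot be tied to the submitted DLL from the report alone. That is consistent with the 1/10 score and is the check worth repeating before treating any of these signatures as evidence against the sample.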

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\activity-stream.discovery_stream.json

    Filesize
    26KB

    MD5
    ec7f12f05f8c1344cdb344c32e48cfa4

    SHA1
    da37a1da62feb108410401b3de644f8f40fd75aa

    SHA256
    9e23c348b605e8e9ca46906bf9df5103bb165f2240f70c4a9230a98ff6cd1530

    SHA512
    1e3474a97570c3001e3c3751378a50121d31b2f2d1d48b305ba6ca22c1271f915ea56b2e64a99bf3fcf4d1ffe2321cf44d5fd867a1accf75be7edf8b81ef721d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js

    Filesize
    7KB

    MD5
    de0de659d785081529ef66e30df1abcf

    SHA1
    1f30044529b320667f4961e5c20de3a52b9b75ba

    SHA256
    807c732fbb3b2642bb80b15228df13e2332959dbf48093e4fea801649df1713d

    SHA512
    da9613651715259967cadd30ee79c66386057cc42b03e98dc75ec2e294fe0cc47155de01e8768e81923784711013886b6a3903bfed731c8558355e27d2b97d16

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore.jsonlz4

    Filesize
    903B

    MD5
    f9bc53fbbd738de0429d123c0e14275b

    SHA1
    423b53deb9b3ac64f8da23fe5a7b6436487e2829

    SHA256
    aa93eb737cb2d61686870a707931d863705d93469571ff38d4aba5b98896b892

    SHA512
    3eabd8e1220f7a32e9b574a35e1a5a2485558787e6cbaa4f1fcce1961fd81e68527d07e3bcc80cb7d42099b2f9c6c0e0a66d0ba74d4b0051bfe7343fe581da92