Analysis

  • max time kernel
    136s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-07-2024 19:51

General

  • Target

    KRNLWRD/Bunifu_UI_v1.5.3.dll

  • Size

    236KB

  • MD5

    2ecb51ab00c5f340380ecf849291dbcf

  • SHA1

    1a4dffbce2a4ce65495ed79eab42a4da3b660931

  • SHA256

    f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

  • SHA512

    e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

  • SSDEEP

    6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 10 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious behavior: LoadsDriver (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\KRNLWRD\Bunifu_UI_v1.5.3.dll,#1
    1⤵
      PID:4864
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3488
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3616
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.0.876959875\208107299" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efe910bf-3f84-42d3-9bd2-3e0b9d1f4ad8} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 1848 22671732958 gpu
          3⤵
            PID:816
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.1.294411086\1181997482" -parentBuildID 20230214051806 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7db6e34-8d43-4769-948b-37996eb15f74} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 2420 22664889358 socket
            3⤵
            • Checks processor information in registry
            PID:3292
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.2.1946644686\2006611847" -childID 1 -isForBrowser -prefsHandle 2804 -prefMapHandle 2872 -prefsLen 22383 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82239c95-efcb-4cac-8889-e4d952598027} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 2928 2267440bb58 tab
            3⤵
              PID:4024
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.3.1945501196\211493197" -childID 2 -isForBrowser -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df0da94f-e1ed-4200-ade7-bf0fc14afde3} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 4216 2266487ab58 tab
              3⤵
                PID:3112
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.4.1875177915\2059473520" -childID 3 -isForBrowser -prefsHandle 4996 -prefMapHandle 4844 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db4dae75-381a-4660-ae43-bb97d81e4589} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 5008 2267843d358 tab
                3⤵
                  PID:644
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.5.1961532415\1849618221" -childID 4 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c59e9886-3f60-4c2e-b88b-150a1301bab3} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 5144 2267843d958 tab
                  3⤵
                    PID:3816
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.6.290846209\677479575" -childID 5 -isForBrowser -prefsHandle 5432 -prefMapHandle 5428 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a337a6b8-7703-4851-b46f-443dbd5ae9fa} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 5440 2267843e858 tab
                    3⤵
                      PID:2340
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.7.1854213035\221402062" -childID 6 -isForBrowser -prefsHandle 5396 -prefMapHandle 3552 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6704c518-c8cd-47b4-8ab7-439e7d747a7a} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 5380 2266487c758 tab
                      3⤵
                        PID:1076

Network

MITRE ATT&CK Enterprise v15

Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp

                    Filesize

                    26KB

                    MD5

                    692e3d0d181fbea53ebb65297f1fddc6

                    SHA1

                    adb5805e22f1d2ae1a9aa54a501c7fce67176bc9

                    SHA256

                    c9f5af946fdba6d92e3445344b40af23bf8efecb0a26ad527f2e7f1bbab9badf

                    SHA512

                    30b360b119f064866ac70ab5475af17440e24c973496938a8ab41f8324df69e4d685b640714a761b18d2bc51b6a0a509ec2f38cc3d5531c791bb88df4f99f572

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs.js

                    Filesize

                    6KB

                    MD5

                    369f026eb554214ce07a0df94016b127

                    SHA1

                    9e01faa60c8049b0bb44f0a4181a298b43d6a1e9

                    SHA256

                    a3d705004495bc117f7632a4f5768e89d19beedae8be789cd741e7995d670f4d

                    SHA512

                    d8b18713f295163ad87e6340d2d16ba337ef6db86237725a75de7cec0c4ce72cd25b5926315b404928265c6b3bb11b5c97f5d9632e734ca66f5befeae3a41085

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs.js

                    Filesize

                    7KB

                    MD5

                    96d287cb47d336dcf7a5cab5b0a34190

                    SHA1

                    bb91d6e8cc28dd593608fbe05617179505c9bc23

                    SHA256

                    40cae401a16da67eaf661f36af506c468ef78e411f1c2f87b90a42bc6151303e

                    SHA512

                    891030f250ddb8b3ce5423ed2bc8ca45f08b2002878292e9512d77331ca12556d36a864c4b9cde5c1913e46443640c133aab225a296a67c5adb5158385509974

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

                    Filesize

                    1KB

                    MD5

                    f9b269a06cea89b97318b61c83061af8

                    SHA1

                    d355290479b0fe2b3eee5e9ab8c3ccb796ec9da3

                    SHA256

                    5584063008816ae8064f3f689384848d5ac76f730ba07f5227a215ba1a95bd3e

                    SHA512

                    52af437388402b5eeaa1045b70d30781db9049e324b3834700f2a257e64d5d3da25194b64a7dd3717a4a1bb9767aa2aaae10dded6cc70d22a9114929e05996db

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4

                    Filesize

                    1KB

                    MD5

                    589a549300e3f96917bcd0986f0985f1

                    SHA1

                    081e54acd33f2ba54c375a848ed93197f8efb17e

                    SHA256

                    b6e28249ddfcdbc0b08c29808518625625448bd09b01fe98d6322190c7b15905

                    SHA512

                    518a75b18ceb9f670731f10d4598aa0e7e0bea66f93b39f8b6839425daab8db248a1f98ef147d12017c17857a6305997b6846eef97207a54c6c622dc33d883e8