Overview
overview
6Static
static
3KRLN/Bunif....3.dll
windows7-x64
1KRLN/Bunif....3.dll
windows10-2004-x64
1KRLN/KRNL Remake.exe
windows7-x64
6KRLN/KRNL Remake.exe
windows10-2004-x64
6KRLN/Visua...ol.dll
windows7-x64
1KRLN/Visua...ol.dll
windows10-2004-x64
1KRLN/bin/M...o.html
windows7-x64
3KRLN/bin/M...o.html
windows10-2004-x64
3KRLN/bin/M...ain.js
windows7-x64
3KRLN/bin/M...ain.js
windows10-2004-x64
3KRLN/bin/M...lua.js
windows7-x64
3KRLN/bin/M...lua.js
windows10-2004-x64
3KRLN/bin/M...ain.js
windows7-x64
3KRLN/bin/M...ain.js
windows10-2004-x64
3KRLN/bin/M....de.js
windows7-x64
3KRLN/bin/M....de.js
windows10-2004-x64
3KRLN/bin/M....es.js
windows7-x64
3KRLN/bin/M....es.js
windows10-2004-x64
3KRLN/bin/M....fr.js
windows7-x64
3KRLN/bin/M....fr.js
windows10-2004-x64
3KRLN/bin/M....it.js
windows7-x64
3KRLN/bin/M....it.js
windows10-2004-x64
3KRLN/bin/M....ja.js
windows7-x64
3KRLN/bin/M....ja.js
windows10-2004-x64
3KRLN/bin/M...nls.js
windows7-x64
3KRLN/bin/M...nls.js
windows10-2004-x64
3KRLN/bin/M....ko.js
windows7-x64
3KRLN/bin/M....ko.js
windows10-2004-x64
3KRLN/bin/M....ru.js
windows7-x64
3KRLN/bin/M....ru.js
windows10-2004-x64
3KRLN/bin/M...-cn.js
windows7-x64
3KRLN/bin/M...-cn.js
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-10-2024 21:40
Static task
static1
Behavioral task
behavioral1
Sample
KRLN/Bunifu_UI_v1.5.3.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
KRLN/Bunifu_UI_v1.5.3.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
KRLN/KRNL Remake.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
KRLN/KRNL Remake.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
KRLN/VisualStudioTabControl.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
KRLN/VisualStudioTabControl.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
KRLN/bin/Monaco/Monaco.html
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral8
Sample
KRLN/bin/Monaco/Monaco.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
KRLN/bin/Monaco/vs/base/worker/workerMain.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
KRLN/bin/Monaco/vs/base/worker/workerMain.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
KRLN/bin/Monaco/vs/basic-languages/lua/lua.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral12
Sample
KRLN/bin/Monaco/vs/basic-languages/lua/lua.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
KRLN/bin/Monaco/vs/editor/editor.main.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
KRLN/bin/Monaco/vs/editor/editor.main.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.de.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.de.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.es.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.es.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.fr.js
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral20
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.fr.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.it.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.it.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.ja.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral24
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.ja.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.ko.js
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral28
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.ko.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.ru.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.ru.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.zh-cn.js
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral32
Sample
KRLN/bin/Monaco/vs/editor/editor.main.nls.zh-cn.js
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
KRLN/KRNL Remake.exe
-
Size
506KB
-
MD5
e827bd09934709f4955b0e7ea4509ae7
-
SHA1
4c7364758d5891c10fd603cbf104b0e9413ff4b1
-
SHA256
2ffc609f2556ed208c7aea6e4217c9c1e337e4004c1c0981bf455953d0b8a34e
-
SHA512
e17d5a319d5e6725297bf95683aad15dd72604c0d70b6bf4a438cb07ac6fec8c5dd42209961f0ebaf14fbd64735569f25092f7df1a50b43bd8c6d121decfa55f
-
SSDEEP
3072:vfTc9bvGjdh559dJ12QcVXqLRY3pClghBCWyyCzn8sZL3l4gxHC2E+JQLujdX:v8GvL9d2VaLa3pClghtyV8sug5Iu
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: KRNL Remake.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main KRNL Remake.exe -
Modifies registry class 40 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000002359a5291100557365727300600008000400efbeee3a851a2359a5292a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a00310000000000555907ad102054656d700000360008000400efbe2359a529555907ad2a000000ff010000000002000000000000000000000000000000540065006d007000000014000000 KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = 4a00310000000000555907ad10204b524c4e0000360008000400efbe555907ad555907ad2a000000818701000000080000000000000000000000000000004b0052004c004e00000014000000 KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0 = 5200310000000000555907ad102073637269707473003c0008000400efbe555907ad555907ad2a00000088a401000000050000000000000000000000000000007300630072006900700074007300000016000000 KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c00310000000000555907ad10204c6f63616c00380008000400efbe2359a529555907ad2a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000 KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\MRUListEx = ffffffff KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0 KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 KRNL Remake.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\NodeSlot = "1" KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags KRNL Remake.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000002359772f100041646d696e00380008000400efbe2359a5292359772f2a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000 KRNL Remake.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000002359a529122041707044617461003c0008000400efbe2359a5292359a5292a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000016000000 KRNL Remake.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 KRNL Remake.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" KRNL Remake.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3044 KRNL Remake.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3044 KRNL Remake.exe -
Suspicious use of SetWindowsHookEx 24 IoCs
pid Process 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe 3044 KRNL Remake.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\KRLN\KRNL Remake.exe"C:\Users\Admin\AppData\Local\Temp\KRLN\KRNL Remake.exe"1⤵
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3044