Analysis
- max time kernel: 70s
- max time network: 74s
- platform: windows7_x64
- resource: win7
- submitted: 07-07-2020 18:04
Static task: static1
Behavioral task: behavioral1
  Sample: kcfff.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: kcfff.exe
  Resource: win10v200430
General
- Target: kcfff.exe
- Size: 1.2MB
- MD5: 71e21f88a8027b66d18aefd18eb97da7
- SHA1: 2436535f99b2ecce872f60552742d845eeb75863
- SHA256: 31158724133cf00916cca2eb89ed79d453f1c9210cd79dbafaafcbc2eadba065
- SHA512: 3f8a32c729d470c94e085a98a0a2b3972a0682773fc51a8a65ce18d8861ea99c8177e13f448c1066627c750725938917c47d30f04a61fd9ce1505ac213cc2f5b
Malware Config
Signatures
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 3: ioc api.ipify.org
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid, process):
    1132 kcfff.exe
    1132 kcfff.exe
    1132 kcfff.exe
    360 portyu.exe
    360 portyu.exe
    360 portyu.exe
    1400 InstallUtil.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description; pid process -> target process; number of entries):
    PID 1132 wrote to memory of 1504; 1132 kcfff.exe -> cmd.exe; 4 entries
    PID 1504 wrote to memory of 1612; 1504 cmd.exe -> reg.exe; 4 entries
    PID 1132 wrote to memory of 360; 1132 kcfff.exe -> portyu.exe; 4 entries
    PID 360 wrote to memory of 1400; 360 portyu.exe -> InstallUtil.exe; 12 entries
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1132 kcfff.exe
    360 portyu.exe
- MassLogger log file (1 IoCs)
  Detects a log file produced by MassLogger.
  Processes:
    yara_rule: masslogger_log_file
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description; pid process):
    Token: SeDebugPrivilege; 1132 kcfff.exe
    Token: SeDebugPrivilege; 360 portyu.exe
    Token: SeDebugPrivilege; 1400 InstallUtil.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    360 portyu.exe
    1400 InstallUtil.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description; pid process -> target process):
    PID 360 set thread context of 1400; 360 portyu.exe -> InstallUtil.exe
- Adds Run entry to start application (2 TTPs, 2 IoCs)
  Processes (description; ioc; process):
    Key created; \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run; reg.exe
    Set value (str); \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\appd = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\portyu.exe"; reg.exe
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
Processes
- C:\Users\Admin\AppData\Local\Temp\kcfff.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\kcfff.exe"
  PID:1132
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v appd /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\portyu.exe"
    PID:1504
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v appd /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\portyu.exe"
      PID:1612
      - Adds Run entry to start application
  - C:\Users\Admin\portyu.exe
    Command line: "C:\Users\Admin\portyu.exe"
    PID:360
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      PID:1400
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Executes dropped EXE