Overview
overview
10Static
static
7584b319db0...3d.exe
windows7-x64
10584b319db0...3d.exe
windows10-2004-x64
10$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
3$TEMP/BroomSetup.exe
windows7-x64
7$TEMP/BroomSetup.exe
windows10-2004-x64
7$TEMP/syncUpd.exe
windows7-x64
10$TEMP/syncUpd.exe
windows10-2004-x64
10Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
12-03-2024 21:34
Behavioral task
behavioral1
Sample
584b319db0670f97d7283199bdbf18b14d9f0e9d74112eaa05d046d891b8cd3d.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
584b319db0670f97d7283199bdbf18b14d9f0e9d74112eaa05d046d891b8cd3d.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
$TEMP/BroomSetup.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$TEMP/BroomSetup.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
$TEMP/syncUpd.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$TEMP/syncUpd.exe
Resource
win10v2004-20240226-en
General
-
Target
$TEMP/syncUpd.exe
-
Size
200KB
-
MD5
c722591f624fb69970f246b8c81d830f
-
SHA1
85516decea5d6987bebe39cbadf36053beaf4bb0
-
SHA256
13cd1152a19fdac6581cac2bd822f34bd3026ea1783ff231e299b6d28c046a6a
-
SHA512
822584c5c8a0813af4d845e80919776c71a43464ab719d1c303ebaae6a8ed47763183566bedc9be2e8c44de8ee6fd62d1e12be471e5d5c73ae4b1dcdaa34a908
-
SSDEEP
3072:8PDOu5suCmavnBRsuP6GTdbB27zP6FtHPUxX1GOL3+:455zaPBRPPj27uPH8jzu
Malware Config
Extracted
stealc
http://185.172.128.145
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
KFBGCAKFHC.exepid process 1216 KFBGCAKFHC.exe -
Loads dropped DLL 3 IoCs
Processes:
syncUpd.execmd.exepid process 2008 syncUpd.exe 2008 syncUpd.exe 2456 cmd.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
KFBGCAKFHC.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KFBGCAKFHC.exe" KFBGCAKFHC.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
syncUpd.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString syncUpd.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 syncUpd.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
syncUpd.exeKFBGCAKFHC.exepid process 2008 syncUpd.exe 2008 syncUpd.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe 1216 KFBGCAKFHC.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
KFBGCAKFHC.exedescription pid process Token: SeDebugPrivilege 1216 KFBGCAKFHC.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
syncUpd.execmd.exeKFBGCAKFHC.execmd.exedescription pid process target process PID 2008 wrote to memory of 2456 2008 syncUpd.exe cmd.exe PID 2008 wrote to memory of 2456 2008 syncUpd.exe cmd.exe PID 2008 wrote to memory of 2456 2008 syncUpd.exe cmd.exe PID 2008 wrote to memory of 2456 2008 syncUpd.exe cmd.exe PID 2008 wrote to memory of 2848 2008 syncUpd.exe cmd.exe PID 2008 wrote to memory of 2848 2008 syncUpd.exe cmd.exe PID 2008 wrote to memory of 2848 2008 syncUpd.exe cmd.exe PID 2008 wrote to memory of 2848 2008 syncUpd.exe cmd.exe PID 2456 wrote to memory of 1216 2456 cmd.exe KFBGCAKFHC.exe PID 2456 wrote to memory of 1216 2456 cmd.exe KFBGCAKFHC.exe PID 2456 wrote to memory of 1216 2456 cmd.exe KFBGCAKFHC.exe PID 2456 wrote to memory of 1216 2456 cmd.exe KFBGCAKFHC.exe PID 1216 wrote to memory of 1836 1216 KFBGCAKFHC.exe cmd.exe PID 1216 wrote to memory of 1836 1216 KFBGCAKFHC.exe cmd.exe PID 1216 wrote to memory of 1836 1216 KFBGCAKFHC.exe cmd.exe PID 1216 wrote to memory of 1836 1216 KFBGCAKFHC.exe cmd.exe PID 1836 wrote to memory of 828 1836 cmd.exe PING.EXE PID 1836 wrote to memory of 828 1836 cmd.exe PING.EXE PID 1836 wrote to memory of 828 1836 cmd.exe PING.EXE PID 1836 wrote to memory of 828 1836 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\$TEMP\syncUpd.exe"C:\Users\Admin\AppData\Local\Temp\$TEMP\syncUpd.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KFBGCAKFHC.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\KFBGCAKFHC.exe"C:\Users\Admin\AppData\Local\Temp\KFBGCAKFHC.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\KFBGCAKFHC.exe4⤵
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30005⤵
- Runs ping.exe
PID:828
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IIEBKJECFC.exe"2⤵PID:2848
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
101KB
MD542b838cf8bdf67400525e128d917f6e0
SHA1a578f6faec738912dba8c41e7abe1502c46d0cae
SHA2560e4ffba62ce9a464aa1b7ff9f1e55ace8f51ff1e15102d856f801a81f8b4607d
SHA512f64b39d885375251ab7db72c57dc5b5095f0c6412169f1035d1f6a25b8415a2a01004d06bfa0267cf683ef7dea7a9f969ad43fde5a4376f1fcb65a57403433c0