Overview
overview
10Static
static
7f131584c3d...a6.exe
windows7-x64
10f131584c3d...a6.exe
windows10-2004-x64
10$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
3$TEMP/BroomSetup.exe
windows7-x64
7$TEMP/BroomSetup.exe
windows10-2004-x64
7$TEMP/syncUpd.exe
windows7-x64
10$TEMP/syncUpd.exe
windows10-2004-x64
10Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
12-03-2024 21:46
Behavioral task
behavioral1
Sample
f131584c3dd59f8b331ef31de998c7a20a97fb0e69192d0d3cf508f9ac0052a6.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f131584c3dd59f8b331ef31de998c7a20a97fb0e69192d0d3cf508f9ac0052a6.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
$TEMP/BroomSetup.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$TEMP/BroomSetup.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
$TEMP/syncUpd.exe
Resource
win7-20240221-en
General
-
Target
$TEMP/syncUpd.exe
-
Size
200KB
-
MD5
c722591f624fb69970f246b8c81d830f
-
SHA1
85516decea5d6987bebe39cbadf36053beaf4bb0
-
SHA256
13cd1152a19fdac6581cac2bd822f34bd3026ea1783ff231e299b6d28c046a6a
-
SHA512
822584c5c8a0813af4d845e80919776c71a43464ab719d1c303ebaae6a8ed47763183566bedc9be2e8c44de8ee6fd62d1e12be471e5d5c73ae4b1dcdaa34a908
-
SSDEEP
3072:8PDOu5suCmavnBRsuP6GTdbB27zP6FtHPUxX1GOL3+:455zaPBRPPj27uPH8jzu
Malware Config
Extracted
stealc
http://185.172.128.145
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
BGDBKKFHIE.exepid Process 1352 BGDBKKFHIE.exe -
Loads dropped DLL 3 IoCs
Processes:
syncUpd.execmd.exepid Process 2296 syncUpd.exe 2296 syncUpd.exe 1380 cmd.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
BGDBKKFHIE.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BGDBKKFHIE.exe" BGDBKKFHIE.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
syncUpd.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 syncUpd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString syncUpd.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
syncUpd.exeBGDBKKFHIE.exepid Process 2296 syncUpd.exe 2296 syncUpd.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe 1352 BGDBKKFHIE.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
BGDBKKFHIE.exedescription pid Process Token: SeDebugPrivilege 1352 BGDBKKFHIE.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
syncUpd.execmd.exeBGDBKKFHIE.execmd.exedescription pid Process procid_target PID 2296 wrote to memory of 1380 2296 syncUpd.exe 31 PID 2296 wrote to memory of 1380 2296 syncUpd.exe 31 PID 2296 wrote to memory of 1380 2296 syncUpd.exe 31 PID 2296 wrote to memory of 1380 2296 syncUpd.exe 31 PID 2296 wrote to memory of 2272 2296 syncUpd.exe 33 PID 2296 wrote to memory of 2272 2296 syncUpd.exe 33 PID 2296 wrote to memory of 2272 2296 syncUpd.exe 33 PID 2296 wrote to memory of 2272 2296 syncUpd.exe 33 PID 1380 wrote to memory of 1352 1380 cmd.exe 35 PID 1380 wrote to memory of 1352 1380 cmd.exe 35 PID 1380 wrote to memory of 1352 1380 cmd.exe 35 PID 1380 wrote to memory of 1352 1380 cmd.exe 35 PID 1352 wrote to memory of 1800 1352 BGDBKKFHIE.exe 36 PID 1352 wrote to memory of 1800 1352 BGDBKKFHIE.exe 36 PID 1352 wrote to memory of 1800 1352 BGDBKKFHIE.exe 36 PID 1352 wrote to memory of 1800 1352 BGDBKKFHIE.exe 36 PID 1800 wrote to memory of 956 1800 cmd.exe 38 PID 1800 wrote to memory of 956 1800 cmd.exe 38 PID 1800 wrote to memory of 956 1800 cmd.exe 38 PID 1800 wrote to memory of 956 1800 cmd.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\$TEMP\syncUpd.exe"C:\Users\Admin\AppData\Local\Temp\$TEMP\syncUpd.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BGDBKKFHIE.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Users\Admin\AppData\Local\Temp\BGDBKKFHIE.exe"C:\Users\Admin\AppData\Local\Temp\BGDBKKFHIE.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\BGDBKKFHIE.exe4⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30005⤵
- Runs ping.exe
PID:956
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe"2⤵PID:2272
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
101KB
MD542b838cf8bdf67400525e128d917f6e0
SHA1a578f6faec738912dba8c41e7abe1502c46d0cae
SHA2560e4ffba62ce9a464aa1b7ff9f1e55ace8f51ff1e15102d856f801a81f8b4607d
SHA512f64b39d885375251ab7db72c57dc5b5095f0c6412169f1035d1f6a25b8415a2a01004d06bfa0267cf683ef7dea7a9f969ad43fde5a4376f1fcb65a57403433c0
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571