Analysis
max time kernel: 149s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 20:32
Static task: static1
Behavioral task: behavioral1
  Sample: 554e23a2acc2789058c991870cc3a97fcd83022b6c641ac9fac6ac51029485e3.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 554e23a2acc2789058c991870cc3a97fcd83022b6c641ac9fac6ac51029485e3.exe
  Resource: win10v2004-20240508-en
General
Target: 554e23a2acc2789058c991870cc3a97fcd83022b6c641ac9fac6ac51029485e3.exe
Size: 405KB
MD5: 00de695ced3264cbd334cb3ddd8b3234
SHA1: 71f620acc41aef0462acc4d568fc02599a9bde42
SHA256: 554e23a2acc2789058c991870cc3a97fcd83022b6c641ac9fac6ac51029485e3
SHA512: 7c41a6cc3a3a89fdf6f763e1c6de9278d46e0ff2119690dd61414c1495471ab05fc3c7b0478d15057803e0b019c653c85c44447594a47e949d2ee6aa42e576c4
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Signatures

Blocklisted process makes network request (8 IoCs)
Processes:
  flow  pid   process
  26    4056  rundll32.exe
  36    4056  rundll32.exe
  37    4056  rundll32.exe
  38    4056  rundll32.exe
  52    4056  rundll32.exe
  53    4056  rundll32.exe
  62    4056  rundll32.exe
  79    4056  rundll32.exe

Deletes itself (1 IoC)
Processes:
  pid   process
  4768  yfkmn.exe

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  4768  yfkmn.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  4056  rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      process       ioc
  Set value (str)  rundll32.exe  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\kzbdp\\fibdt.dll\",Verify"

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              process       ioc (23 drive roots, every letter except c:, d: and f:)
  File opened (read-only)  rundll32.exe  \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                     process       ioc
  File opened for modification    rundll32.exe  \??\PHYSICALDRIVE0
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  pid   process
  4056  rundll32.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description                   process    ioc
  File opened for modification  yfkmn.exe  \??\c:\Program Files\kzbdp
  File created                  yfkmn.exe  \??\c:\Program Files\kzbdp\fibdt.dll

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        process       ioc
  Key opened         rundll32.exe  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried  rundll32.exe  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process       hits
  4056  rundll32.exe  64

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   4056  rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  4432  554e23a2acc2789058c991870cc3a97fcd83022b6c641ac9fac6ac51029485e3.exe
  4768  yfkmn.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                      pid   process                                                                 target pid  target process
  PID 4432 wrote to memory of 2428 (x3)  4432  554e23a2acc2789058c991870cc3a97fcd83022b6c641ac9fac6ac51029485e3.exe  2428        cmd.exe
  PID 2428 wrote to memory of 1092 (x3)  2428  cmd.exe                                                                 1092        PING.EXE
  PID 2428 wrote to memory of 4768 (x3)  2428  cmd.exe                                                                 4768        yfkmn.exe
  PID 4768 wrote to memory of 4056 (x3)  4768  yfkmn.exe                                                               4056        rundll32.exe
Processes
(process tree; indentation shows parent/child depth, the bracketed number is the depth recorded by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\554e23a2acc2789058c991870cc3a97fcd83022b6c641ac9fac6ac51029485e3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\554e23a2acc2789058c991870cc3a97fcd83022b6c641ac9fac6ac51029485e3.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\yfkmn.exe "C:\Users\Admin\AppData\Local\Temp\554e23a2acc2789058c991870cc3a97fcd83022b6c641ac9fac6ac51029485e3.exe"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 2
        - Runs ping.exe

    [3] C:\Users\Admin\AppData\Local\Temp\yfkmn.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\yfkmn.exe "C:\Users\Admin\AppData\Local\Temp\554e23a2acc2789058c991870cc3a97fcd83022b6c641ac9fac6ac51029485e3.exe"
        - Deletes itself
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] \??\c:\windows\SysWOW64\rundll32.exe
          Command line: c:\windows\system32\rundll32.exe "c:\Program Files\kzbdp\fibdt.dll",Verify C:\Users\Admin\AppData\Local\Temp\yfkmn.exe
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Adds Run key to start application
          - Enumerates connected drives
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
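Two living-off-the-land patterns in the tree above are worth turning into hunting logic: the Run value Dotx, which re-launches the dropped DLL through rundll32.exe with the export name Verify (the command line names c:\windows\system32\rundll32.exe, but the 32-bit parent is redirected to the SysWOW64 copy, which is why the image path differs), and the cmd.exe /c ping 127.0.0.1 -n 2& chain, in which a loopback ping acts as a roughly one-second sleep so the original executable can exit before yfkmn.exe, handed the original path as its argument, removes it (the "Deletes itself" signature). The following is an added example, not code from the sandbox vendor or from the sample: it parses both shapes and flags them. The C:\Windows and user-writable prefixes are assumptions for a default install, and the two benign control entries are constructed. Note also that creating c:\Program Files\kzbdp normally needs an elevated token, so the same sample on a standard-user desktop may fall back to a different drop location.

```python
"""Triage helpers for two patterns recorded in this report: a Run-key value that
re-launches a dropped DLL through rundll32.exe, and the
"cmd /c ping 127.0.0.1 -n N & <dropped exe> <original exe>" delay-and-relaunch chain.

Added example, not code from the sandbox vendor or the sample. The path prefixes
below assume a default C: install; the benign control entries are constructed.
"""
import re
from typing import Optional

WINDOWS_DIR = "c:\\windows\\"                      # assumed %SystemRoot%
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")  # assumed

# rundll32 syntax: [path\]rundll32.exe <dll>,<export> [args]. The DLL may be quoted and
# the comma sits directly after it, exactly as in the Dotx value.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?P<exe>[^"]*?rundll32\.exe)"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,"]+))'
    r'\s*,\s*(?P<export>[^\s,]+)'
    r'(?:\s+(?P<args>.*\S))?\s*$',
    re.IGNORECASE,
)

# cmd.exe /c ping <args> & <next command>: ping against loopback is a sleep primitive.
PING_CHAIN_RE = re.compile(
    r'^\s*"?(?:[^"]*\\)?cmd(?:\.exe)?"?\s+/c\s+ping(?:\.exe)?\s+'
    r'(?P<pingargs>[^&]*?)\s*&{1,2}\s*(?P<next>.+?)\s*$',
    re.IGNORECASE,
)


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive prefix test on a Windows path; strips the NT \\??\\ prefix first."""
    p = path.lower().lstrip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.startswith(prefix.lower())


def assess_autorun(name: str, value: str) -> dict:
    """Parse one Run value and flag rundll32 launches of DLLs outside %SystemRoot%."""
    m = RUNDLL32_RE.match(value)
    if not m:
        return {"name": name, "rundll32": False, "suspicious": False, "reasons": []}
    dll = m.group("qdll") or m.group("dll")
    reasons = []
    if not _under(dll, WINDOWS_DIR):
        reasons.append(f"rundll32 loads a DLL outside %SystemRoot%: {dll}")
    if any(_under(dll, p) for p in USER_WRITABLE):
        reasons.append("DLL sits in a user-writable location")
    return {
        "name": name,
        "rundll32": True,
        "exe": m.group("exe"),
        "dll": dll,
        "export": m.group("export"),
        "args": m.group("args"),
        "wow64_host": "syswow64" in m.group("exe").lower(),  # 32-bit host, as in this report
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def detect_ping_delay(cmdline: str) -> Optional[dict]:
    """Recognise the ping-as-sleep chain and pull out what runs after the delay."""
    m = PING_CHAIN_RE.match(cmdline)
    if not m:
        return None
    ping_args = m.group("pingargs")
    count = re.search(r"-n\s+(\d+)", ping_args, re.IGNORECASE)
    echoes = int(count.group(1)) if count else 4  # Windows ping sends 4 echoes by default
    loopback = re.search(r"(127\.0\.0\.1|localhost|::1)", ping_args, re.IGNORECASE) is not None
    head = re.match(r'"([^"]+)"|(\S+)', m.group("next"))
    next_exe = (head.group(1) or head.group(2)) if head else ""
    return {
        "loopback": loopback,
        "approx_delay_s": max(echoes - 1, 0),  # about one second between echo requests
        "next_exe": next_exe,
        "next_cmd": m.group("next"),
        # a loopback sleep followed by a binary in a user-writable path is the dropper shape
        "suspicious": loopback and any(_under(next_exe, p) for p in USER_WRITABLE),
    }


# Constructed sample set: the report's own Run value and cmd line plus two benign controls.
SAMPLE_RUN_VALUES = {
    "Dotx": r'c:\windows\SysWOW64\rundll32.exe "c:\Program Files\kzbdp\fibdt.dll",Verify',
    "BenignApplet": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    "BenignApp": r'"C:\Program Files\Example Vendor\updater.exe" /silent',
}
SAMPLE_CMDLINE = (
    r'cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\yfkmn.exe '
    r'"C:\Users\Admin\AppData\Local\Temp\554e23a2acc2789058c991870cc3a97fcd83022b6c641ac9fac6ac51029485e3.exe"'
)


def triage() -> dict:
    """Run both checks over the samples; returns flagged Run-key names and the chain verdict."""
    flagged = [n for n, v in SAMPLE_RUN_VALUES.items() if assess_autorun(n, v)["suspicious"]]
    return {"flagged_run_keys": flagged, "ping_chain": detect_ping_delay(SAMPLE_CMDLINE)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

In a real hunt the dictionary in SAMPLE_RUN_VALUES would be replaced by the enumerated HKCU and HKLM Run keys and the command line by Sysmon event ID 1 or Security 4688 records; the heuristics stay the same. The "DLL outside %SystemRoot%" rule is deliberately coarse, because the directory name kzbdp and the export Verify carry no meaning that a rule could rely on, and a second run of the same family would change both.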
MITRE ATT&CK Matrix (ATT&CK v13)
Tactic                Technique                            Sub-technique                        Hits
Persistence           Boot or Logon Autostart Execution    Registry Run Keys / Startup Folder   1
Persistence           Pre-OS Boot                          Bootkit                              1
Privilege Escalation  Boot or Logon Autostart Execution    Registry Run Keys / Startup Folder   1
Downloads

C:\Users\Admin\AppData\Local\Temp\yfkmn.exe
  Filesize: 405KB
  MD5: 1886a8062432029e09128bb411b6e27f
  SHA1: 01f03fc45ec4ce6a221c342cae30ccc7a3bdd28a
  SHA256: b58685c3f7d20af8480a9b6b2932687fe9ef1c1a3af76a2d407fc137722c6a6e
  SHA512: add1bb28a9e22778ba4125ceb59e90c4007aba528a68009cda884db112f4b6808391e0bfbfe1af347cc165b5063ea0d8da2c0feef9b2865e1df962c115cc2c0a

\??\c:\Program Files\kzbdp\fibdt.dll
  Filesize: 228KB
  MD5: a286c91bf7599d7621571ed610adc383
  SHA1: 0489db23f8a117106c041c265cc7581d6f617b40
  SHA256: a9b82be68158551fa19f7b385a551fa135384aea600da6c27f27967c1e8548fe
  SHA512: a1301a50bd7bd6adceccf7165d0f8605b36e31f6ebeb43d510cfc334e2e74752577a27a201953bef3f47b67322d34f08c29a6880f61737493aefb6edec872563

memory/4056-11-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB

memory/4056-12-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB

memory/4056-14-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB

memory/4432-0-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB

memory/4432-2-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB

memory/4768-6-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB

memory/4768-8-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB