Analysis
-
max time kernel
135s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15-12-2024 21:46
Behavioral task
behavioral1
Sample
Staffbesting_Private.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Staffbesting_Private.exe
Resource
win10v2004-20241007-en
General
-
Target
Staffbesting_Private.exe
-
Size
16.8MB
-
MD5
454b279d44ee6560e8e2617c86e80c6f
-
SHA1
092c438dd4f49b090013002086a5a0215a38bc5c
-
SHA256
84dc07f9e850b5c47ebee63d4262ea9b7fa82a49b01132581b923d19858dc9e8
-
SHA512
28f2da6ea64f4e6bfee822fbb49e098797cf63361eea56f9357a727f3fa8b07c8f095b59256a688a1f429884ee7366072e5d268cbe2b5ef44cd7fb49ffa5367d
-
SSDEEP
393216:Tu7L/cxy/m3pqaUX47d4zjO8v/uOMzZlV:TCL0EKqaUI7d4zjO0elV
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Staffbesting_Private.exe Staffbesting_Private.exe -
Loads dropped DLL 45 IoCs
pid Process 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe 2872 Staffbesting_Private.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 api.ipify.org 19 api.ipify.org 47 api.ipify.org 60 api.ipify.org 6 ifconfig.me 16 api.ipify.org -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 5032 tasklist.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5032 tasklist.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4856 wrote to memory of 2872 4856 Staffbesting_Private.exe 84 PID 4856 wrote to memory of 2872 4856 Staffbesting_Private.exe 84 PID 2872 wrote to memory of 808 2872 Staffbesting_Private.exe 85 PID 2872 wrote to memory of 808 2872 Staffbesting_Private.exe 85 PID 2872 wrote to memory of 2448 2872 Staffbesting_Private.exe 87 PID 2872 wrote to memory of 2448 2872 Staffbesting_Private.exe 87 PID 2448 wrote to memory of 3784 2448 cmd.exe 89 PID 2448 wrote to memory of 3784 2448 cmd.exe 89 PID 2872 wrote to memory of 392 2872 Staffbesting_Private.exe 90 PID 2872 wrote to memory of 392 2872 Staffbesting_Private.exe 90 PID 392 wrote to memory of 5032 392 cmd.exe 92 PID 392 wrote to memory of 5032 392 cmd.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\Staffbesting_Private.exe"C:\Users\Admin\AppData\Local\Temp\Staffbesting_Private.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\Staffbesting_Private.exe"C:\Users\Admin\AppData\Local\Temp\Staffbesting_Private.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"3⤵PID:808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl ifconfig.me"3⤵
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\system32\curl.execurl ifconfig.me4⤵PID:3784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"3⤵
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5032
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5a1b78a3ce3165e90957880b8724d944f
SHA1a69f63cc211e671a08daad7a66ed0b05f8736cc7
SHA25684e071321e378054b6d3b56bbd66699e36554f637a44728b38b96a31199dfa69
SHA51215847386652cbee378d0ff6aad0a3fe0d0c6c7f1939f764f86c665f3493b4bccaf98d7a29259e94ed197285d9365b9d6e697b010aff3370cf857b8cb4106d7d8
-
Filesize
13KB
MD50dca79c062f2f800132cf1748a8e147f
SHA191f525b8ca0c0db245c4d3fa4073541826e8fb89
SHA2562a63e504c8aa4d291bbd8108f26eecde3dcd9bfba579ae80b777ff6dfec5e922
SHA512a820299fba1d0952a00db78b92fb7d68d77c427418388cc67e3a37dc87b1895d9ae416cac32b859d11d21a07a8f4cef3bd26ebb06cc39f04ad5e60f8692c659b
-
Filesize
14KB
MD5785f15dc9e505ed828356d978009ecce
SHA1830e683b0e539309ecf0f1ed2c7f73dda2011563
SHA256b2b68de1d7e5997eb0c8a44c9f2eb958de39b53db8d77a51a84f1d1b197b58b1
SHA51216033b72be6d66ab3a44b0480eb245d853a100d13a1e820eff5b12ce0bb73e17d6e48b3e778d1b20d0c04fe1fb8a5723c02ed8af434ae64d0944f847796d98f2
-
Filesize
10KB
MD5aec314222600ade3d96b6dc33af380a6
SHA1c6af3edadb09ea3a56048b57237c0a2dca33bee1
SHA256ea96505b38d27c085544fb129f2b0e00df5020d323d7853e6a6a8645ac785304
SHA512bbc00aa7fdf178bb6b2d86419c31967f2bc32d157aa7ee3ac308c28d8bf4823c1fafcde6c91651edc05c146e44d7e59e02a76283890652b27c52f509c3b9ef9a
-
Filesize
12KB
MD54ed6d4b1b100384d13f25dfa3737fb78
SHA1852a2f76c853db02e65512af35f5b4b4a2346abd
SHA256084e4b2da2180ad2a2e96e8804a6f2fc37bce6349eb8a5f6b182116b4d04bd82
SHA512276201a9bcb9f88f4bbac0cd9e3ea2da83e0fb4854b1a0dd63cff2af08af3883be34af6f06ece32fad2fd4271a0a09a3b576f1ed78b8a227d13c04a07eaf0827
-
Filesize
106KB
MD5870fea4e961e2fbd00110d3783e529be
SHA1a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA25676fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA5120b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
Filesize
63KB
MD542b1b82a77f4179b66262475ba5a8332
SHA19f6c979e2c59e27cc1e7494fc1cc1b0536aa3c22
SHA2568ec1af6be27a49e3dc70075d0b5ef9255fad52cbbdab6a5072080085b4e45e89
SHA5122ee9fc9079714cb2ae2226c87c9c790b6f52b110667dbe0f1677eedb27335949b41df200daf7f67aa5c90db63e369b4904aac986c040706f8a3f542c44daf1d0
-
Filesize
82KB
MD5a8a37ba5e81d967433809bf14d34e81d
SHA1e4d9265449950b5c5a665e8163f7dda2badd5c41
SHA25650e21ce62f8d9bab92f6a7e9b39a86406c32d2df18408bb52ffb3d245c644c7b
SHA512b50f4334acb54a6fba776fc77ca07de4940810da4378468b3ca6f35d69c45121ff17e1f9c236752686d2e269bd0b7bce31d16506d3896b9328671049857ed979
-
Filesize
177KB
MD5fde9a1d6590026a13e81712cd2f23522
SHA1ca99a48caea0dbaccf4485afd959581f014277ed
SHA25616eccc4baf6cf4ab72acd53c72a1f2b04d952e07e385e9050a933e78074a7d5b
SHA512a522661f5c3eeea89a39df8bbb4d23e6428c337aac1d231d32b39005ea8810fce26af18454586e0e94e51ea4ac0e034c88652c1c09b1ed588aeac461766981f4
-
Filesize
120KB
MD5496dcf8821ffc12f476878775999a8f3
SHA16b89b8fdd7cd610c08e28c3a14b34f751580cffd
SHA256b59e103f8ec6c1190ded21eef27bea01579220909c3968eeec37d46d2ed39e80
SHA51207118f44b83d58f333bc4b853e9be66dffb3f7db8e65e0226975297bf5794ebdaa2c7a51ef84971faf4d4233a68a6b5e9ac02e737d16c0ac19a6cf65fad9443f
-
Filesize
63KB
MD51c88b53c50b5f2bb687b554a2fc7685d
SHA1bfe6fdb8377498bbefcaad1e6b8805473a4ccbf3
SHA25619dd3b5ebb840885543974a4cb6c8ea4539d76e3672be0f390a3a82443391778
SHA512a312b11c85aaa325ab801c728397d5c7049b55fa00f24d30f32bf5cc0ad160678b40f354d9d5ec34384634950b5d6eda601e21934c929b4bc7f6ef50f16e3f59
-
Filesize
155KB
MD5bc07d7ac5fdc92db1e23395fde3420f2
SHA1e89479381beeba40992d8eb306850977d3b95806
SHA256ab822f7e846d4388b6f435d788a028942096ba1344297e0b7005c9d50814981b
SHA512b6105333bb15e65afea3cf976b3c2a8a4c0ebb09ce9a7898a94c41669e666ccfa7dc14106992502abf62f1deb057e926e1fd3368f2a2817bbf6845eada80803d
-
Filesize
49KB
MD58b3d764024c447853b2f362a4e06cfc6
SHA1a8fd99268cea18647bfa6592180186731bff6051
SHA256ca131fc4a8c77daff8cff1b7e743b564745f6d2b4f9bb371b1286eb383c0692e
SHA512720d58c3db8febd66e3bc372b7b0a409185e9722402ee49e038ade2141a70ec209b79cde7c4d67a90e5b3b35ed545b3400c8dbe73124299a266be2b036934e3e
-
Filesize
31KB
MD5e0cc8c12f0b289ea87c436403bc357c1
SHA1e342a4a600ef9358b3072041e66f66096fae4da4
SHA2569517689d7d97816dee9e6c01ffd35844a3af6cde3ff98f3a709d52157b1abe03
SHA5124d93f23db10e8640cd33e860241e7ea6a533daf64c36c4184844e6cca7b9f4bd41db007164a549e30f5aa9f983345318ff02d72815d51271f38c2e8750df4d77
-
Filesize
77KB
MD5290dbf92268aebde8b9507b157bef602
SHA1bea7221d7abbbc48840b46a19049217b27d3d13a
SHA256e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe
SHA5129ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5
-
Filesize
117KB
MD5562fecc2467778f1179d36af8554849f
SHA1097c28814722c651f5af59967427f4beb64bf2d1
SHA25688b541d570afa0542135cc33e891650346997d5c99ae170ef724fa46c87d545a
SHA512e106ccdd100d0ce42e909d9a21b1ad3b12aee8350033f249ed4c69b195b00adaf441aa199d9885c9d16488db963c751746ce98786246d96568bade4c707d362a
-
Filesize
157KB
MD50a7eb5d67b14b983a38f82909472f380
SHA1596f94c4659a055d8c629bc21a719ce441d8b924
SHA2563bac94d8713a143095ef8e2f5d2b4a3765ebc530c8ca051080d415198cecf380
SHA5123b78fd4c03ee1b670e46822a7646e668fbaf1ef0f2d4cd53ccfcc4abc2399fcc74822f94e60af13b3cdcb522783c008096b0b265dc9588000b7a46c0ed5973e1
-
Filesize
24KB
MD5a16b1acfdaadc7bb4f6ddf17659a8d12
SHA1482982d623d88627c447f96703e4d166f9e51db4
SHA2568af17a746533844b0f1b8f15f612e1cf0df76ac8f073388e80cfc60759e94de0
SHA51203d65f37efc6aba325109b5a982be71380210d41dbf8c068d6a994228888d805adac1264851cc6f378e61c3aff1485cc6c059e83218b239397eda0cec87bd533
-
Filesize
1.7MB
MD58fb7342c0840183a1670698bc6817ebc
SHA131d38f79f91ae71aaa96f1aa3ea55a8a20977c2c
SHA256df88a1c444ae1c0af3de8ae3be8794bbc529ddaeb6c1a7a54b20a67f22be4136
SHA512c6a140a059b2e5826d03ed754683df5546ed8ee4ed90a59918d61ce1163682374c0919daf585ad00166ed4f5df0ca30cf17c2e86c077810f5b38499911fc3aa3
-
Filesize
10KB
MD5b7262254fcc94b031065cee9ef965983
SHA13d2be33ff9a8ecfaaa5ee25d99cfc21a2f3544a9
SHA2568d1c0618dc9d666de3df50884246ff534d79eb29a9bcf9f04f618f2e0a7ac4e5
SHA5125df83f7dacc6821177f8f9a8c13f1a995ae136349685504dcb7745969bf7ce3d1d13b24df266086855bf567cb7bac407c6c3703c991526bc3f6b6d486eb627d7
-
Filesize
113KB
MD5c16b82c4312e882d7acd36621e5d0e01
SHA19ab05e1da7954bead989d5897ba645a4d0317f9f
SHA2567eabcaaa64b60b64b47e513b253d5c92ce527a3426da6108899390d07b308433
SHA512bd3d595b431744ad8960c83f2a1f62023846306a61ae07bd6c8309956726ef8a6cb5388c123ac4288f868db254171df0f2ae40da07f97e8f2b48de3b6e6323a9
-
Filesize
3.3MB
MD580b72c24c74d59ae32ba2b0ea5e7dad2
SHA175f892e361619e51578b312605201571bfb67ff8
SHA256eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d
SHA51208014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a
-
Filesize
37KB
MD5d86a9d75380fab7640bb950aeb05e50e
SHA11c61aaf9022cd1f09a959f7b2a65fb1372d187d7
SHA25668fba9dd89bfad35f8fd657b9af22a8aebda31bffda35058a7f5ae376136e89b
SHA51218437e64061221be411a1587f634b4b8efa60e661dbc35fd96a6d0e7eff812752de0ada755c01f286efefc47fb5f2daf07953b4cfc4119121b6bee7756c88d0f
-
Filesize
686KB
MD586f2d9cc8cc54bbb005b15cabf715e5d
SHA1396833cba6802cb83367f6313c6e3c67521c51ad
SHA256d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771
SHA5120013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb
-
Filesize
194KB
MD5c5c1ca1b3641772e661f85ef0166fd6c
SHA1759a34eca7efa25321a76788fb7df74cfac9ee59
SHA2563d81d06311a8a15967533491783ea9c7fc88d594f40eee64076723cebdd58928
SHA5124f0d2a6f15ebeeb4f9151827bd0c2120f3ca17e07fca4d7661beece70fdcf1a0e4c4ff5300251f2550451f98ea0fdbf45e8903225b7d0cb8da2851cdf62cb8d0
-
Filesize
5.5MB
MD51fe47c83669491bf38a949253d7d960f
SHA1de5cc181c0e26cbcb31309fe00d9f2f5264d2b25
SHA2560a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae
SHA51205cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4
-
Filesize
675KB
MD5f655cc794762ae686c65b969e83f1e84
SHA1ac635354ea70333c439aa7f97f2e1759df883e38
SHA2569111856645f779f137c46d78a68374292fc512a2a4038466476bb9c6024097b5
SHA5127dde92438d920e832025ae0a54dbf1b7acc6192d937b1babc388706723e92910bd355aa4bb0e8ef6378c71460468537fef9fd3031d048adf0743d48aed229c14
-
Filesize
134KB
MD51696732a242bfaf6a50bd98eb7874f23
SHA1090a85275c7c67430d511570bab36eb299c7e787
SHA2566583c15de0f5a1b20c8750b0599e5cf162f91f239f8341bda842485d8bbc9887
SHA51270a03adb89649cece59e6b84a2f79ad53cf7c308ffaca8b19c0b64b59858e73a75addd131776d54b5bf12b747bcbb1ff9a4ce0e35d06bb995e34c5687dd3a25b
-
Filesize
29KB
MD54ac28414a1d101e94198ae0ac3bd1eb8
SHA1718fbf58ab92a2be2efdb84d26e4d37eb50ef825
SHA256b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5
SHA5122ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2
-
Filesize
1.4MB
MD5a98bb13828f662c599f2721ca4116480
SHA1ea993a7ae76688d6d384a0d21605ef7fb70625ee
SHA2566217e0d1334439f1ee9e1093777e9aa2e2b0925a3f8596d22a16f3f155262bf7
SHA5125f1d8c2f52cc976287ab9d952a46f1772c6cf1f2df734e10bbe30ce312f5076ef558df84dce662a108a146a63f7c6b0b5dc7230f96fa7241947645207a6420f4
-
Filesize
1.1MB
MD52ab7e66dff1893fea6f124971221a2a9
SHA13be5864bc4176c552282f9da5fbd70cc1593eb02
SHA256a5db7900ecd5ea5ab1c06a8f94b2885f00dd2e1adf34bcb50c8a71691a97804f
SHA512985480fffcc7e1a25c0070f44492744c3820334a35b9a72b9147898395ab60c7a73ea8bbc761de5cc3b6f8799d07a96c2880a7b56953249230b05dd59a1390ad
-
Filesize
136KB
MD53210cb66deb7f1bbcc46b4c3832c7e10
SHA15c5f59a29f5ef204f52fd3a9433b3a27d8a30229
SHA256bf5147f4fffbffa77d9169b65af13d983e2fcccdbca8151d72814c55939bb2c4
SHA5125d51ede8f464ca7e151bfaaef0b7e81f5ce16678d35a573cae2994db602c2d93f0463c3936fb896dee1cf5192b69fb1051594efa5d4f248a02226ca50b6bfa5c