Analysis
max time kernel: 111s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted: 28-04-2024 14:56
Static task: static1
Behavioral task: behavioral1
Sample: 5e14291d1ddc502823a02e1bdb0cee56.exe
Resource: win7-20240221-en
General
Target: 5e14291d1ddc502823a02e1bdb0cee56.exe
Size: 306KB
MD5: 5e14291d1ddc502823a02e1bdb0cee56
SHA1: 1ce2cc9c34fa0386b4d2d7ca36d4504fda3d1130
SHA256: f98a232e9e666e4af8894757f171505040762677b4fcfa4e00269ea548ca13f7
SHA512: a96959377102289f93579c73939d0da98b6e2fe79aaf53c93727cb45ca28ee64451ef33a676ef06e095ccc89fe447edc92f539a121db4112f7533773758df985
SSDEEP: 3072:23Cbs6xpadpZ8MtN+pbLmXcXi3uyPXEpkUEt92NbphFfOSNhcBquEiHE/I7IuU:VEdLd6q3uysKGGremE/+U
Malware Config
Extracted
stealc
http://185.172.128.150
url_path: /c698e1bc8a2f5e6d.php
Signatures

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (1 IoCs)
Processes:
  pid   pid_target   process        target process
  3024  4200         WerFault.exe   5e14291d1ddc502823a02e1bdb0cee56.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                                                 process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      5e14291d1ddc502823a02e1bdb0cee56.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  5e14291d1ddc502823a02e1bdb0cee56.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid    process
  4200   5e14291d1ddc502823a02e1bdb0cee56.exe
  4200   5e14291d1ddc502823a02e1bdb0cee56.exe
Processes
1  C:\Users\Admin\AppData\Local\Temp\5e14291d1ddc502823a02e1bdb0cee56.exe
   "C:\Users\Admin\AppData\Local\Temp\5e14291d1ddc502823a02e1bdb0cee56.exe"
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   2  C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1348
      - Program crash
1  C:\Windows\SysWOW64\WerFault.exe
   C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4200 -ip 4200
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  File                                                              Filesize
  memory/4200-1-0x0000000001B10000-0x0000000001C10000-memory.dmp    1024KB
  memory/4200-2-0x0000000003630000-0x0000000003657000-memory.dmp    156KB
  memory/4200-3-0x0000000000400000-0x0000000001A18000-memory.dmp    22.1MB
  memory/4200-4-0x0000000000400000-0x0000000001A18000-memory.dmp    22.1MB
  memory/4200-5-0x0000000000400000-0x0000000001A18000-memory.dmp    22.1MB
  memory/4200-6-0x0000000001B10000-0x0000000001C10000-memory.dmp    1024KB
  memory/4200-9-0x0000000000400000-0x0000000001A18000-memory.dmp    22.1MB
  memory/4200-11-0x0000000000400000-0x0000000001A18000-memory.dmp   22.1MB
  memory/4200-13-0x0000000000400000-0x0000000001A18000-memory.dmp   22.1MB