Analysis
- max time kernel: 55s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 27-02-2021 06:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: Archive-541b.exe
- Resource: win7v20201028
General
- Target: Archive-541b.exe
- Size: 1.4MB
- MD5: c8d498122478c4941c5b2d2d97ec3a30
- SHA1: b50be0c98c44ff1eaf44d31f8b8d541afbbb4bfb
- SHA256: d57d259f26333fe3798dc7a9b4f34ef9a1f18f7b320a9b4022bb56756d68fbba
- SHA512: 3c296961d10a3a55f4a6d57b209ce246517ffceade877a521622f301d030c0edc16553a46b5f443b975e9dc4f2be90171e2c5050a74efe32cfb254401c080dea
Malware Config
Signatures
- NirSoft WebBrowserPassView (4 IoCs)
  Password recovery tool for various web browsers
  Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe / WebBrowserPassView (4 identical matches)
- Nirsoft (4 IoCs)
  Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe / Nirsoft (4 identical matches)
- Executes dropped EXE (6 IoCs)
  Processes (pid / process):
  2512 / Stely.exe
  1500 / resourcefilehaha.exe
  3024 / resourcefilehaha2.exe
  2896 / Stely.exe
  4092 / resourcefilehaha.exe
  748 / resourcefilehaha2.exe
- upx (yara rule; signature title missing in source)
  Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe / upx (3 identical matches)
- vmprotect (yara rule; signature title missing in source)
  Processes (resource / yara_rule):
  C:\Users\Admin\Desktop\Stely.exe / vmprotect (3 identical matches)
  behavioral2/memory/2512-6-0x00000000007D0000-0x00000000007D1000-memory.dmp / vmprotect
- Loads dropped DLL (4 IoCs)
  Processes (pid / process):
  2512 / Stely.exe (2 matches)
  2896 / Stely.exe (2 matches)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  Processes (description / ioc / process):
  Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance / Archive-541b.exe
  Key created / \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance / Archive-541b.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid / process):
  1500 / resourcefilehaha.exe (4 matches)
  4092 / resourcefilehaha.exe (4 matches)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 2512 / Stely.exe
  Token: SeDebugPrivilege / 2896 / Stely.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
  744 / Archive-541b.exe (2 matches)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  PID 2512 wrote to memory of 1500 / 2512 / Stely.exe / resourcefilehaha.exe (3 matches)
  PID 2512 wrote to memory of 3024 / 2512 / Stely.exe / resourcefilehaha2.exe (3 matches)
  PID 2896 wrote to memory of 4092 / 2896 / Stely.exe / resourcefilehaha.exe (3 matches)
  PID 2896 wrote to memory of 748 / 2896 / Stely.exe / resourcefilehaha2.exe (3 matches)
Processes
- C:\Users\Admin\AppData\Local\Temp\Archive-541b.exe
  "C:\Users\Admin\AppData\Local\Temp\Archive-541b.exe"
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Users\Admin\Desktop\Stely.exe
  "C:\Users\Admin\Desktop\Stely.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe (child)
    "C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe" /C /stext C:\Users\Admin\AppData\Local\Temp\credentialslmao.txt
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe (child)
    "C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe" /C /stext C:\Users\Admin\AppData\Local\Temp\cookieslmao.txt
    - Executes dropped EXE
- C:\Users\Admin\Desktop\Stely.exe
  "C:\Users\Admin\Desktop\Stely.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe (child)
    "C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe" /C /stext C:\Users\Admin\AppData\Local\Temp\credentialslmao.txt
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe (child)
    "C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe" /C /stext C:\Users\Admin\AppData\Local\Temp\cookieslmao.txt
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Stely.exe.log
  MD5: e9a77f993e802389e806cab5016e8019
  SHA1: 390e4d0a3f29d63f4098ce78c2b233738fe4a5b1
  SHA256: 4b983b3b8055c3ecab455b12d587aa1f53ef5f4dc69e32b0be5d34b4d600e615
  SHA512: 16541addd57ea0dba773c4a1de74f1c476e8333871de93d43908cd7bba7ee393223f1ba5a45c7d1695cab32b9a233cd56c9560f7ca1d3f154f1e604db47465e0
- C:\Users\Admin\AppData\Local\Temp\cookieslmao.txt
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\AppData\Local\Temp\credentialslmao.txt
  MD5: 814b5ce4cad79d36055d2d4b5958cc31
  SHA1: 2a06a869615f0858479371b0415899681fb0c7d8
  SHA256: 6d1fa1a75faec2b39e8a2a1df8dd0f15e5256de7da7c527225ecf22fdacaf559
  SHA512: a82fa1594ccbe1df93a973a01c787a6baa0ce8a97c0b0b0a844c90cb6be092b1094636b4d88c568fece95cd9bdfe4412875011abe318373a4fcfc218f93d1278
- C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe
  MD5: 053778713819beab3df309df472787cd
  SHA1: 99c7b5827df89b4fafc2b565abed97c58a3c65b8
  SHA256: f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
  SHA512: 35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb
- C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe
  MD5: 4a82a984210f0d4fcc24649f8248687e
  SHA1: 54127c2d922ac623741be36857cd6ba737016a0c
  SHA256: c95ed6164ca6ed4f2ea67807d1d1c9e99c19ed244dc53a5ddb2ba34c4aa2efd6
  SHA512: 1ac051019f430f16048759de8c9e97b5600e7ac537016c71e771fc14b4a6c3bda139b16449a251abe3b1ad3faa8afd718d573d079ce6d425e9217b540bbdffdb
- C:\Users\Admin\Desktop\AForge.Video.DirectShow.dll
  MD5: 17ed442e8485ac3f7dc5b3c089654a61
  SHA1: d3a17c1fdd6d54951141053f88bf8238dea0b937
  SHA256: 666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
  SHA512: 9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2
- C:\Users\Admin\Desktop\Stely.exe
  MD5: e7c3f530cf00076c250c6bcbc64c0a06
  SHA1: 85e15cb1322674b2e244cc454964e7af63618081
  SHA256: 9acd171925e00b11abed564f3eddd2dcb62f00731060d786affe4490de4a7517
  SHA512: ef35342d8d16a7ea0cfde172eb919aa8b4798e21718d17990975b114bacfc5fe97b779468e0895ccd33ce59fceb788054fc1f4135f83238b333d27c742bda682
- \Users\Admin\Desktop\AForge.Video.DirectShow.dll
  MD5: 17ed442e8485ac3f7dc5b3c089654a61
  SHA1: d3a17c1fdd6d54951141053f88bf8238dea0b937
  SHA256: 666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
  SHA512: 9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2
- memory/748-48-0x0000000000000000-mapping.dmp
- memory/1500-20-0x0000000000000000-mapping.dmp
- memory/2512-13-0x00000000098B0000-0x00000000098B1000-memory.dmp (Filesize: 4KB)
- memory/2512-19-0x0000000005D70000-0x0000000005D71000-memory.dmp (Filesize: 4KB)
- memory/2512-14-0x00000000099C0000-0x00000000099C1000-memory.dmp (Filesize: 4KB)
- memory/2512-9-0x00000000095B0000-0x00000000095B1000-memory.dmp (Filesize: 4KB)
- memory/2512-8-0x0000000002A30000-0x0000000002A31000-memory.dmp (Filesize: 4KB)
- memory/2512-6-0x00000000007D0000-0x00000000007D1000-memory.dmp (Filesize: 4KB)
- memory/2512-18-0x0000000005020000-0x0000000005021000-memory.dmp (Filesize: 4KB)
- memory/2512-5-0x0000000073EE0000-0x00000000745CE000-memory.dmp (Filesize: 6.9MB)
- memory/2896-34-0x0000000009110000-0x0000000009111000-memory.dmp (Filesize: 4KB)
- memory/2896-30-0x0000000073F80000-0x000000007466E000-memory.dmp (Filesize: 6.9MB)
- memory/3024-24-0x0000000000000000-mapping.dmp
- memory/4092-44-0x0000000000000000-mapping.dmp