d57d259f26333fe3798dc7a9b4f34ef9a1f18f7b320a9b4022bb56756d68fbba

Analysis

max time kernel
55s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
27-02-2021 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Archive-541b.exe
Size

1.4MB
MD5

c8d498122478c4941c5b2d2d97ec3a30
SHA1

b50be0c98c44ff1eaf44d31f8b8d541afbbb4bfb
SHA256

d57d259f26333fe3798dc7a9b4f34ef9a1f18f7b320a9b4022bb56756d68fbba
SHA512

3c296961d10a3a55f4a6d57b209ce246517ffceade877a521622f301d030c0edc16553a46b5f443b975e9dc4f2be90171e2c5050a74efe32cfb254401c080dea

Score

9^/10

spyware upx vmprotect

Malware Config

Signatures

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe	Nirsoft

Executes dropped EXE 6 IoCs

Processes:

Stely.exeresourcefilehaha.exeresourcefilehaha2.exeStely.exeresourcefilehaha.exeresourcefilehaha2.exe

pid process

2512 Stely.exe
1500 resourcefilehaha.exe
3024 resourcefilehaha2.exe
2896 Stely.exe
4092 resourcefilehaha.exe
748 resourcefilehaha2.exe

pid	process
2512	Stely.exe
1500	resourcefilehaha.exe
3024	resourcefilehaha2.exe
2896	Stely.exe
4092	resourcefilehaha.exe
748	resourcefilehaha2.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe	upx
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe	upx
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Stely.exe	vmprotect
C:\Users\Admin\Desktop\Stely.exe	vmprotect
behavioral2/memory/2512-6-0x00000000007D0000-0x00000000007D1000-memory.dmp	vmprotect
C:\Users\Admin\Desktop\Stely.exe	vmprotect

Loads dropped DLL 4 IoCs

Processes:

Stely.exeStely.exe

pid process

2512 Stely.exe
2512 Stely.exe
2896 Stely.exe
2896 Stely.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2512	Stely.exe
2512	Stely.exe
2896	Stely.exe
2896	Stely.exe

Modifies registry class 2 IoCs

Processes:

Archive-541b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Archive-541b.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Archive-541b.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

resourcefilehaha.exeresourcefilehaha.exe

pid	process
1500	resourcefilehaha.exe
1500	resourcefilehaha.exe
1500	resourcefilehaha.exe
1500	resourcefilehaha.exe
4092	resourcefilehaha.exe
4092	resourcefilehaha.exe
4092	resourcefilehaha.exe
4092	resourcefilehaha.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Stely.exeStely.exe

description pid process

Token: SeDebugPrivilege 2512 Stely.exe
Token: SeDebugPrivilege 2896 Stely.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Archive-541b.exe

pid process

744 Archive-541b.exe
744 Archive-541b.exe

description	pid	process
Token: SeDebugPrivilege	2512	Stely.exe
Token: SeDebugPrivilege	2896	Stely.exe

pid	process
744	Archive-541b.exe
744	Archive-541b.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Stely.exeStely.exe

description	pid	process	target process
PID 2512 wrote to memory of 1500	2512	Stely.exe	resourcefilehaha.exe
PID 2512 wrote to memory of 1500	2512	Stely.exe	resourcefilehaha.exe
PID 2512 wrote to memory of 1500	2512	Stely.exe	resourcefilehaha.exe
PID 2512 wrote to memory of 3024	2512	Stely.exe	resourcefilehaha2.exe
PID 2512 wrote to memory of 3024	2512	Stely.exe	resourcefilehaha2.exe
PID 2512 wrote to memory of 3024	2512	Stely.exe	resourcefilehaha2.exe
PID 2896 wrote to memory of 4092	2896	Stely.exe	resourcefilehaha.exe
PID 2896 wrote to memory of 4092	2896	Stely.exe	resourcefilehaha.exe
PID 2896 wrote to memory of 4092	2896	Stely.exe	resourcefilehaha.exe
PID 2896 wrote to memory of 748	2896	Stely.exe	resourcefilehaha2.exe
PID 2896 wrote to memory of 748	2896	Stely.exe	resourcefilehaha2.exe
PID 2896 wrote to memory of 748	2896	Stely.exe	resourcefilehaha2.exe

C:\Users\Admin\AppData\Local\Temp\Archive-541b.exe
"C:\Users\Admin\AppData\Local\Temp\Archive-541b.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:744

C:\Users\Admin\Desktop\Stely.exe
"C:\Users\Admin\Desktop\Stely.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe
"C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe" /C /stext C:\Users\Admin\AppData\Local\Temp\credentialslmao.txt
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe
"C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe" /C /stext C:\Users\Admin\AppData\Local\Temp\cookieslmao.txt
2⤵
- Executes dropped EXE
PID:3024

C:\Users\Admin\Desktop\Stely.exe
"C:\Users\Admin\Desktop\Stely.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe
"C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe" /C /stext C:\Users\Admin\AppData\Local\Temp\credentialslmao.txt
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4092

C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe
"C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe" /C /stext C:\Users\Admin\AppData\Local\Temp\cookieslmao.txt
2⤵
- Executes dropped EXE
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Stely.exe.log
MD5
e9a77f993e802389e806cab5016e8019

SHA1
390e4d0a3f29d63f4098ce78c2b233738fe4a5b1

SHA256
4b983b3b8055c3ecab455b12d587aa1f53ef5f4dc69e32b0be5d34b4d600e615

SHA512
16541addd57ea0dba773c4a1de74f1c476e8333871de93d43908cd7bba7ee393223f1ba5a45c7d1695cab32b9a233cd56c9560f7ca1d3f154f1e604db47465e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookieslmao.txt
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookieslmao.txt
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\credentialslmao.txt
MD5
814b5ce4cad79d36055d2d4b5958cc31

SHA1
2a06a869615f0858479371b0415899681fb0c7d8

SHA256
6d1fa1a75faec2b39e8a2a1df8dd0f15e5256de7da7c527225ecf22fdacaf559

SHA512
a82fa1594ccbe1df93a973a01c787a6baa0ce8a97c0b0b0a844c90cb6be092b1094636b4d88c568fece95cd9bdfe4412875011abe318373a4fcfc218f93d1278

Download Submit
C:\Users\Admin\AppData\Local\Temp\credentialslmao.txt
MD5
814b5ce4cad79d36055d2d4b5958cc31

SHA1
2a06a869615f0858479371b0415899681fb0c7d8

SHA256
6d1fa1a75faec2b39e8a2a1df8dd0f15e5256de7da7c527225ecf22fdacaf559

SHA512
a82fa1594ccbe1df93a973a01c787a6baa0ce8a97c0b0b0a844c90cb6be092b1094636b4d88c568fece95cd9bdfe4412875011abe318373a4fcfc218f93d1278

Download Submit
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe
MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe
MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe
MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe
MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe
MD5
4a82a984210f0d4fcc24649f8248687e

SHA1
54127c2d922ac623741be36857cd6ba737016a0c

SHA256
c95ed6164ca6ed4f2ea67807d1d1c9e99c19ed244dc53a5ddb2ba34c4aa2efd6

SHA512
1ac051019f430f16048759de8c9e97b5600e7ac537016c71e771fc14b4a6c3bda139b16449a251abe3b1ad3faa8afd718d573d079ce6d425e9217b540bbdffdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe
MD5
4a82a984210f0d4fcc24649f8248687e

SHA1
54127c2d922ac623741be36857cd6ba737016a0c

SHA256
c95ed6164ca6ed4f2ea67807d1d1c9e99c19ed244dc53a5ddb2ba34c4aa2efd6

SHA512
1ac051019f430f16048759de8c9e97b5600e7ac537016c71e771fc14b4a6c3bda139b16449a251abe3b1ad3faa8afd718d573d079ce6d425e9217b540bbdffdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\resourcefilehaha2.exe
MD5
4a82a984210f0d4fcc24649f8248687e

SHA1
54127c2d922ac623741be36857cd6ba737016a0c

SHA256
c95ed6164ca6ed4f2ea67807d1d1c9e99c19ed244dc53a5ddb2ba34c4aa2efd6

SHA512
1ac051019f430f16048759de8c9e97b5600e7ac537016c71e771fc14b4a6c3bda139b16449a251abe3b1ad3faa8afd718d573d079ce6d425e9217b540bbdffdb

Download Submit
C:\Users\Admin\Desktop\AForge.Video.DirectShow.dll
MD5
17ed442e8485ac3f7dc5b3c089654a61

SHA1
d3a17c1fdd6d54951141053f88bf8238dea0b937

SHA256
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b

SHA512
9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

Download Submit
C:\Users\Admin\Desktop\Stely.exe
MD5
e7c3f530cf00076c250c6bcbc64c0a06

SHA1
85e15cb1322674b2e244cc454964e7af63618081

SHA256
9acd171925e00b11abed564f3eddd2dcb62f00731060d786affe4490de4a7517

SHA512
ef35342d8d16a7ea0cfde172eb919aa8b4798e21718d17990975b114bacfc5fe97b779468e0895ccd33ce59fceb788054fc1f4135f83238b333d27c742bda682

Download Submit
C:\Users\Admin\Desktop\Stely.exe
MD5
e7c3f530cf00076c250c6bcbc64c0a06

SHA1
85e15cb1322674b2e244cc454964e7af63618081

SHA256
9acd171925e00b11abed564f3eddd2dcb62f00731060d786affe4490de4a7517

SHA512
ef35342d8d16a7ea0cfde172eb919aa8b4798e21718d17990975b114bacfc5fe97b779468e0895ccd33ce59fceb788054fc1f4135f83238b333d27c742bda682

Download Submit
C:\Users\Admin\Desktop\Stely.exe
MD5
e7c3f530cf00076c250c6bcbc64c0a06

SHA1
85e15cb1322674b2e244cc454964e7af63618081

SHA256
9acd171925e00b11abed564f3eddd2dcb62f00731060d786affe4490de4a7517

SHA512
ef35342d8d16a7ea0cfde172eb919aa8b4798e21718d17990975b114bacfc5fe97b779468e0895ccd33ce59fceb788054fc1f4135f83238b333d27c742bda682

Download Submit
\Users\Admin\Desktop\AForge.Video.DirectShow.dll
MD5
17ed442e8485ac3f7dc5b3c089654a61

SHA1
d3a17c1fdd6d54951141053f88bf8238dea0b937

SHA256
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b

SHA512
9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

Download Submit
\Users\Admin\Desktop\AForge.Video.DirectShow.dll
MD5
17ed442e8485ac3f7dc5b3c089654a61

SHA1
d3a17c1fdd6d54951141053f88bf8238dea0b937

SHA256
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b

SHA512
9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

Download Submit
\Users\Admin\Desktop\AForge.Video.DirectShow.dll
MD5
17ed442e8485ac3f7dc5b3c089654a61

SHA1
d3a17c1fdd6d54951141053f88bf8238dea0b937

SHA256
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b

SHA512
9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

Download Submit
\Users\Admin\Desktop\AForge.Video.DirectShow.dll
MD5
17ed442e8485ac3f7dc5b3c089654a61

SHA1
d3a17c1fdd6d54951141053f88bf8238dea0b937

SHA256
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b

SHA512
9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

Download Submit
memory/748-48-0x0000000000000000-mapping.dmp

Download
memory/1500-20-0x0000000000000000-mapping.dmp

Download
memory/2512-13-0x00000000098B0000-0x00000000098B1000-memory.dmp

Filesize
4KB

Download
memory/2512-19-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/2512-14-0x00000000099C0000-0x00000000099C1000-memory.dmp

Filesize
4KB

Download
memory/2512-9-0x00000000095B0000-0x00000000095B1000-memory.dmp

Filesize
4KB

Download
memory/2512-8-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2512-6-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2512-18-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2512-5-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-34-0x0000000009110000-0x0000000009111000-memory.dmp

Filesize
4KB

Download
memory/2896-30-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/3024-24-0x0000000000000000-mapping.dmp

Download
memory/4092-44-0x0000000000000000-mapping.dmp

Download