Overview

overview

10

Static

static

9a72e56ac0...8e.exe

windows7_x64

10

9a72e56ac0...8e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    28-02-2022 03:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe

  • Size

    737KB

  • MD5

    22840909e11530390e8f74c6a162ded1

  • SHA1

    78d82f0ff396393e958553f25a47145916ea4e39

  • SHA256

    9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e

  • SHA512

    2a2214dc48b6942b19e439db189a9b2e7df6d91c26b24692fe370d552c70e828cb6d4ac344dc2fe36e08b0752e4ae8886f4d1f3f45970a65eaebae2d3069c130

Score
10/10
outsteelspywarestealer

Malware Config

Signatures

  • OutSteel

    OutSteel is a file uploader and document stealer written in AutoIT.

    stealeroutsteel
  • OutSteel batch script 1 IoCs

    Detects batch script dropped by OutSteel

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
    "C:\Users\Admin\AppData\Local\Temp\9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
      2⤵
        PID:3700
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
        2⤵
          PID:4480
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
          2⤵
            PID:728
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
            2⤵
              PID:1332
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
              2⤵
                PID:2292
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
                2⤵
                  PID:1508
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
                  2⤵
                    PID:4692
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
                    2⤵
                      PID:1316
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
                      2⤵
                        PID:4852
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
                        2⤵
                          PID:1604
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
                          2⤵
                            PID:4580
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
                            2⤵
                              PID:368
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
                              2⤵
                                PID:2988
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
                                2⤵
                                  PID:3332
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
                                  2⤵
                                    PID:3432
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
                                    2⤵
                                      PID:204
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
                                      2⤵
                                        PID:4388
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c start /min r.bat
                                        2⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:4328
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /K r.bat
                                          3⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:4112
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /min /c del "C:\Users\Admin\AppData\Local\Temp\r.bat"
                                            4⤵
                                              PID:2860
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              Taskkill /IM cmd.exe /F
                                              4⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3744
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 620
                                          2⤵
                                          • Program crash
                                          • Checks processor information in registry
                                          • Enumerates system info in registry
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3176
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3768 -ip 3768
                                        1⤵
                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                        • Suspicious use of WriteProcessMemory
                                        PID:4008

                                      Network

                                      MITRE ATT&CK Enterprise v6

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Temp\r.bat
                                        MD5

                                        94fc7c014e50a09fdf04eeaa23c096de

                                        SHA1

                                        37c5bbf0678e876aff08d82c1db6bdbde38c937b

                                        SHA256

                                        ca912e401fb1c5bf6deccf0cb5771fe34ba1b966468d3b9e8202a312a934348c

                                        SHA512

                                        8a9b58845be4bf56341472dc3df978ceb46e0e34cc62a6171f9fb64e173db1125472eeccebc16c2951ae75fcae702d1955de77f13aa4514e7ab1f06903548712

                                        Download Submit

                                      • memory/3768-130-0x0000000001A4A000-0x0000000001AC5000-memory.dmp

                                        Filesize

                                        492KB

                                        Download

                                      • memory/3768-131-0x0000000001A4A000-0x0000000001AC5000-memory.dmp

                                        Filesize

                                        492KB

                                        Download

                                      • memory/3768-132-0x0000000001C80000-0x0000000001D5D000-memory.dmp

                                        Filesize

                                        884KB

                                        Download

                                      • memory/3768-133-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download