Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-06-2023 21:09

General

  • Target

    VN[A43369197BA4B9840A742079ADE515B8] [2022-12-15T03_11_33.4145147] lang-English (United States)/Wall.exe

  • Size

    1MB

  • MD5

    d529e0869cea70bf8d3bdec1f16048d9

  • SHA1

    10f0cb47a0494a02c6c6e81a68486918a12cecdd

  • SHA256

    a160899b9e4c43ca91293e96180e3ed9ad7dc554cd3ca1a6f231ca478d7adfae

  • SHA512

    43e135ea62b8815abd1e11d6447149f5b44b2a7dd780ddac62c5abe510aa14631c87a08257d1bdcb141bd236495ffc3a2781d74a86e7576c0389a62dd23fc5b5

  • SSDEEP

    49152:ABRevIzpuUaDNJJE+dwRivJdxCxvAgoylf+H35jOa:apz4pDN8+KRUJgy+f+XD

Score
10/10

Malware Config

Signatures

  • Panda Stealer payload 3 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VN[A43369197BA4B9840A742079ADE515B8] [2022-12-15T03_11_33.4145147] lang-English (United States)\Wall.exe
    "C:\Users\Admin\AppData\Local\Temp\VN[A43369197BA4B9840A742079ADE515B8] [2022-12-15T03_11_33.4145147] lang-English (United States)\Wall.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        work.exe -priverdD
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3884
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\efthsf.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\efthsf.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetWindowsHookEx
          PID:2192

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
    Filesize

    35B

    MD5

    ff59d999beb970447667695ce3273f75

    SHA1

    316fa09f467ba90ac34a054daf2e92e6e2854ff8

    SHA256

    065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

    SHA512

    d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    Filesize

    1MB

    MD5

    51a361bef59e8460f51890dcf0cc4db5

    SHA1

    474593ed74808e4249b12e97e35cb3d386ec9b71

    SHA256

    b6dbf8daa3bafea4f7ccd74921525b8e4a3b4993ef1049e6dc65c733e3a1ed9f

    SHA512

    f56c93e2f7edc4bb6874c98904877f67d75a2b64fe8bd3483905cfb5efc4cb3d0316a66feff34d3c1a6f82b1ca9d513950da42c44585f03c35db0dcf6c5be201

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\efthsf.exe
    Filesize

    1MB

    MD5

    0b56d226dfd3e5771f0920e05940d408

    SHA1

    cb9c6a16a2aeddcc7864b36ee1cac1fd51f7b583

    SHA256

    b7c6baa369eaa5298ff5e41bf2bc61704cbf1311eb92236ea9b8d84493487f65

    SHA512

    cef9f93b4aa405486a555e5c7ec0b956ab46b21208c573f8b2c8bd86d3f106ea7f9f308eb7f9a63de9760bf8fd5b24740f3ec3229c60e02059dfa8dca2e9af2d

  • memory/2192-153-0x0000000000640000-0x0000000000A4A000-memory.dmp
    Filesize

    4MB

  • memory/2192-152-0x0000000000640000-0x0000000000A4A000-memory.dmp
    Filesize

    4MB

  • memory/2192-154-0x0000000000640000-0x0000000000A4A000-memory.dmp
    Filesize

    4MB

  • memory/2192-155-0x0000000000640000-0x0000000000A4A000-memory.dmp
    Filesize

    4MB

  • memory/2192-156-0x0000000000640000-0x0000000000A4A000-memory.dmp
    Filesize

    4MB