Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
07-10-2023 06:13
General
-
Target
file.exe
-
Size
344KB
-
MD5
ca4982bccfd8ac278771661a745cc364
-
SHA1
e2b269e7b951e59e47f5d151ecc023a893b9c0b2
-
SHA256
12cd64a6d63eb4c7ae10c011a65ea69f9ce0022197d39cb454cc63fc7e147f78
-
SHA512
7d11cc6245c28efba27f7c5edfb2aa2e4ed64e97881bd3a0e264537aeb2825e675bf1d567348fbce839f3a07674d22281074721b9c38af5cd13a67241d9f9ca2
-
SSDEEP
3072:4+dBqIZBDFjqGJB6tSmhi00OzMltSxc4QSoz7Meu5xjp+oexinsoQPPgJfJAP/oX:tRZ1FjN6/ultP7rCxF+oHsowgJfiAi
Malware Config
Extracted
stealc
http://aidandylan.top
-
url_path
/3886d2276f6914c4.php
Signatures
-
Stealc
Stealc is an infostealer written in C++.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1357423072.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1357423072.exe"C:\Users\Admin\AppData\Local\Temp\1357423072.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "file.exe" /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
273KB
MD55730849eb052bd4101316c2f5611a0e5
SHA1c2c3281370939ecbf8be5e7860f8e9a917dc26c0
SHA256e883fa7f59e03330f417e03108e69508124fb6d44a7a65f2170a1eb56f44009d
SHA5123c67fadce973e74ac6b5af03accf655c863c2c5445cdcb06f954947847053c0116796a5786f6f2e0db42974950ced068cb26cd8d61f971e6d469b507c5ba12b9
-
Filesize
273KB
MD55730849eb052bd4101316c2f5611a0e5
SHA1c2c3281370939ecbf8be5e7860f8e9a917dc26c0
SHA256e883fa7f59e03330f417e03108e69508124fb6d44a7a65f2170a1eb56f44009d
SHA5123c67fadce973e74ac6b5af03accf655c863c2c5445cdcb06f954947847053c0116796a5786f6f2e0db42974950ced068cb26cd8d61f971e6d469b507c5ba12b9
-
Filesize
273KB
MD55730849eb052bd4101316c2f5611a0e5
SHA1c2c3281370939ecbf8be5e7860f8e9a917dc26c0
SHA256e883fa7f59e03330f417e03108e69508124fb6d44a7a65f2170a1eb56f44009d
SHA5123c67fadce973e74ac6b5af03accf655c863c2c5445cdcb06f954947847053c0116796a5786f6f2e0db42974950ced068cb26cd8d61f971e6d469b507c5ba12b9
-
Filesize
273KB
MD55730849eb052bd4101316c2f5611a0e5
SHA1c2c3281370939ecbf8be5e7860f8e9a917dc26c0
SHA256e883fa7f59e03330f417e03108e69508124fb6d44a7a65f2170a1eb56f44009d
SHA5123c67fadce973e74ac6b5af03accf655c863c2c5445cdcb06f954947847053c0116796a5786f6f2e0db42974950ced068cb26cd8d61f971e6d469b507c5ba12b9
-
Filesize
30.6MB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
30.6MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
30.6MB
-
Filesize
30.5MB
-
Filesize
1024KB
-
Filesize
108KB
-
Filesize
30.5MB
-
Filesize
1024KB
-
Filesize
30.5MB