Analysis

  • max time kernel
    299s
  • max time network
    295s
  • platform
    windows10-1703_x64
  • resource
    win10-20231023-en
  • resource tags

    arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10/12/2023, 22:35

General

  • Target

    920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe

  • Size

    2.3MB

  • MD5

    9277e82030f3f80d2acb91ca8a2e21bb

  • SHA1

    ea7e13d61fec22537017c241236a418bac2030e1

  • SHA256

    920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791

  • SHA512

    6333271a3e1ee84d0d0038c189c326832dabb4f1a4d1e3f8b63b367ff3ee3409d5b386da47ac40a3e6606a0ed69d1d06dccbc32308dc13da243e79e9d360b701

  • SSDEEP

    49152:7L2s5FXQ4EmojLjCRELVf7Avil+dHIsLp1thIikN+6u2hs8:7pzX71oDCRAZUviAHImDqia7hs8

Malware Config

Extracted

Family

stealc

C2

http://77.91.76.36

Attributes
  • url_path

    /3886d2276f6914c4.php

rc4.plain

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
    "C:\Users\Admin\AppData\Local\Temp\920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3848
    • C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3528
    • C:\Users\Admin\AppData\Local\Temp\nsr2EEE.tmp.exe
      C:\Users\Admin\AppData\Local\Temp\nsr2EEE.tmp.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsr2EEE.tmp.exe" & del "C:\ProgramData\*.dll"" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:64
  • C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    1⤵
    • Delays execution with timeout.exe
    PID:3208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Are.docx

    Filesize

    11KB

    MD5

    a33e5b189842c5867f46566bdbf7a095

    SHA1

    e1c06359f6a76da90d19e8fd95e79c832edb3196

    SHA256

    5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

    SHA512

    f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

  • C:\ProgramData\mozglue.dll

    Filesize

    301KB

    MD5

    31d94817d53eb8e6cf696b62708d2ac3

    SHA1

    221c6d910b6a37b201e675d4e8109ac3c717189f

    SHA256

    b31b07e67bfa6ea31aaeeb458f020d5f99a38b3db975dcb6219768c565f4067c

    SHA512

    def2ba5aa97b8d68cd2b22e2eb405b6b4f459c6ebd3afb0d3dbf4647a6d0b0c20ecbbc46211a161c56dc0fd9e3051e5f5de36e65a26db89caa8ae9ded073ae51

  • C:\Users\Admin\AppData\Local\Temp\Broom.exe

    Filesize

    5.3MB

    MD5

    00e93456aa5bcf9f60f84b0c0760a212

    SHA1

    6096890893116e75bd46fea0b8c3921ceb33f57d

    SHA256

    ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

    SHA512

    abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

  • C:\Users\Admin\AppData\Local\Temp\nsr2EEE.tmp.exe

    Filesize

    334KB

    MD5

    580930ca34bb39e081064bab11f16a97

    SHA1

    75afd6b341a833ebec15116da3672b203f81d067

    SHA256

    aaa8d75cc5a3aadf9d4d3c2c9f45217c85db2804bb9ec7a718319ad80311baf9

    SHA512

    2d0e4935a7ccacedb6a4a95077d3658aca1913da001cbb55d3756f3e581d5e2164d136241f86d91828099d8b3c882a68fee34478e041831c1ec9d9d5e1eb75ed

  • \ProgramData\mozglue.dll

    Filesize

    368KB

    MD5

    7e55d6f45330c77e48672a138c0c813a

    SHA1

    5313c2776bd31d2859d032ff0b8ad4d4b3563409

    SHA256

    26ae134b4dd0f458eaa20fdfe0a722e34584eef7a620881f03d5d19046242452

    SHA512

    ae5e185b54dad23c25a0749390f8da675d9ec752b8292bc8b131c03fbaf57ef2bae27da3d80f727309de48bc72a4faec8bf0e2150c3df48ff5cfdb985f0e8b84

  • \ProgramData\nss3.dll

    Filesize

    297KB

    MD5

    c5f2b221c9c74068eadf9e315981059d

    SHA1

    9414d3b2bbf48bc3ed589c06647e456892d1ce5c

    SHA256

    a9a491d5acc79a6b1b718d3325341d711ac86e3edbf3f08c9f5ee52b56673c8b

    SHA512

    09b619f2b719099cb3bdace79c2d9ab648c2d884203d753c9120ca91b6360068c2f6f756bfa6d65502bb9b3e03d1ee068fb2df0d8ec16a6cfc1c7d8dbe3f5ace

  • \Users\Admin\AppData\Local\Temp\nszD1B9.tmp\INetC.dll

    Filesize

    25KB

    MD5

    40d7eca32b2f4d29db98715dd45bfac5

    SHA1

    124df3f617f562e46095776454e1c0c7bb791cc7

    SHA256

    85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

    SHA512

    5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

  • memory/2952-31-0x0000000000400000-0x0000000000BB0000-memory.dmp

    Filesize

    7.7MB

  • memory/2952-29-0x0000000000C30000-0x0000000000D30000-memory.dmp

    Filesize

    1024KB

  • memory/2952-32-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB

  • memory/2952-30-0x00000000027A0000-0x00000000027BC000-memory.dmp

    Filesize

    112KB

  • memory/2952-94-0x0000000000400000-0x0000000000BB0000-memory.dmp

    Filesize

    7.7MB

  • memory/2952-108-0x0000000000400000-0x0000000000BB0000-memory.dmp

    Filesize

    7.7MB

  • memory/2952-114-0x0000000000C30000-0x0000000000D30000-memory.dmp

    Filesize

    1024KB

  • memory/2952-115-0x0000000000400000-0x0000000000BB0000-memory.dmp

    Filesize

    7.7MB

  • memory/2952-116-0x0000000000400000-0x0000000000BB0000-memory.dmp

    Filesize

    7.7MB

  • memory/3528-18-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

    Filesize

    4KB

  • memory/3528-8-0x0000000000400000-0x0000000000965000-memory.dmp

    Filesize

    5.4MB

  • memory/3528-7-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

    Filesize

    4KB