Analysis

max time kernel: 190s
max time network: 294s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04-02-2024 07:37

Static task: static1
Behavioral task: behavioral1
Sample: 3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe
Resource: win7-20231215-en
General

Target: 3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe
Size: 175KB
MD5: 2ff6ee1ef4ea7c63588e3c904e066cf4
SHA1: 85a5d659cdcdd358af7320a39dd129601b9e8c41
SHA256: 3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30
SHA512: 5d00ea2bbe6384e6f4375210f485b80e8109e4c578775d146423696ce8e6b4beac93d240df329ad443f0b03d13ec46cfdd06e80d52946f662263169fffdb6713
SSDEEP: 3072:NwLDaY5OIQfqCanVKeZccMBt1n/W77i5ftMwQx6TN45:uLDf5Yo3ZccMB3nAwQ7
Malware Config

Extracted
Family: stealc
C2: http://185.172.128.24
url_path: /40d570f44e84a454.php
Signatures

Downloads MZ/PE file

Loads dropped DLL (2 IoCs)
pid   Process
428   3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe
428   3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                        3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe

Delays execution with timeout.exe (1 IoC)
pid    Process
2824   timeout.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
428   3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe
428   3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid    Process                                                                  procid_target
PID 428 wrote to memory of 2232    428    3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe    75
PID 428 wrote to memory of 2232    428    3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe    75
PID 428 wrote to memory of 2232    428    3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe    75
PID 2232 wrote to memory of 2824   2232   cmd.exe                                                                  73
PID 2232 wrote to memory of 2824   2232   cmd.exe                                                                  73
PID 2232 wrote to memory of 2824   2232   cmd.exe                                                                  73
Processes

C:\Users\Admin\AppData\Local\Temp\3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe"
  PID: 428
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe" & del "C:\ProgramData\*.dll"" & exit
    PID: 2232
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout /t 5
      PID: 2824
      - Delays execution with timeout.exe
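The cmd.exe command line in the process tree is the sample's cleanup routine: it waits five seconds via timeout.exe, deletes its own executable from the Temp directory, and deletes every DLL under C:\ProgramData (the stray doubled quote after *.dll is in the captured command line as-is). The following is an added example written for this page, not sandbox output or code from the sample: it detects that delayed self-delete pattern over process-creation events. The events are constructed by hand from the PIDs, images and command lines in the report; the explorer.exe parent (PID 1000) and the benign control row (PID 3000) are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon EID 1 / EDR style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the report's process tree (428 -> 2232 -> 2824).
# PID 1000 (explorer.exe) and PID 3000 (benign control) are assumptions, not report data.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30.exe")
EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(428, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2232, 428, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\system32\\cmd.exe" /c timeout /t 5 & del /f /q "' + SAMPLE_EXE
              + '" & del "C:\\ProgramData\\*.dll"" & exit'),
    ProcEvent(2824, 2232, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 5"),
    # Benign control: same "timeout & del" idiom, but the file deleted is not the parent's image.
    ProcEvent(3000, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\report.tmp"'),
]

# "timeout /t 5" or "timeout 5": capture the delay in seconds.
DELAY_RE = re.compile(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", re.IGNORECASE)
# "del [/switches] <target>" up to the next '&' or end of line. The target may be quoted;
# '"*' tolerates the unbalanced quote seen in the sample ('*.dll"" & exit').
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w)*\s+"?([^"&]+?)"*\s*(?=&|$)', re.IGNORECASE)


@dataclass
class Finding:
    cmd_pid: int
    parent_pid: int
    parent_image: str
    delay_seconds: Optional[int]
    other_targets: List[str] = field(default_factory=list)


def detect_delayed_self_delete(events: List[ProcEvent]) -> List[Finding]:
    """Flag a cmd.exe child whose 'del' target is its own parent's image path.

    A bare timeout, or a del of some unrelated file, is routine admin activity and
    is not reported; the signal is the shell deleting the binary that spawned it.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        m = DELAY_RE.search(e.cmdline)
        delay = int(m.group(1)) if m else None
        targets = [t.strip() for t in DEL_RE.findall(e.cmdline)]
        own = parent.image.lower()
        if any(t.lower() == own for t in targets):
            others = [t for t in targets if t.lower() != own]
            findings.append(Finding(e.pid, parent.pid, parent.image, delay, others))
    return findings


if __name__ == "__main__":
    for f in detect_delayed_self_delete(EVENTS):
        print(f"cmd.exe PID {f.cmd_pid} deletes parent PID {f.parent_pid} "
              f"after {f.delay_seconds}s; also deletes {f.other_targets}")
```

Path comparison is by exact lowercase string; if the source has short (8.3) names or the parent was launched through a symlink, normalise both sides first. The secondary targets (here C:\ProgramData\*.dll) are worth keeping in the alert, since they point at where the sample staged the DLLs it loaded.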
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 11KB
MD5: a33e5b189842c5867f46566bdbf7a095
SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Filesize: 150KB
MD5: e2200df51b2a1c28a3174e4f9dfe487b
SHA1: 73e9339f187c22cff92e699fbc9d1e9d761ee80f
SHA256: 91c93fe1a0e521092f635da8438fceeed83c6f1e4bd6e6e839069b165e12f08a
SHA512: 3175946f88d4bb769af14fb64e21f27d8f13ece47c8c79680c748303467f9cb3db669912cb0b15276ba88939e22e001b28a5192c3d39ace9345f735ec779e9ff

Filesize: 110KB
MD5: 4433da2077d975207f170d052c6fe2d5
SHA1: dbbd21953017fb6e1ab50b0d8c1bb241b5c4cf7a
SHA256: 295d37b1e05d90337f1d95e69ccf7c17a5bf62481cd720cffd088e8f9620ffea
SHA512: 878a5d05fcf4b1e7446764dbedc5be58ce831557e11aa55399f7cae8e6d166c8627babcf85a434d0dab8594772c6629f90d0c305f12238add318f8c09d0af984

Filesize: 98KB
MD5: ea17bdbc1d962080975e82f5a805f53a
SHA1: 3bbcfca796ded835bf7807f495a19ebd94ceccc4
SHA256: ee3457d1021ac42f683efd824792dcbbc077726835f75f6adfe70f6a0797be76
SHA512: 75de4d75ff95eeb6f02d34d3e9d86da3c983e1186d202540a6a06d9a97f005db11a378cd761068be247094998ae978719307d33bc3ba4cff2a7c75b94b8f0ecd
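The four downloaded files are identified here only by size and digest, and the cleanup command in the process tree removes DLLs from C:\ProgramData before most responders would look. The following added example (written for this page, not part of the report or of any tool it was produced with) sweeps a directory tree, hashes every file once with all four algorithms, and reports matches against the SHA256 and MD5 values transcribed from this report; the submitted sample's own hashes from the General section are included so the same sweep also finds the dropper. The default scan root is an assumption.

```python
import hashlib
import os
from typing import Dict, Iterator, Optional, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Indicators transcribed from this report: SHA256 -> label.
# First row is the submitted sample (General); the rest are the Downloads section.
IOC_SHA256 = {
    "3ff61ca2f5d065e7b09031ba27eb2a7e4000359d75a788245f12fcf6bba0ae30": "submitted sample, 175KB",
    "5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454": "download, 11KB",
    "91c93fe1a0e521092f635da8438fceeed83c6f1e4bd6e6e839069b165e12f08a": "download, 150KB",
    "295d37b1e05d90337f1d95e69ccf7c17a5bf62481cd720cffd088e8f9620ffea": "download, 110KB",
    "ee3457d1021ac42f683efd824792dcbbc077726835f75f6adfe70f6a0797be76": "download, 98KB",
}
# The same files by MD5, for telemetry that records only MD5.
IOC_MD5 = {
    "2ff6ee1ef4ea7c63588e3c904e066cf4": "submitted sample, 175KB",
    "a33e5b189842c5867f46566bdbf7a095": "download, 11KB",
    "e2200df51b2a1c28a3174e4f9dfe487b": "download, 150KB",
    "4433da2077d975207f170d052c6fe2d5": "download, 110KB",
    "ea17bdbc1d962080975e82f5a805f53a": "download, 98KB",
}


def digests_bytes(data: bytes) -> Dict[str, str]:
    """All four digests of an in-memory buffer (used for small files and tests)."""
    return {n: hashlib.new(n, data).hexdigest() for n in ALGOS}


def digests_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """All four digests of a file, read once in 1 MiB chunks so large files do not load into RAM."""
    hs = {n: hashlib.new(n) for n in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hs.items()}


def match_ioc(d: Dict[str, str]) -> Optional[str]:
    """Return the indicator label for a digest set, or None. SHA256 is checked before MD5."""
    return IOC_SHA256.get(d.get("sha256", "")) or IOC_MD5.get(d.get("md5", ""))


def scan(root: str) -> Iterator[Tuple[str, str, Dict[str, str]]]:
    """Walk root and yield (path, label, digests) for each file matching an indicator.

    Files that cannot be opened (locked by a running process, access denied) are skipped
    rather than aborting the sweep, since a stealer's dropped DLLs may still be mapped.
    """
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                d = digests_file(path)
            except OSError:
                continue
            label = match_ioc(d)
            if label:
                yield path, label, d


if __name__ == "__main__":
    import sys
    # Assumed default: the drop directory the sample's cleanup command targets.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\ProgramData"
    for path, label, d in scan(root):
        print(f"{path}\n  {label}\n  sha256={d['sha256']}")
```

Run it against the Temp directory of the affected profile as well as C:\ProgramData, and against any forensic image mounted read-only; on a live host the self-delete means the 175KB dropper is usually gone and only the DLLs, if the second del failed, remain.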