Overview

overview

10

Static

static

3

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2024 10:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    286KB

  • MD5

    b577c47aa071b75634a4e10a2ca2f63b

  • SHA1

    1198c518490434915efc7fb368bf5d1259855975

  • SHA256

    8aef68cf6479e2e614efb16018250ccaf84ac50adaea39ba9554f934f2b6497e

  • SHA512

    97f18fb8da882c4d4296dc9e5a258586703cc13052908866160b793e5c844db15f9451d96513dbdfd7757affccb165b60787ac00fc69eefba5d57427562da022

  • SSDEEP

    3072:+myDA8/GeFlY8r+XNdnJSSnjshFTOM6fZFmZI5i+p1t0dj9X5cdA:ZlqQ4bv2Sm5xt0dj9Xi

Score
10/10
stealcdiscoveryspywarestealer

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3088
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCAEHJJKFC.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Users\Admin\AppData\Local\Temp\HCAEHJJKFC.exe
        "C:\Users\Admin\AppData\Local\Temp\HCAEHJJKFC.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4220
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HCAEHJJKFC.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4020
          • C:\Windows\SysWOW64\PING.EXE
            ping 2.2.2.2 -n 1 -w 3000
            5⤵
            • Runs ping.exe
            PID:720
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 2476
      2⤵
      • Program crash
      PID:3724
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3544 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:3
    1⤵
      PID:1568
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3088 -ip 3088
      1⤵
        PID:3832
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3524 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:2060

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Are.docx
          Filesize

          11KB

          MD5

          a33e5b189842c5867f46566bdbf7a095

          SHA1

          e1c06359f6a76da90d19e8fd95e79c832edb3196

          SHA256

          5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

          SHA512

          f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

          Download Submit

        • C:\ProgramData\mozglue.dll
          Filesize

          249KB

          MD5

          e6028ae272aa2046fd50cd6252177710

          SHA1

          0e3342f7087fcb8b30d4b099fc535452e6ece58a

          SHA256

          0a4a489f022dd86bdc5d2a7ef02105be9af6af9cfc4ab8d018eccbe53ff25e43

          SHA512

          21bf7f91bda4fab3b68dd8151a9e9246e9d53e09e48485ce3fc5d3905dc11ca933443ec575e54b76cb45cf02b1ada66231b3fad5acc2feaaaff5ef261e90adad

          Download Submit

        • C:\ProgramData\mozglue.dll
          Filesize

          593KB

          MD5

          c8fd9be83bc728cc04beffafc2907fe9

          SHA1

          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

          SHA256

          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

          SHA512

          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

          Download Submit

        • C:\ProgramData\nss3.dll
          Filesize

          2.0MB

          MD5

          1cc453cdf74f31e4d913ff9c10acdde2

          SHA1

          6e85eae544d6e965f15fa5c39700fa7202f3aafe

          SHA256

          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

          SHA512

          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
          Filesize

          2B

          MD5

          d751713988987e9331980363e24189ce

          SHA1

          97d170e1550eee4afc0af065b78cda302a97674c

          SHA256

          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

          SHA512

          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
          Filesize

          40B

          MD5

          20d4b8fa017a12a108c87f540836e250

          SHA1

          1ac617fac131262b6d3ce1f52f5907e31d5f6f00

          SHA256

          6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

          SHA512

          507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\HCAEHJJKFC.exe
          Filesize

          106KB

          MD5

          fe380780b5c35bd6d54541791151c2be

          SHA1

          7fe3a583cf91474c733f85cebf3c857682e269e1

          SHA256

          b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

          SHA512

          ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

          Download Submit

        • memory/3088-103-0x0000000000B20000-0x0000000000C20000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/3088-3-0x0000000000400000-0x0000000000AF1000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3088-2-0x0000000002850000-0x0000000002877000-memory.dmp

          Filesize

          156KB

          Download

        • memory/3088-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/3088-1-0x0000000000B20000-0x0000000000C20000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/3088-69-0x0000000000400000-0x0000000000AF1000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3088-107-0x0000000000400000-0x0000000000AF1000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3088-108-0x0000000002850000-0x0000000002877000-memory.dmp

          Filesize

          156KB

          Download

        • memory/4220-109-0x00000000729B0000-0x0000000073160000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4220-110-0x0000000000170000-0x0000000000190000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4220-111-0x0000000004B00000-0x0000000004B10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4220-115-0x00000000729B0000-0x0000000073160000-memory.dmp

          Filesize

          7.7MB

          Download