Analysis
-
max time kernel
92s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10-04-2024 12:54
General
-
Target
9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe
-
Size
737KB
-
MD5
22840909e11530390e8f74c6a162ded1
-
SHA1
78d82f0ff396393e958553f25a47145916ea4e39
-
SHA256
9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e
-
SHA512
2a2214dc48b6942b19e439db189a9b2e7df6d91c26b24692fe370d552c70e828cb6d4ac344dc2fe36e08b0752e4ae8886f4d1f3f45970a65eaebae2d3069c130
-
SSDEEP
12288:tSQzdvYJ2Eao8pD3KamK4LMfjATKdyevFQZHX457m06BWu8Im3:IQzVYYe8B3qKkIjIKdyev6HIiNW9P
Score
10/10
Malware Config
Signatures
-
OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
-
OutSteel batch script 1 IoCs
Detects batch script dropped by OutSteel
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Program crash 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe"C:\Users\Admin\AppData\Local\Temp\9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e.exe"1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.doc" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.pdf" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.ppt" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.xl" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.csv" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.rtf" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.mdb" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.accdb" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.pot" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.pps" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.ppa" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.rar" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.zip" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.tar" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "f:\*.7z" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c start /min r.bat2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K r.bat3⤵
-
C:\Windows\SysWOW64\cmd.execmd /min /c del "C:\Users\Admin\AppData\Local\Temp\r.bat"4⤵
-
-
C:\Windows\SysWOW64\taskkill.exeTaskkill /IM cmd.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 20042⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4952 -ip 49521⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
256B
MD594fc7c014e50a09fdf04eeaa23c096de
SHA137c5bbf0678e876aff08d82c1db6bdbde38c937b
SHA256ca912e401fb1c5bf6deccf0cb5771fe34ba1b966468d3b9e8202a312a934348c
SHA5128a9b58845be4bf56341472dc3df978ceb46e0e34cc62a6171f9fb64e173db1125472eeccebc16c2951ae75fcae702d1955de77f13aa4514e7ab1f06903548712
-
Filesize
1024KB
-
Filesize
884KB
-
Filesize
19.9MB
-
Filesize
19.9MB
-
Filesize
884KB