Overview

overview

10

Static

static

1

cb4a93864a...f1.exe

windows7-x64

10

cb4a93864a...f1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 14:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe

  • Size

    598KB

  • MD5

    e0ca9d7fdf345af474332533ee50dfb6

  • SHA1

    303f5df8841a33886413435a61809d338a66639b

  • SHA256

    cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1

  • SHA512

    93d04456ca2915ed7cbfe8058b4283198cd9851e73dd4d2e2271889be622c3aa498506cb7ceef63d0eb1243d9987373fe47f0f579e96c03a6a3e5f5321f9d616

  • SSDEEP

    12288:jN2vXjWMzp7E9Yy+PIPx2TQ1RABd89XBJm3QXNOZJxRYE601YlPmOU8L:jgrh7E6r5Q7AaJBo3QXerYfe0

Score
10/10
outsteelspywarestealer

Malware Config

Signatures

  • OutSteel

    OutSteel is a file uploader and document stealer written in AutoIT.

    stealeroutsteel
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 21 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
    "C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:424
    • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
      C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
      2⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
        3⤵
          PID:4488
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
          3⤵
            PID:1144
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
            3⤵
              PID:1976
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
              3⤵
                PID:560
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
                3⤵
                  PID:1440
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
                  3⤵
                    PID:432
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
                    3⤵
                      PID:1928
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
                      3⤵
                        PID:4104
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
                        3⤵
                          PID:4060
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
                          3⤵
                            PID:1104
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
                            3⤵
                              PID:3340
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
                              3⤵
                                PID:4748
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
                                3⤵
                                  PID:4480
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
                                  3⤵
                                    PID:2184
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
                                    3⤵
                                      PID:1176
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
                                      3⤵
                                        PID:4196
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
                                        3⤵
                                          PID:852
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
                                          3⤵
                                            PID:4604

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • memory/424-13-0x0000000075250000-0x0000000075A00000-memory.dmp

                                        Filesize

                                        7.7MB

                                        Download

                                      • memory/424-1-0x0000000075250000-0x0000000075A00000-memory.dmp

                                        Filesize

                                        7.7MB

                                        Download

                                      • memory/424-2-0x0000000007BE0000-0x0000000008184000-memory.dmp

                                        Filesize

                                        5.6MB

                                        Download

                                      • memory/424-3-0x0000000007710000-0x00000000077A2000-memory.dmp

                                        Filesize

                                        584KB

                                        Download

                                      • memory/424-4-0x0000000007960000-0x0000000007970000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/424-5-0x0000000002B40000-0x0000000002B4A000-memory.dmp

                                        Filesize

                                        40KB

                                        Download

                                      • memory/424-6-0x0000000007970000-0x00000000079E6000-memory.dmp

                                        Filesize

                                        472KB

                                        Download

                                      • memory/424-7-0x00000000076F0000-0x000000000770E000-memory.dmp

                                        Filesize

                                        120KB

                                        Download

                                      • memory/424-8-0x0000000007900000-0x0000000007910000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/424-0-0x00000000007B0000-0x000000000084A000-memory.dmp

                                        Filesize

                                        616KB

                                        Download

                                      • memory/1552-15-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-45-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-11-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-14-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-9-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-21-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-29-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-33-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-34-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-37-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-41-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-12-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-49-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-50-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-53-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-57-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-66-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-65-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-69-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-73-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download

                                      • memory/1552-87-0x0000000000400000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        904KB

                                        Download