Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
05/06/2024, 17:30
Static task
static1
Behavioral task
behavioral1
Sample
cstealer.py
Resource
win7-20240221-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
cstealer.py
Resource
win10v2004-20240226-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
cstealer.py
-
Size
55KB
-
MD5
894d1bc6bf8695cced5c554916bf4114
-
SHA1
c86fb2540150ea1e7feea1a697ac310c848cc5b0
-
SHA256
d307bc5c3565c2dc77b4c0ca03338fb1ca0a49fda9849969f8e7571ab23652b5
-
SHA512
6b13d48d2e31d74f39a6d94bf241585edd96a4be3b240e6628dbce4740856bc1f3462e8095d61790a5ff01e987af2cf45d719b06c8fc3d8b336ba61c60eabbeb
-
SSDEEP
1536:dTjwFKWGs8SMApj48b9tTLCUDJ9JN18KTI6+y:dRswKj48b9lLDJ9N8KTR
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2660 rundll32.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2872 wrote to memory of 2660 2872 cmd.exe 29 PID 2872 wrote to memory of 2660 2872 cmd.exe 29 PID 2872 wrote to memory of 2660 2872 cmd.exe 29
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.py1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cstealer.py2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2660
-