Analysis

  • max time kernel
    147s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-06-2024 02:16

General

  • Target

    cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe

  • Size

    8.2MB

  • MD5

    5d297e4bcb36a4a1481c32fa7c0088a6

  • SHA1

    bf0947415396624d6dbd08469c490b30637ab7d7

  • SHA256

    cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e

  • SHA512

    2e124967d0833ac856758417ba61d2b316b6021fc50b36ad9cb5e7b9d33812bfcd9bb654ce2933132d691ca57fa276ea5556a7826317b2d3168372c401da3ca4

  • SSDEEP

    196608:kB+S/N8G+oHIpNKvhLozkAx6Dh1GxzCnCj8X9ehQTLrOfweA:kcgxDHIp8ozkAxzzIC7WTO6

Score
10/10

Malware Config

Extracted

Family

stealc

rc4.plain

Signatures

  • Detect Vidar Stealer 1 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Detects Windows executables referencing non-Windows User-Agents 1 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs
  • Detects executables containing potential Windows Defender anti-emulation checks 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe
    "C:\Users\Admin\AppData\Local\Temp\cd0f5fc05c89bdb7bb3f1bffb179eb8f2d0fc8758811587466a927cfb45bc30e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      2⤵
        PID:4676
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
        2⤵
          PID:4200
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
          2⤵
            PID:1692
          • C:\Windows\System32\svchost.exe
            "C:\Windows\System32\svchost.exe"
            2⤵
              PID:3212
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe"
              2⤵
                PID:3260
              • C:\Windows\System32\notepad.exe
                "C:\Windows\System32\notepad.exe"
                2⤵
                  PID:3564
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                  2⤵
                    PID:332
                  • C:\Windows\regedit.exe
                    "C:\Windows\regedit.exe"
                    2⤵
                    • Runs regedit.exe
                    PID:2888
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
                    2⤵
                      PID:3820
                    • C:\Program Files (x86)\Windows Mail\wab.exe
                      "C:\Program Files (x86)\Windows Mail\wab.exe"
                      2⤵
                        PID:4500
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                        2⤵
                          PID:1032
                        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                          2⤵
                          • Checks processor information in registry
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3700
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Program Files (x86)\Internet Explorer\iexplore.exe" & rd /s /q "C:\ProgramData\DGHDHIDGHIDG" & exit
                            3⤵
                              PID:3644
                              • C:\Windows\SysWOW64\timeout.exe
                                timeout /t 10
                                4⤵
                                • Delays execution with timeout.exe
                                PID:1904

                        Network

                        MITRE ATT&CK Matrix ATT&CK v13

                        Execution

                        Scripting

                        1
                        T1064

                        Defense Evasion

                        Scripting

                        1
                        T1064

                        Discovery

                        Query Registry

                        1
                        T1012

                        System Information Discovery

                        1
                        T1082

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/3700-0-0x0000000000400000-0x0000000000B4A000-memory.dmp
                          Filesize

                          7.3MB