Malware Analysis Report

2024-09-22 06:59

Sample ID 240620-t38hbs1flm
Target 3D808F3A657C3DB4BDFF5F4F60121711.exe
SHA256 46ed6a8df27da6eeb92298a77ec1162e6e67884e7f07020b23c06137768506ae
Tags
stealc default discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

46ed6a8df27da6eeb92298a77ec1162e6e67884e7f07020b23c06137768506ae

Threat Level: Known bad

The file 3D808F3A657C3DB4BDFF5F4F60121711.exe was found to be: Known bad.

Malicious Activity Summary

stealc default discovery stealer

Stealc

Executes dropped EXE

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 16:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 16:36

Reported

2024-06-20 16:38

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe

"C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 16:36

Reported

2024-06-20 16:38

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe"

Signatures

Stealc

stealer stealc

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴 | N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3392 set thread context of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴 | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴 | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴 | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴 | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
PID 3392 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴

Processes

C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe

"C:\Users\Admin\AppData\Local\Temp\3D808F3A657C3DB4BDFF5F4F60121711.exe"

C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴

"C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2192 -ip 2192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 1304

Network

Country | Destination | Domain | Proto
RU | 5.42.104.211:80 | | tcp
RU | 5.42.104.211:80 | | tcp
RU | 5.42.104.211:80 | | tcp
RU | 5.42.104.211:80 | | tcp
RU | 5.42.104.211:80 | | tcp
RU | 5.42.104.211:80 | | tcp

Files

memory/2192-2-0x0000000000400000-0x000000000063C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴

MD5 3992f464696b0eeff236aef93b1fdbd5
SHA1 8dddabaea6b342efc4f5b244420a0af055ae691e
SHA256 0d1a8457014f2eb2563a91d1509dba38f6c418fedf5f241d8579d15a93e40e14
SHA512 27a63b43dc50faf4d9b06e10daa15e83dfb3f3be1bd3af83ea6990bd8ae6d3a6a7fc2f928822db972aaf1305970f4587d768d68cd7e1124bc8f710c1d3ee19a6

memory/2192-6-0x0000000000400000-0x000000000063C000-memory.dmp

memory/2192-7-0x0000000000400000-0x000000000063C000-memory.dmp

memory/2192-8-0x0000000000400000-0x000000000063C000-memory.dmp

memory/2192-9-0x0000000000400000-0x000000000063C000-memory.dmp