Analysis Overview
SHA256
46ed6a8df27da6eeb92298a77ec1162e6e67884e7f07020b23c06137768506ae
Threat Level: Known bad
The file 46ed6a8df27da6eeb92298a77ec1162e6e67884e7f07020b23c06137768506ae.exe was found to be: Known bad.
Malicious Activity Summary
Stealc
Executes dropped EXE
Checks installed software on the system
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-21 01:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 01:14
Reported
2024-06-21 01:16
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\46ed6a8df27da6eeb92298a77ec1162e6e67884e7f07020b23c06137768506ae.exe
"C:\Users\Admin\AppData\Local\Temp\46ed6a8df27da6eeb92298a77ec1162e6e67884e7f07020b23c06137768506ae.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 01:14
Reported
2024-06-21 01:16
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Stealc
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴 | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2620 set thread context of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\46ed6a8df27da6eeb92298a77ec1162e6e67884e7f07020b23c06137768506ae.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴 |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴 |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴 | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴 | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴 | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\46ed6a8df27da6eeb92298a77ec1162e6e67884e7f07020b23c06137768506ae.exe
"C:\Users\Admin\AppData\Local\Temp\46ed6a8df27da6eeb92298a77ec1162e6e67884e7f07020b23c06137768506ae.exe"
C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
"C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1212 -ip 1212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 800
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 23.53.113.159:80 | | tcp |
| RU | 5.42.104.211:80 | | tcp |
| RU | 5.42.104.211:80 | | tcp |
| RU | 5.42.104.211:80 | | tcp |
| RU | 5.42.104.211:80 | | tcp |
| RU | 5.42.104.211:80 | | tcp |
| RU | 5.42.104.211:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\㜴䘸㐷㡑㡑䝺兺圴
| Hash | Value |
|---|---|
| MD5 | 3992f464696b0eeff236aef93b1fdbd5 |
| SHA1 | 8dddabaea6b342efc4f5b244420a0af055ae691e |
| SHA256 | 0d1a8457014f2eb2563a91d1509dba38f6c418fedf5f241d8579d15a93e40e14 |
| SHA512 | 27a63b43dc50faf4d9b06e10daa15e83dfb3f3be1bd3af83ea6990bd8ae6d3a6a7fc2f928822db972aaf1305970f4587d768d68cd7e1124bc8f710c1d3ee19a6 |
memory/1212-6-0x0000000000400000-0x000000000063C000-memory.dmp
memory/1212-7-0x0000000000400000-0x000000000063C000-memory.dmp
memory/1212-2-0x0000000000400000-0x000000000063C000-memory.dmp
memory/1212-8-0x0000000000400000-0x000000000063C000-memory.dmp
memory/1212-9-0x0000000000400000-0x000000000063C000-memory.dmp