Overview

overview

10

Static

static

3

!ŞetUp_55...$$.rar

windows7-x64

3

!ŞetUp_55...$$.rar

windows10-2004-x64

3

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

cutline.ppt

windows7-x64

1

cutline.ppt

windows10-2004-x64

1

d3dx9_43.dll

windows7-x64

1

d3dx9_43.dll

windows10-2004-x64

1

hrtfs/chro...1].exe

windows7-x64

hrtfs/chro...1].exe

windows10-2004-x64

libvlc.dll

windows7-x64

1

libvlc.dll

windows10-2004-x64

1

libvlccore.dll

windows7-x64

1

libvlccore.dll

windows10-2004-x64

1

parabrake.rpm

windows7-x64

3

parabrake.rpm

windows10-2004-x64

3

plugins/ac...in.dll

windows7-x64

1

plugins/ac...in.dll

windows10-2004-x64

1

plugins/ac...in.dll

windows7-x64

1

plugins/ac...in.dll

windows10-2004-x64

1

plugins/au...in.dll

windows7-x64

1

plugins/au...in.dll

windows10-2004-x64

1

plugins/au...in.dll

windows7-x64

1

plugins/au...in.dll

windows10-2004-x64

1

plugins/co...in.dll

windows7-x64

1

plugins/co...in.dll

windows10-2004-x64

1

plugins/co...in.dll

windows7-x64

1

plugins/co...in.dll

windows10-2004-x64

1

plugins/vi...in.dll

windows7-x64

1

plugins/vi...in.dll

windows10-2004-x64

1

plugins/vi...in.dll

windows7-x64

1

plugins/vi...in.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    67s
  • max time network
    50s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2024, 11:07

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    2.7MB

  • MD5

    870feaab725b148208dd12ffabe33f9d

  • SHA1

    9f3651ad5725848c880c24f8e749205a7e1e78c1

  • SHA256

    bbf7154f14d736f0c8491fb9fb44d2f179cdb02d34ab54c04466fa0702ea7d55

  • SHA512

    5bea301f85e6a55fd5730793b960442bc4dab92d0bf47e4e55c5490448a4a22ed6d0feb1dbe9d56d6b6ff8d06f163381807f83f467621f527bc6521857fc8e1a

  • SSDEEP

    49152:C11fbWXfBeBqTww8Gkfoa0yeL8zj9JLF+lP/MatsfHVnZbhG3EVsMI62Pseaj/1n:QbWkuwwjkULhlPUatsfBxhsE

Score
10/10
stealcpushkindiscoverypersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

stealc

Botnet

PUSHKIN

C2

https://safefiledownloadsoft.com

Attributes
  • url_path

    /725c63b56c99aa26.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 29 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Users\Admin\AppData\Local\Temp\TraceFmt.exe
        C:\Users\Admin\AppData\Local\Temp\TraceFmt.exe
        3⤵
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1200
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1340
          4⤵
          • Program crash
          PID:2416
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1200 -ip 1200
    1⤵
      PID:2464
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4892

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\TraceFmt.exe
            Filesize

            433KB

            MD5

            fea067901f48a5f1faf7ca3b373f1a8f

            SHA1

            e8abe0deb87de9fe3bb3a611234584e9a9b17cce

            SHA256

            bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

            SHA512

            07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\a1503dff
            Filesize

            1.3MB

            MD5

            af0c47910aeae40659b832657084010e

            SHA1

            4c48a7a7f1c8a1f26f5c71aa3629128fc8729de7

            SHA256

            cb0352e69e6d7ff69eb547a2a6d62724851c11b5bac686c47c6c68fc184380d0

            SHA512

            b5ed204df05a166ed50d2fea9fa7280b3ac2022b60c5902f0d2c27026d681c14d0bd9f971af037ee407c42909f14e31251869e92953de0b47a59b651bde31e47

            Download Submit

          • memory/1200-17-0x0000000000350000-0x000000000058D000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/1200-25-0x0000000000350000-0x000000000058D000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/1200-23-0x00000000008E5000-0x00000000008ED000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1200-24-0x00000000008A0000-0x000000000095A000-memory.dmp

            Filesize

            744KB

            Download

          • memory/1200-21-0x0000000000350000-0x000000000058D000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/1200-20-0x00007FFCB9910000-0x00007FFCB9B05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/2928-11-0x00007FFCB9910000-0x00007FFCB9B05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/2928-13-0x000000007427E000-0x0000000074280000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2928-14-0x0000000074271000-0x000000007427F000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2928-16-0x0000000074271000-0x000000007427F000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2928-9-0x0000000074271000-0x000000007427F000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2928-26-0x000000007427E000-0x0000000074280000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4420-0-0x0000000074270000-0x00000000743EB000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4420-7-0x0000000074270000-0x00000000743EB000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4420-6-0x0000000074270000-0x00000000743EB000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4420-5-0x0000000074282000-0x0000000074284000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4420-1-0x00007FFCB9910000-0x00007FFCB9B05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/4892-28-0x000001E68A770000-0x000001E68A771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4892-29-0x000001E68A770000-0x000001E68A771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4892-30-0x000001E68A770000-0x000001E68A771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4892-37-0x000001E68A770000-0x000001E68A771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4892-40-0x000001E68A770000-0x000001E68A771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4892-39-0x000001E68A770000-0x000001E68A771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4892-38-0x000001E68A770000-0x000001E68A771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4892-35-0x000001E68A770000-0x000001E68A771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4892-36-0x000001E68A770000-0x000001E68A771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4892-34-0x000001E68A770000-0x000001E68A771000-memory.dmp

            Filesize

            4KB

            Download