Analysis
-
max time kernel
138s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
10-07-2024 17:18
General
-
Target
cstealer.pyc
-
Size
75KB
-
MD5
44d80709f492610a377eafff857aa413
-
SHA1
91e53c38437797bd7e0ae5bb45a3e03144c4ec21
-
SHA256
2312b7c1b6704e66d44d44971fed7492d2fa9655009e3cc00c6a7a79e59d8c53
-
SHA512
b3b42555de7648aa4a1d6dfc94ae0503964913af7baa9528b623e5f9991a560734d43b9c88608a3cca5f13c507debfd4711951230d2932933d981b7c0b31f0d0
-
SSDEEP
1536:DvIiOtbI3vkwsJlYaa2Is8qRai+jjV6P4grrRheEX:DvQ29t2Is8HdgP4grrRnX
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\cstealer.pyc"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\cstealer.pyc3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {263665be-0bb8-441e-a4cf-0279c08017e2} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2328 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6eb6bd7-df4b-432e-ac4c-1023e6227350} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3324 -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3296 -prefsLen 26816 -prefMapSize 244658 -jsInitHandle 960 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8231007-a1a0-44a8-b8b0-0deef646215b} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3176 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 2660 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 960 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04d61890-77a0-4a5e-9a5e-bc01ccf0f639} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 5012 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d97a194-ea89-4aed-bc65-a45e1955886f} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" utility4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 960 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfd95e43-8462-4a16-bcae-cba0124d1708} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 4 -isForBrowser -prefsHandle 5320 -prefMapHandle 5324 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 960 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79b66f2a-96a7-42b9-ad34-4cad24a73371} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 5 -isForBrowser -prefsHandle 5668 -prefMapHandle 5672 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 960 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82cf8afb-1ab9-4e70-a082-251fe5560dd9} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab4⤵
-
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\cstealer.pyc"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\cstealer.pyc2⤵
- Checks processor information in registry
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18KB
MD5a8a8580b712420a1ae2ac968e65f085b
SHA12776b20f877f376a59191d92433d23dae1437dba
SHA256ee2542957d75f66a8c47f3102a3afe414d49067f0dbbc9fa11928e5c7aa8628a
SHA5120b380e7cf44f85650d2f657b1bb4a4b6eb592139819315650f9a46c6b3adedc3e90ff5020581106c6a7039306b578b38d8f1b87988512d84e70e9571ee4b2b70
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
8KB
MD59ced19ff6abc765eb7d7367943029854
SHA18369f4311ec18763dc6ae96f3ec166755ea2489d
SHA256cdbf3a88566ede978dc984f093a8260cf992501b306d936ff17ebf16d73d790b
SHA512a37b965905645daf54c27e49fd55f039dea146984f632f352d41b5ca31d8cecaeec848ee6b4660a651f6bae8687a5a991744ba35358fb5b1457b2b615fc85e4e
-
Filesize
6KB
MD5d906a25f1803e0344d2c6c724086b958
SHA1b7344afec2ae67956388f7c45448870c34552a18
SHA256bde873b0c4abf6f2d91ef4808fdd933f0fbd7fa2da94e04566e8fee0ea1c101d
SHA51201853b46771a66855ae032926666f4caab2bf96a07e50e52c1ad3e3ff0f9b8dea01a4f3baa2710ed818d608f0d7e153b46d60c0933545bb556d575bc1c635251
-
Filesize
22KB
MD52728c6696f8ca1c2e93871fd995cda01
SHA17c7cba260bfea62238f334477c6002d6df934cb5
SHA2566d29b692b5023ba7999f9cea93c35394ef19fe339f2965eb15c339643f2add89
SHA5122cdbb568ddb225d7e4367b3442e45c31401ebc4dbc5fda53e467c035a86f707a269e6c6306aaccf096ebaeaf27efb87f4eb9143022b9e9d692cfcc909a1f6548
-
Filesize
5KB
MD502caf1463e5a1a1e9f6158b4d249680c
SHA122dcf57ef3f5530ecc3c819de9bcb5e0485e9c1f
SHA2561a41ccf52bbbbd19bc15f1be393c56cfd916c7eada59e2314124105138a9e133
SHA51264c324fee5dfce765bf5cd6814b5d9af750af839690f7b6cdf7e1222f506327cf27cd988d5cfeccf68070d428eb687807112c8ba8ec1500c912213c0d93fcc2e
-
Filesize
5KB
MD5ec7ac05dc87d6726ef00ff327e674e49
SHA108ef5f2329776431586139ba82f9aec9bd2475e2
SHA256a5d1db7b017d0d22761bfa996bbb4e26b4ea5b5cefc9fcf048659ae085a58bf6
SHA512d751f00672b2f3a4156f8375f068ff1b419be2e3f9c7a7763d8ba97ca700699c2a861f2d96614598b0c632d84661233db00f032f42c3f8d975026ff625e86a02
-
Filesize
26KB
MD5e13c2ea876ef2ffc9e5029f6a4c65a73
SHA16cb7de898e8019c7ae0553f24c0fa8133a336e1f
SHA25656251f6f5e11710c113c9bc4a96e0fd454a6b04deb8bcdcde175f0cd20f1d507
SHA51215cac6c15cba27b2375af3fbd56a018356e14950112a22a28478b6a2668b71a2f3e7f364c3eb9e2b4986f97c8c7dd67d4855ae336fb7a04e33d51bd10fb0914a
-
Filesize
982B
MD5224247d27535a716c40e0bd5975e388d
SHA145f40a81ed80156288793151a15b548b69583357
SHA2562d1035d493b3dfdaa57199556262c6efcb6048c7a2bd587dc913fb248520fe4d
SHA5121cfbfec03ee2e45438572da15cc0a781bb9213cb88da4c0846ddf86f8f107605957ad456f97592d5b2360294215d40d0afa587f28a2ef9392839dbccfe605245
-
Filesize
671B
MD558ef48a38a445fc72b389a3bf5d13a0f
SHA13969945ef5df270434e273ed83c6b366750ba69b
SHA25629b9c7427920b28bd5c987f6b1edf102d7ca009f892428059c048b2ef564fcfd
SHA51258259dd3a9d7bd212dac3a1e5c2613e0da09425a2d007aa96cffb2fed2da008c2c6f3c1580a1c74686b41b6b014721260f84e14054b63e794896cb294c4ff93d
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5492a34c22b4c027a08bf307995145481
SHA1b85c6095d6961c8ae7c0ab3f0a1c7238fe919cbd
SHA2562459d8b83dccc2e10941b79a2a5a083fb57c361fc205d196d0b7ff6548805f0a
SHA512fbddd9e2b58a81f6bbdca759c62a2ea35e29e568ae8132d768347d1fd53fb96b8cba45b0150d30a10886f603278f7dd6098fd60290aedb70dc176a0cb9629acd
-
Filesize
1KB
MD517ba153e2e67c6bb586050fb9c520091
SHA1c7ff4bedfefc629e59845b1a9ea9cf8bbe0676e4
SHA256a03411c79076ce4133005dc5b879cf491589e983933b356be839a01fd499734c
SHA51248e6e59a533cfb714587e0b34123adc76af0e10854bd457e5817895158600f6257dc1d1045d50e60aabe45d6f90aee19a6e2cfaa96a6abb1753b00f841c5d479
-
Filesize
75KB
MD544d80709f492610a377eafff857aa413
SHA191e53c38437797bd7e0ae5bb45a3e03144c4ec21
SHA2562312b7c1b6704e66d44d44971fed7492d2fa9655009e3cc00c6a7a79e59d8c53
SHA512b3b42555de7648aa4a1d6dfc94ae0503964913af7baa9528b623e5f9991a560734d43b9c88608a3cca5f13c507debfd4711951230d2932933d981b7c0b31f0d0