Analysis
-
max time kernel
92s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05-08-2024 05:55
Behavioral task
behavioral1
Sample
updateload.exe
Resource
win10v2004-20240802-en
General
-
Target
updateload.exe
-
Size
3.1MB
-
MD5
4c5dbf388f5de761e45f268186f8be27
-
SHA1
918b198ad13af4c52b4518ff22a2a032e86e3679
-
SHA256
92a218b4b6cbd696cb07698a2da0fc8578ad1f966a88509e25db827fe85a2920
-
SHA512
4f9331107ec172cd3caa767a2af3e9f18e85ccf71b725be4bfbb0e83dcaf40d8e10581531a709227a6135efae8531a9d55bc22b32c0a8eaafdd8adc4c736dc94
-
SSDEEP
49152:DUvC/MTQYNsWy9aRV0NmZfClF/sKkTUD6CsRBJgsoDDeA:IjTQYNsWy6FClFUKkwWRBSpDDeA
Malware Config
Extracted
stealc
meowsterioland4
http://45.152.112.131
-
url_path
/8ee66a3c8f19e4b5.php
Signatures
-
Detects HijackLoader (aka IDAT Loader) 1 IoCs
resource yara_rule behavioral1/memory/4228-0-0x0000000000290000-0x00000000005A2000-memory.dmp family_hijackloader -
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
pid Process 3944 cmd.exe -
Loads dropped DLL 2 IoCs
pid Process 4612 explorer.exe 4612 explorer.exe -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/4228-0-0x0000000000290000-0x00000000005A2000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4228 set thread context of 3944 4228 updateload.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language updateload.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4228 updateload.exe 4228 updateload.exe 3944 cmd.exe 3944 cmd.exe 4612 explorer.exe 4612 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 4228 updateload.exe 3944 cmd.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4228 updateload.exe 4228 updateload.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 4228 updateload.exe 4228 updateload.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4228 wrote to memory of 3944 4228 updateload.exe 86 PID 4228 wrote to memory of 3944 4228 updateload.exe 86 PID 4228 wrote to memory of 3944 4228 updateload.exe 86 PID 4228 wrote to memory of 3944 4228 updateload.exe 86 PID 3944 wrote to memory of 4612 3944 cmd.exe 89 PID 3944 wrote to memory of 4612 3944 cmd.exe 89 PID 3944 wrote to memory of 4612 3944 cmd.exe 89 PID 3944 wrote to memory of 4612 3944 cmd.exe 89 PID 3944 wrote to memory of 4612 3944 cmd.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\updateload.exe"C:\Users\Admin\AppData\Local\Temp\updateload.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4612
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
904KB
MD59452c19e078528a137d9c84d1893020d
SHA1fb48382c82a1d59086ffa834946614525b78e504
SHA256d30058da5e61f38e278e78d244a337a6bbd48d73574510cdd74b39da7d10c68a
SHA512b46085158359aab656075843c9fe4faf94274c80c47fc8a9ec451e88dd9fbc3c8c0baa97c386b3cd5f74ba95ea1ef72e9059601593f7137f63aac2ee0e1717c8