Analysis

max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 23-08-2024 02:07

Static task: static1

Behavioral task: behavioral1
Sample: 65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe
Resource: win10v2004-20240802-en
General

Target: 65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe
Size: 217KB
MD5: 65db2eb88c0efcfc9f58d8d7b47320a0
SHA1: f55df2d7ad79f6ac232cb1734c37ff97184f22fb
SHA256: 65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a
SHA512: b1117b8145b9496c5e98b0ed5ab368bd8109f199ddbf5aceca0bcab2c27a8a5212f1c04bb0e066bf20d56ed1f16e50273b1e18ebcf2b6aa9fb124620e9bb6e32
SSDEEP: 3072:FUcJWOKIpK3eTm+o21xroGhtypsch2wJYPPEV5g9Mo5yurTisSWWqwdASPF1CoIu:wqpcejo21doGssckZKsZQKTdyu0TCqEO
Malware Config

Extracted
Family: stealc
Botnet: default
C2: http://46.8.231.109
url_path: /c4754d4f680ead72.php
Signatures
Suspicious use of SetThreadContext (1 IoC)
Processes: 65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe

  description                          pid   process                                                                 target process
  PID 2852 set thread context of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe

Program crash (1 IoC)
Processes: WerFault.exe

  pid   pid_target  process       target process
  2644  2660        WerFault.exe  RegAsm.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes: 65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe, RegAsm.exe

  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe, RegAsm.exe

  description                       pid   process                                                                 target process
  PID 2852 wrote to memory of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe
  PID 2852 wrote to memory of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe
  PID 2852 wrote to memory of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe
  PID 2852 wrote to memory of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe
  PID 2852 wrote to memory of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe
  PID 2852 wrote to memory of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe
  PID 2852 wrote to memory of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe
  PID 2852 wrote to memory of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe
  PID 2852 wrote to memory of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe
  PID 2852 wrote to memory of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe
  PID 2852 wrote to memory of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe
  PID 2852 wrote to memory of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe
  PID 2852 wrote to memory of 2660  2852  65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe  RegAsm.exe
  PID 2660 wrote to memory of 2644  2660  RegAsm.exe                                                              WerFault.exe
  PID 2660 wrote to memory of 2644  2660  RegAsm.exe                                                              WerFault.exe
  PID 2660 wrote to memory of 2644  2660  RegAsm.exe                                                              WerFault.exe
  PID 2660 wrote to memory of 2644  2660  RegAsm.exe                                                              WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\65356ac76d8f957aae149b790e52305ea0b285fe157a1e438c4500abc9bb810a.exe"
   PID: 2852
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 2660
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 252
         PID: 2644
         - Program crash