Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15-09-2024 01:33
Static task: static1
Behavioral task: behavioral1
- Sample: fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe
- Resource: win7-20240903-en
General
- Target: fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe
- Size: 4.1MB
- MD5: 7fa5c660d124162c405984d14042506f
- SHA1: 69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f
- SHA256: fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2
- SHA512: d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c
- SSDEEP: 98304:if7X0ZueTTPs6deIF+iHtcbBt2VSFjUCaZ:8bPeVdeIMiHmbeVS
Malware Config
Extracted
- Family: stealc
- Botnet: default
- C2: http://91.202.233.158
- url_path: /e96ea2db21fa9a1b.php
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
- pid: 2796, process: svchost015.exe
-
Loads dropped DLL (1 IoC)
Processes:
- pid: 2196, process: fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
- description: PID 2196 set thread context of 2796; pid: 2196; process: fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe; target process: svchost015.exe
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: svchost015.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (the following entry is recorded 9 times):
- description: PID 2196 wrote to memory of 2796; pid: 2196; process: fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe; target process: svchost015.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2196
   -
   2. C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2796
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize: 2.9MB
- MD5: b826dd92d78ea2526e465a34324ebeea
- SHA1: bf8a0093acfd2eb93c102e1a5745fb080575372e
- SHA256: 7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
- SHA512: 1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17