Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    01/10/2024, 06:02

General

  • Target

    66fad513a308f_SubstituteAgain1.exe

  • Size

    1.2MB

  • MD5

    35bab7028aa376556c3236b773506a9b

  • SHA1

    91a480da0fa5f785c3e4876f61d7c0ce54ac6752

  • SHA256

    3a03ef1bf1d9c906bbfbe60e96c21cc950d84695b1f0fe23ca6c0c12cbe0f97e

  • SHA512

    8fabd6c065da7ed6d056dcfd08567e0f96d9e077c987e8337b0803427229999f03c6428d6eaf416fd104ea344a78a533331e59ed5893e6fd4b38a5d9bcc8ecb7

  • SSDEEP

    24576:doP4FOo7B8Zbizh4H1voG+GBnh/AzWXWmPGuI:4CTiZblVvP/Az1mPGuI

Malware Config

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files on disk.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66fad513a308f_SubstituteAgain1.exe
    "C:\Users\Admin\AppData\Local\Temp\66fad513a308f_SubstituteAgain1.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Tough Tough.bat & Tough.bat
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2528
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1908
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2728
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 550360
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2900
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "RatesWarningMouseLake" Contribute
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2872
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Cookies + ..\Nor + ..\Fence + ..\Interactions + ..\Doctor + ..\Monitoring t
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2960
      • C:\Users\Admin\AppData\Local\Temp\550360\Cal.pif
        Cal.pif t
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DocumentsFIEHDBGDHD.exe"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1764
          • C:\Users\Admin\DocumentsFIEHDBGDHD.exe
            "C:\Users\Admin\DocumentsFIEHDBGDHD.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2848
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\DocumentsFIEHDBGDHD.exe
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Suspicious use of WriteProcessMemory
              PID:3008
              • C:\Windows\SysWOW64\PING.EXE
                ping 2.2.2.2 -n 1 -w 3000
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2276
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2756
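
The tree above is a recognisable cmd.exe dropper chain: a dropped file is renamed to .bat and run, tasklist output is grepped for security-product process names (wrsa, opssvc, avastui, avgui, bdservicehost, nswscsvc and sophoshealth correspond to Webroot, Quick Heal, Avast, AVG, Bitdefender, Norton and Sophos components), a payload is rebuilt from six chunks with copy /b, a .pif is executed out of Temp, and finally ping is used as a sleep before the dropped EXE deletes itself. The detection logic below is an added example, not part of the sandbox report. It runs over process-creation records constructed from the PIDs and command lines shown above; the record fields (pid, ppid, image, cmdline) are an assumed schema, not a real log format, and the page does not say what Cal.pif is, so the .pif rule flags only where it ran from.

```python
"""Detection logic for the cmd.exe dropper chain in the process tree above.

Added example, not part of the sandbox report. EVENTS is constructed from the
PIDs and command lines in the tree; the (pid, ppid, image, cmdline) schema is
an assumption. PID 2148's parent is not shown, so 0 is used as a placeholder.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Security-product process names the dropper greps for in the findstr lines.
AV_PROCESS_NAMES = frozenset({"wrsa", "opssvc", "avastui", "avgui",
                              "bdservicehost", "nswscsvc", "sophoshealth"})

_RENAME_RUN = re.compile(r"\bmove\s+\S+\s+(\S+\.bat)\s*&\s*(\S+\.bat)", re.I)
_COPY_B = re.compile(r"\bcopy\s+/b\s+(.+?)\s+(\S+)\s*$", re.I)
_PING_DEL = re.compile(r"\bping\b.*?&\s*del\s+\"?([^\"&]+?)\"?\s*$", re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: list[ProcEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in events:
        base, cmd = _base(e.image), e.cmdline
        siblings = [s for s in events if s.ppid == e.ppid and s.pid != e.pid]

        # Rule 1: a dropped file renamed to .bat and executed in the same command.
        m = _RENAME_RUN.search(cmd)
        if base == "cmd.exe" and m and m.group(1).lower() == m.group(2).lower():
            findings.append(Finding("rename_to_bat_and_run", e.pid, m.group(1)))

        # Rule 2: findstr for security-product names with a tasklist sibling,
        # i.e. the output of tasklist is being checked for installed AV/EDR.
        if base == "findstr.exe" and "/i" in cmd.lower():
            quoted = " ".join(re.findall(r'"([^"]*)"', cmd)).lower().split()
            hits = sorted(AV_PROCESS_NAMES.intersection(quoted))
            if hits and any(_base(s.image) == "tasklist.exe" for s in siblings):
                findings.append(Finding("av_process_check", e.pid, ",".join(hits)))

        # Rule 3: a binary reassembled from several chunks with copy /b.
        m = _COPY_B.search(cmd)
        if base == "cmd.exe" and m:
            parts = [p.strip() for p in m.group(1).split("+")]
            if len(parts) >= 2:
                findings.append(Finding("copy_b_reassembly", e.pid,
                                        f"{len(parts)} chunks -> {m.group(2)}"))

        # Rule 4: a .pif executing out of the user's Temp directory.
        low = e.image.lower()
        if low.endswith(".pif") and "\\appdata\\local\\temp\\" in low:
            findings.append(Finding("pif_from_temp", e.pid, e.image))

        # Rule 5: ping used as a sleep, then the parent's own image deleted.
        m = _PING_DEL.search(cmd)
        parent = by_pid.get(e.ppid)
        if base == "cmd.exe" and m and parent and \
                m.group(1).strip().lower() == parent.image.lower():
            findings.append(Finding("ping_delay_self_delete", e.pid, parent.image))
    return findings


T = r"C:\Users\Admin\AppData\Local\Temp"
S = r"C:\Windows\SysWOW64"
EVENTS = [  # constructed from the tree above
    ProcEvent(2148, 0, T + r"\66fad513a308f_SubstituteAgain1.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\66fad513a308f_SubstituteAgain1.exe"'),
    ProcEvent(2560, 2148, S + r"\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c move Tough Tough.bat & Tough.bat'),
    ProcEvent(2528, 2560, S + r"\tasklist.exe", "tasklist"),
    ProcEvent(1908, 2560, S + r"\findstr.exe", r'findstr /I "wrsa opssvc"'),
    ProcEvent(2728, 2560, S + r"\tasklist.exe", "tasklist"),
    ProcEvent(2764, 2560, S + r"\findstr.exe",
              r'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    ProcEvent(2900, 2560, S + r"\cmd.exe", "cmd /c md 550360"),
    ProcEvent(2872, 2560, S + r"\findstr.exe",
              r'findstr /V "RatesWarningMouseLake" Contribute'),
    ProcEvent(2960, 2560, S + r"\cmd.exe",
              r"cmd /c copy /b ..\Cookies + ..\Nor + ..\Fence + ..\Interactions + ..\Doctor + ..\Monitoring t"),
    ProcEvent(2800, 2560, T + r"\550360\Cal.pif", "Cal.pif t"),
    ProcEvent(1764, 2800, S + r"\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DocumentsFIEHDBGDHD.exe"'),
    ProcEvent(2848, 1764, r"C:\Users\Admin\DocumentsFIEHDBGDHD.exe",
              r'"C:\Users\Admin\DocumentsFIEHDBGDHD.exe"'),
    ProcEvent(3008, 2848, S + r"\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\DocumentsFIEHDBGDHD.exe'),
    ProcEvent(2276, 3008, S + r"\PING.EXE", "ping 2.2.2.2 -n 1 -w 3000"),
    ProcEvent(2756, 2560, S + r"\choice.exe", "choice /d y /t 5"),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:24} pid={f.pid:<5} {f.detail}")
```

Rules 2 and 5 deliberately correlate across events (a tasklist sibling under the same parent, the parent's image path) rather than matching a single command line, which is what keeps them from firing on an administrator who runs `tasklist | findstr` by hand. On a real EDR feed the same logic keys on ParentProcessId and the parent's image path.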

Network

Downloads

        • C:\ProgramData\ExpandSkip.xlsx

          Filesize

          16KB

          MD5

          d8d423cb844128768e6a4288ff7fca48

          SHA1

          2ad8ed5800aeb7a18241d95b6e8e44ce9300bd77

          SHA256

          70c6d51e50d2d4298c73b0e8090cf597903ee2872f3c69b5130fb24c481b094a

          SHA512

          fbade28ce061a12da451fbb0ec7ceaa43bcf831cf3f8c8a8f2abc0623216b86841edfe00140b17467ef70dee9ce3f568271677199d5ee7fbbeefa28ca0aab1fe

        • C:\ProgramData\InstallUnpublish.docx

          Filesize

          17KB

          MD5

          7efeeeb417d6365a829e534246b9e73b

          SHA1

          0759e28adc9c71de882184826f76f991e290ce88

          SHA256

          76a51ddcd46f7ca4bdd907a27c1cbb62b399da5afa7270e069f44545a2c118cd

          SHA512

          8c51fbf234e58af273bf61d09cb089e54758d92816d1223d6eb98ae53a6a913d402817bd85afc02c9ae01075981514be13ae1ecfb016c8abd2e2c092f9d6b09c

        • C:\Users\Admin\AppData\Local\Temp\550360\t

          Filesize

          441KB

          MD5

          2ee1a892d0c2ff0947ff93687fd27277

          SHA1

          062ca51b95e04495c5dd2872294b36a4703c91d5

          SHA256

          aecc6992193d8ef20a9188de2fadda74b95acafa4cc4d72fec9735d72b72fdb0

          SHA512

          ce65fbbbdc0d7df03da2b164712d2e96dd7bd1560715929c83928f34d591dc1ff6dd957ac6bcb7da1bc70edf641bbb3521a00b7fc0e4bfe9a8f13eaea431165d

        • C:\Users\Admin\AppData\Local\Temp\Contribute

          Filesize

          5KB

          MD5

          7ec18996d0a46060a9179be7dd014ea9

          SHA1

          e29fc68e3473465ac376b88d36976da3865771d3

          SHA256

          eab8d7155ca478fcd3f3de68e1356c1bb427e07a8dc1de5b12be8cc1ddfc26c6

          SHA512

          f14badd8c21742c0aaaadef257b602d506868fd76066ea43ed48dbb8fa803b3925fa1b4b39097c45025c65c7c0ab4e4aee9e58c1db47d9dd40b7dd2951f7752d

        • C:\Users\Admin\AppData\Local\Temp\Cookies

          Filesize

          85KB

          MD5

          a9cbb34f39acff0a54b517a4a7ee0f57

          SHA1

          843476e1ba47c45c788a92cbf098ded54bcaa7a8

          SHA256

          371864dd007175af0f5bc8a786a3b23414050ff65711cf8adc5e3a4b1f96ba80

          SHA512

          5a6d441a21f392eff0834ef43f9c312f44fbe7310ac7381b2426fe9bcb8c9de6b0d4c36f7e9d62da9cd0ceffb9151504314bf9998025e05289cc0f7ca3850f8a

        • C:\Users\Admin\AppData\Local\Temp\Doctor

          Filesize

          98KB

          MD5

          15f7084287fb38b518d002292a314075

          SHA1

          b370f5e35dbc8c9f149201abfc3d5d9d5db018b6

          SHA256

          d78a6785ced2c7484ccb093d29ebb5418c302801eb43dfc13285d70ca6845d97

          SHA512

          6e4b1c2ffce6c00ebe42ef970d669e3b26e387b889f67cb0143d1c377071d6bde4d9cfb501302725b24fcf4a4d03c2888c0b55143dbf13567f1bd98353fbc688

        • C:\Users\Admin\AppData\Local\Temp\Fence

          Filesize

          86KB

          MD5

          dd70a769b3ab4f5f1aa5081a8d8df383

          SHA1

          e8d6d12e1f6aba647da1379968ef121fc41e7c35

          SHA256

          bb19ff3fa75174d76e10f7fb7df41f9b8eacabd6fe2e4e2eb4e1791d1ab1e6d8

          SHA512

          389e7a8063b0c1ad4fabbc65fcd6a146e35edfb9e781c1f69e92ad93eca8b4f0aa3a09aca18795decf13183af35f31087ae2c3d4de9cf1fed5eb867fdc0af757

        • C:\Users\Admin\AppData\Local\Temp\Interactions

          Filesize

          50KB

          MD5

          562f141d3a29c6dd533776ec5f4a46ea

          SHA1

          a036e120df20d9d5d84db52ca4664ea682886170

          SHA256

          719f8df256ee2e4bea4fdee798ac799366aa2a2f8fae55febcdfaadfaf7b4a53

          SHA512

          a94602464e74abf5bfe434d1e44fb11acfdba6025b2b3a2d2da97e14e56bb1a455d0f3f3ec59934acc39e0d2fbec64db25f8e6c92e46c89069eea46d93070551

        • C:\Users\Admin\AppData\Local\Temp\Labor

          Filesize

          867KB

          MD5

          69cd8cf03b80b94bb36b06cfbb262489

          SHA1

          ff6d9f64d1c496c4d721690cb102c588c17917ad

          SHA256

          54095dc56ad3c26ef12a465bd279418011b89caef55bd06977d03db436a1f359

          SHA512

          2006c58318989b9c94d927937817c124383d063a7b987614db275f020f3b2a50620dc46a83568ea37651c4b83d15c37a0356630722213421041b3cdd8a1f6520

        • C:\Users\Admin\AppData\Local\Temp\Monitoring

          Filesize

          49KB

          MD5

          8b3a8fc121a54a950eedc122c09932eb

          SHA1

          1f1bf25db09d268ca4c86b42ec1923e5e03bb275

          SHA256

          4ebd3e25b2d20e571c5eb5acf9384dd6f1ec99c66c0002cb4687d6d05a43c897

          SHA512

          13cd3b05a3bad3f874566e736e0012e267b679f05c0ec8aaaa1984c416e7c1bbee65a34861a598538b7f8bf485c79da13bfee10842479987cbd0005895a4d7b3

        • C:\Users\Admin\AppData\Local\Temp\Nor

          Filesize

          73KB

          MD5

          39cbcfac2af36a2416f01bc5484ba6fb

          SHA1

          40539b7615b117975af6738a743b03664fafd072

          SHA256

          81c243d9d1c354f57ce78a36e709124a6bfe9b94e6088d9b009360abac470b7c

          SHA512

          2fb402f4279baa3002d39f539cbdb40af0ac6c85f362d0ba7448e791488605defa71234a59377a90504a1e0ad5a8e019eb38c709aff8cfe4d7f743647f9ec560

        • C:\Users\Admin\AppData\Local\Temp\Tough

          Filesize

          9KB

          MD5

          84ea26756b40c084b69b45404ec99a0e

          SHA1

          70acb464e077d018fd13b250fb86d057c27eafc1

          SHA256

          fe384870caee86a6007c5ac37a1f15324090db94746496977f69c2eaa9e54490

          SHA512

          92d193662d0fb449932750251e84886e0c9fc9809f02fa2760c56bbe97ddb7ae5aeb8c1e45f53a580fabb6a92696a6da9638410e0ec539f55fd8f45c23102614

        • \ProgramData\mozglue.dll

          Filesize

          593KB

          MD5

          c8fd9be83bc728cc04beffafc2907fe9

          SHA1

          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

          SHA256

          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

          SHA512

          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

        • \ProgramData\nss3.dll

          Filesize

          2.0MB

          MD5

          1cc453cdf74f31e4d913ff9c10acdde2

          SHA1

          6e85eae544d6e965f15fa5c39700fa7202f3aafe

          SHA256

          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

          SHA512

          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

        • \Users\Admin\AppData\Local\Temp\550360\Cal.pif

          Filesize

          872KB

          MD5

          18ce19b57f43ce0a5af149c96aecc685

          SHA1

          1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

          SHA256

          d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

          SHA512

          a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

        • \Users\Admin\DocumentsFIEHDBGDHD.exe

          Filesize

          17KB

          MD5

          c52e326b3e71b7930cf6b314d1fa1cff

          SHA1

          990b9e596948ab2423d005c7633591cffee7436f

          SHA256

          de7ceb041799349b1fca65b06865087b37f488d0dceb744056d0ba5152551c07

          SHA512

          afbf73d7e879f0454d19e7716eb4e0daf7be24879b25ac409c0c075bf2dff22c74e3d8eae2143aa531b1b24244df829e9102565123d42357bf940723f8c76a86

        • memory/2800-28-0x00000000035A0000-0x0000000003801000-memory.dmp

          Filesize

          2.4MB

        • memory/2800-33-0x0000000061E00000-0x0000000061EF3000-memory.dmp

          Filesize

          972KB

        • memory/2800-30-0x00000000035A0000-0x0000000003801000-memory.dmp

          Filesize

          2.4MB

        • memory/2800-31-0x00000000035A0000-0x0000000003801000-memory.dmp

          Filesize

          2.4MB

        • memory/2800-27-0x00000000035A0000-0x0000000003801000-memory.dmp

          Filesize

          2.4MB

        • memory/2800-29-0x00000000035A0000-0x0000000003801000-memory.dmp

          Filesize

          2.4MB

        • memory/2848-91-0x00000000000E0000-0x00000000000EA000-memory.dmp

          Filesize

          40KB
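
Two consistency checks worth running on a list like the one above before its hashes go into a hunt: the six chunks named in the `copy /b` command (Cookies, Nor, Fence, Interactions, Doctor, Monitoring) should add up to the size of the reassembled file `t` (85 + 73 + 86 + 50 + 98 + 49 = 441 KB, which they do), and each `memory/<pid>-<n>-<start>-<end>-memory.dmp` name encodes a region whose length should match the stated Filesize. The parser below is an added example, not part of the report. SAMPLE is a constructed excerpt in the report's own layout (a "• path" line followed by alternating field/value lines) with the sizes and one hash copied from the entries above; the field names are taken from the page, the function names are mine.

```python
"""Parse the dropped-file list above and sanity-check it.

Added example, not part of the sandbox report. SAMPLE is a constructed excerpt
in the report's layout; its sizes and hash are copied from the list above.
"""
import re

SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\550360\t
  Filesize
  441KB
  SHA256
  aecc6992193d8ef20a9188de2fadda74b95acafa4cc4d72fec9735d72b72fdb0
• C:\Users\Admin\AppData\Local\Temp\Cookies
  Filesize
  85KB
• C:\Users\Admin\AppData\Local\Temp\Nor
  Filesize
  73KB
• C:\Users\Admin\AppData\Local\Temp\Fence
  Filesize
  86KB
• C:\Users\Admin\AppData\Local\Temp\Interactions
  Filesize
  50KB
• C:\Users\Admin\AppData\Local\Temp\Doctor
  Filesize
  98KB
• C:\Users\Admin\AppData\Local\Temp\Monitoring
  Filesize
  49KB
• memory/2800-28-0x00000000035A0000-0x0000000003801000-memory.dmp
  Filesize
  2.4MB
• memory/2800-33-0x0000000061E00000-0x0000000061EF3000-memory.dmp
  Filesize
  972KB
• memory/2848-91-0x00000000000E0000-0x00000000000EA000-memory.dmp
  Filesize
  40KB
"""

_ENTRY = re.compile(r"^•\s*(.+?)$")
_MEM = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_downloads(text: str) -> dict[str, dict[str, str]]:
    """Return {path: {field: value}} for every '• path' entry in the text."""
    records: dict[str, dict[str, str]] = {}
    current, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if m:                       # a new entry starts
            current = records.setdefault(m.group(1).strip(), {})
            key = None
        elif current is not None and key is None:
            key = line              # field name, e.g. "Filesize"
        elif current is not None:
            current[key] = line     # the value on the following line
            key = None
    return records


def size_bytes(text: str) -> int:
    """Convert the report's '441KB' / '2.4MB' strings to a byte count."""
    m = re.fullmatch(r"([\d.]+)\s*(B|KB|MB|GB)", text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def chunks_match_output(records, chunk_paths, output_path) -> bool:
    """True if the copy /b chunks add up exactly to the reassembled file."""
    total = sum(size_bytes(records[p]["Filesize"]) for p in chunk_paths)
    return total == size_bytes(records[output_path]["Filesize"])


def memory_regions(records, tolerance: float = 0.05) -> list[dict]:
    """Decode memory/<pid>-<n>-<start>-<end> names and check the stated size.

    The report rounds sizes (2,494,464 bytes is shown as 2.4MB), hence the
    tolerance rather than an exact comparison.
    """
    out = []
    for path, fields in records.items():
        m = _MEM.match(path)
        if not m:
            continue
        start, end = int(m.group(2), 16), int(m.group(3), 16)
        size = end - start
        reported = size_bytes(fields["Filesize"])
        out.append({"pid": int(m.group(1)), "start": start, "end": end, "size": size,
                    "reported_ok": abs(size - reported) <= tolerance * reported})
    return out


RECORDS = parse_downloads(SAMPLE)
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Chunk order as given on the copy /b command line in the process tree.
CHUNKS = [TEMP + "\\" + n for n in
          ("Cookies", "Nor", "Fence", "Interactions", "Doctor", "Monitoring")]
OUTPUT = TEMP + r"\550360\t"

if __name__ == "__main__":
    print("chunks sum to t:", chunks_match_output(RECORDS, CHUNKS, OUTPUT))
    for r in memory_regions(RECORDS):
        print(f"pid {r['pid']}: {r['size']} bytes at {r['start']:#x}, "
              f"size as reported: {r['reported_ok']}")
```

The chunk check is the useful one operationally: when it holds, the SHA256 of `t` is the hash to pivot on, because the individual chunk hashes are disposable (the dropper can re-split the same payload at different offsets) while the reassembled file is what actually executes.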