stealc | 72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545

Analysis

max time kernel
125s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545.exe
Size

909KB
MD5

5e55a47b6d7053f9d1ff19539863b8c2
SHA1

0fc816248d3ee7605237b1c216dd95333f9edc44
SHA256

72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545
SHA512

53665b9d764a454aa5ed9f0037a4c36df169ee0fa2caf328b7b559c97006f8818cb33cdeb488333e37c266be041b8fcd4dc4aa683e69472d9c0e00850ad1807d
SSDEEP

12288:ECXVJY0G8ReIqcEV/cjrk/BO27mOCNcnjaEpEEt/xOJUnjz/j/aP3hLnqZ:Eys07eFv1/4PwG/C5OKnjz/zwlnqZ

Score

10^/10

stealc discovery stealer

Malware Config

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545.exe

Executes dropped EXE 1 IoCs

pid	Process
4092	Sleeping.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3340	tasklist.exe
4732	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LegacyAwful	72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545.exe
File opened for modification	C:\Windows\HeatherUnable	72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545.exe
File opened for modification	C:\Windows\AsusNorfolk	72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sleeping.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4092	Sleeping.pif

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4092	Sleeping.pif
4092	Sleeping.pif
4092	Sleeping.pif
4092	Sleeping.pif
4092	Sleeping.pif
4092	Sleeping.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3340	tasklist.exe
Token: SeDebugPrivilege	4732	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4092	Sleeping.pif
4092	Sleeping.pif
4092	Sleeping.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4092	Sleeping.pif
4092	Sleeping.pif
4092	Sleeping.pif

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 228	1492	72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545.exe	89
PID 1492 wrote to memory of 228	1492	72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545.exe	89
PID 1492 wrote to memory of 228	1492	72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545.exe	89
PID 228 wrote to memory of 3340	228	cmd.exe	91
PID 228 wrote to memory of 3340	228	cmd.exe	91
PID 228 wrote to memory of 3340	228	cmd.exe	91
PID 228 wrote to memory of 784	228	cmd.exe	92
PID 228 wrote to memory of 784	228	cmd.exe	92
PID 228 wrote to memory of 784	228	cmd.exe	92
PID 228 wrote to memory of 4732	228	cmd.exe	94
PID 228 wrote to memory of 4732	228	cmd.exe	94
PID 228 wrote to memory of 4732	228	cmd.exe	94
PID 228 wrote to memory of 3208	228	cmd.exe	95
PID 228 wrote to memory of 3208	228	cmd.exe	95
PID 228 wrote to memory of 3208	228	cmd.exe	95
PID 228 wrote to memory of 2168	228	cmd.exe	96
PID 228 wrote to memory of 2168	228	cmd.exe	96
PID 228 wrote to memory of 2168	228	cmd.exe	96
PID 228 wrote to memory of 1936	228	cmd.exe	97
PID 228 wrote to memory of 1936	228	cmd.exe	97
PID 228 wrote to memory of 1936	228	cmd.exe	97
PID 228 wrote to memory of 4472	228	cmd.exe	98
PID 228 wrote to memory of 4472	228	cmd.exe	98
PID 228 wrote to memory of 4472	228	cmd.exe	98
PID 228 wrote to memory of 4092	228	cmd.exe	99
PID 228 wrote to memory of 4092	228	cmd.exe	99
PID 228 wrote to memory of 4092	228	cmd.exe	99
PID 228 wrote to memory of 2972	228	cmd.exe	100
PID 228 wrote to memory of 2972	228	cmd.exe	100
PID 228 wrote to memory of 2972	228	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545.exe
"C:\Users\Admin\AppData\Local\Temp\72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Extends Extends.bat & Extends.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3340
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:784
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4732
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3208
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 376615
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "PieAttachedEndlessEz" Projected
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Presence + ..\Expenditures + ..\Settlement + ..\Daniel + ..\Javascript + ..\Packs y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4472
- - C:\Users\Admin\AppData\Local\Temp\376615\Sleeping.pif
    Sleeping.pif y
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4092
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4212,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=1316 /prefetch:8
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\376615\Sleeping.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\376615\y

Filesize
426KB

MD5
ae3d55e50e851e400c6276ea49e81e4f

SHA1
2447dd509e112be9d80520bcba5a0511320baaf7

SHA256
f64f9dfc4fce3514662636891549ab28f2314d5b5c50a12c2dcc0282cd052a8b

SHA512
2bb77a8b0a1e277839efe16de88852b1a23079de38ca47f4d562c11f9eb9931f4a733155137aa223b2e0c8665fd934bf52bfae700de6ca9ebc663f3aa7a46812

Download Submit
C:\Users\Admin\AppData\Local\Temp\Daniel

Filesize
94KB

MD5
dbb5b61f1db614c25d7ec9d101110a59

SHA1
baf31207e205d36645a0eff19e87c74be1b576ea

SHA256
3eb6724e3f69973f4df7a5026da55fcbe1b48b9ae0661ff79e454cde052d2381

SHA512
016e72fe2e3f68246e5e40e4f39e25a4ffa6ebf76d451bc71b0136768104f36a40d377456d9f5a8d5a4b49bc927e085a5677cbb1c7f67f27855b8d7c4e4948db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expenditures

Filesize
86KB

MD5
49f0222027ce9239edfe22653b2cabd4

SHA1
c8326622726f76cdaf79a47fadc9eb5beac32237

SHA256
b9921b700b9725b83e0c59c33bc14af9cc1c16a15fc5c6794fbb0225187b93ec

SHA512
5c4c92304713f4cbc3f08214c5b12bc056c5694c1893d6e916c6cb069e176740ca3b0dbc67b507c45e7119cb9eb26668c923dc138ec1f4a1e6e1d603bb2d343e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extends

Filesize
8KB

MD5
1d84284b8942f58060e1d05f0b1e188a

SHA1
b67d7f48760822e8af325f78d897e2d915de565c

SHA256
352e14e0acd212b3152ce18c1145028da38a7fbedf5cf736995e806f2388a113

SHA512
1de99eda612855e4303caa5fef13917081bcfa3bd6c7bbb363000dd0a8a19f98c15cdab9b8a8d5b86915b632589a831d4578b82ace71f0443792cc6e899d182a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Feedback

Filesize
866KB

MD5
47f486f9a09c3c92d6c63df8a59e4964

SHA1
0b83d8336e74a094c9e4a85df296dcb3ef8f0a02

SHA256
49038116a1180b904492a7df13f7f37803f192e9f778c01e83d0378c5b842437

SHA512
f8c05cbf2a95d1fc86d78ff58abe4d2c1ff9d296815f44c9db89225f87043e34553a0d1062f9f2e89910957c13b2fe4766ad80769a1e746949ac16d85917dd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Javascript

Filesize
60KB

MD5
e74399d04f69a683d98046ab88f5bba0

SHA1
c88af22c8c29c3405ea385fa6c792e490a12aec8

SHA256
961d4241d2a91eea86a27a5c746f65bce321b2bdca8048ae775a713a7cbc3ed6

SHA512
23074aeb05050c89ba14d30c99b580bc929745eaca718f937c3d7666a8165efb55f55b05257002035bd2f17b6de8b51355d2f4025996f0a81dc2d8b3c91359ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Packs

Filesize
38KB

MD5
5cbc78e7462b03104122bfcea6c0570f

SHA1
4b9f078f630e2f5530f247ea3e194e7b3877056b

SHA256
75f7b16d57b7956bb74e3640c616f432b773951855297743c90b735284a74165

SHA512
e6d0a80386fc4eb77c073fa1d0c6f49b36fe216276b64dd90c24de1ec77703cd0db6f4a586063579255d79cd85ef5e1a39578d48c3ca4023dc17e6701da5aa93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Presence

Filesize
60KB

MD5
ee2ef75583f3d5eabc9de0aeeb588752

SHA1
072fbac659a8878a5ed39b8710ced7256d0a8b31

SHA256
3fc3907a25dea94f2848f8431111f1270a033277212fadff68cb1541dc7abb22

SHA512
7fa97e919747ce1bdf94012089ef50e2fa3b3b167b072f6deccb966009c4a94d37c60e89b6e1592593d0bcb6196cb9d781a370e727815bce1246d642278e49d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Projected

Filesize
6KB

MD5
93e1c03496c73ce0227eebfe83b0bd3d

SHA1
e571d6fdee00475b54029a6af43ab1341abac5dc

SHA256
f36376d6c3ca12b169ec967ac62ffab30840073edb1d6f6128dfd294753a1444

SHA512
20a24d9bf4aaa49f9ffcf6774678aef655b924c93dc42d5520bc312dbb8023ef90747e12ab0436f8e61a754abfd840bbf854a061d90d395f8a422200649a5c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Settlement

Filesize
88KB

MD5
7c56f2bf9a311376e68263ee9c5a8393

SHA1
797bd5804a7a3f9425e23f9caf70aa473a46adaf

SHA256
fdbafb85b95cd634ec53a63e29e0a2d34704ed22e356907961a5eb9e7d056e1a

SHA512
2b0fdb236c7ec2434ccc3d9036dd80a37e8d3bf433d241809e9f869f6a8731955787230da22a1ed200677ecdceb65b40cca57dfb2c3f74ff68d3640bbbb729b5

Download Submit
memory/4092-25-0x0000000004890000-0x0000000004AF1000-memory.dmp

Filesize
2.4MB

Download
memory/4092-26-0x0000000004890000-0x0000000004AF1000-memory.dmp

Filesize
2.4MB

Download
memory/4092-27-0x0000000004890000-0x0000000004AF1000-memory.dmp

Filesize
2.4MB

Download
memory/4092-28-0x0000000004890000-0x0000000004AF1000-memory.dmp

Filesize
2.4MB

Download
memory/4092-29-0x0000000004890000-0x0000000004AF1000-memory.dmp

Filesize
2.4MB

Download