Analysis
  max time kernel: 195s
  max time network: 255s
  platform: windows10-1703_x64
  resource: win10-20240404-en
  resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  submitted: 10-10-2024 01:49
Behavioral task: behavioral1
  Sample: 7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce.exe
  Resource: win7-20240903-en
General
  Target: 7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce.exe
  Size: 307KB
  MD5: 6ead977356a0302d5712c5c72bf82b65
  SHA1: efc7e990984a170dd352e8290fedd1d4d748851c
  SHA256: 7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce
  SHA512: 7f0b88c74179866956e2358e21e4700ed9baf1c28712ee78aea689a8027c62aa05c781984c0e3bdca83657b7d34570d5f1e670ef95c91f46f48680c07e53325a
  SSDEEP: 6144:aAichYtUokCulxMfpbC2e+PuGEFNnE7w+Uw3NKR9hU/W9:StUoH342pSF94wx8KRF9
Malware Config
  Extracted: stealc
    zalupa
    http://95.217.92.42:22
    url_path: /7db38bfff9324bbe.php
Signatures
  Reads data files stored by FTP clients (2 TTPs)
    Tries to access configuration files associated with programs like FileZilla.
  Unsecured Credentials: Credentials In Files (1 TTPs)
    Steal credentials from unsecured files.
  Checks installed software on the system (1 TTPs)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description / ioc / Process:
      Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: timeout.exe
      Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: 7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce.exe
      Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: cmd.exe
  Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    description / ioc / Process:
      Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, Process: 7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce.exe
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, Process: 7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce.exe
  Delays execution with timeout.exe (1 IoCs)
    pid / Process:
      4700 timeout.exe
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid / Process:
      600 7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce.exe
      600 7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce.exe
  Suspicious use of WriteProcessMemory (6 IoCs)
    description / pid / Process / procid_target:
      PID 600 wrote to memory of 2764, pid: 600, Process: 7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce.exe, procid_target: 72
      PID 600 wrote to memory of 2764, pid: 600, Process: 7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce.exe, procid_target: 72
      PID 600 wrote to memory of 2764, pid: 600, Process: 7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce.exe, procid_target: 72
      PID 2764 wrote to memory of 4700, pid: 2764, Process: cmd.exe, procid_target: 74
      PID 2764 wrote to memory of 4700, pid: 2764, Process: cmd.exe, procid_target: 74
      PID 2764 wrote to memory of 4700, pid: 2764, Process: cmd.exe, procid_target: 74
Processes
  1. C:\Users\Admin\AppData\Local\Temp\7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce.exe"
     - System Location Discovery: System Language Discovery
     - Checks processor information in registry
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory
     PID: 600
     2. C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce.exe" & del "C:\ProgramData\*.dll"" & exit
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2764
        3. C:\Windows\SysWOW64\timeout.exe
           Command line: timeout /t 5
           - System Location Discovery: System Language Discovery
           - Delays execution with timeout.exe
           PID: 4700