Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-10-2024 06:21
Static task
static1
Behavioral task
behavioral1
Sample
9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe
Resource
win7-20240708-en
General
-
Target
9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe
-
Size
493KB
-
MD5
7c6083bf70e2919d0957ffcb7b75ebeb
-
SHA1
89254f92c908c0d99d150649aab4fdea7fc10b34
-
SHA256
9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8
-
SHA512
ba7c4f25f83cfde35252920821707322e3523b3e47bb221239082fce3e3eb6811d302a24c1583bed3d8ddb54a6bb3e99ee6d2c5d3d2f5425ded550b82bcf16e8
-
SSDEEP
12288:PtVE8S9QVK+gLgDWuaQ3HQ0RJaE5hZVQgqt2oRAAn4S:PfS9RkKO3w0RJaOQgq0oRAA4
Malware Config
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
MSBuild.exepid Process 844 MSBuild.exe 844 MSBuild.exe -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exedescription pid Process procid_target PID 3320 set thread context of 844 3320 9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe 86 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 4884 3320 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
MSBuild.execmd.exe9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MSBuild.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MSBuild.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
MSBuild.exepid Process 844 MSBuild.exe 844 MSBuild.exe 844 MSBuild.exe 844 MSBuild.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
cmd.exepid Process 212 cmd.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exeMSBuild.exedescription pid Process procid_target PID 3320 wrote to memory of 844 3320 9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe 86 PID 3320 wrote to memory of 844 3320 9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe 86 PID 3320 wrote to memory of 844 3320 9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe 86 PID 3320 wrote to memory of 844 3320 9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe 86 PID 3320 wrote to memory of 844 3320 9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe 86 PID 3320 wrote to memory of 844 3320 9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe 86 PID 3320 wrote to memory of 844 3320 9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe 86 PID 3320 wrote to memory of 844 3320 9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe 86 PID 3320 wrote to memory of 844 3320 9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe 86 PID 844 wrote to memory of 212 844 MSBuild.exe 94 PID 844 wrote to memory of 212 844 MSBuild.exe 94 PID 844 wrote to memory of 212 844 MSBuild.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe"C:\Users\Admin\AppData\Local\Temp\9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\IIJEBAECGC.exe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:212
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 2362⤵
- Program crash
PID:4884
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3320 -ip 33201⤵PID:1956
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571