Analysis
max time kernel: 141s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
submitted: 09/11/2024, 19:26

Static task: static1
Behavioral task: behavioral1
Sample: 9d8339d342ed747583da03583afdb445.exe
Resource: win7-20240903-en
General
Target: 9d8339d342ed747583da03583afdb445.exe
Size: 451KB
MD5: 9d8339d342ed747583da03583afdb445
SHA1: ab2bbc7c5af8913c66c75331d62b6fede68d46b7
SHA256: 695b8d6b97edf8239d5ae772c2d726740d81a0b4893199c3be812406e0942123
SHA512: 46be1b3eb7c57056625a1176ed77a620e9bd5a40713a3e4d61be5ebd7e215ec988977c0e5c9cba1ff1013eede89ae9bb07e6149d6d58fcb73f9f61415fbd3be1
SSDEEP: 6144:dE0b6CikANLQUmtn37+tm/jEgEn7vZSwZjJP27UxQ76gXFu/s+2abgbqhT9bQu:dE0bzFqQdl7+tGjyj1fxQzXas+2O2a
Malware Config
Extracted
stealc
default10
http://62.204.41.163
url_path: /16fa04073490929d.php
Signatures

Stealc family

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid    Process
3044   4194.tmp.exe

Loads dropped DLL (5 IoCs)
pid    Process
2752   9d8339d342ed747583da03583afdb445.exe
2752   9d8339d342ed747583da03583afdb445.exe
2752   9d8339d342ed747583da03583afdb445.exe
2752   9d8339d342ed747583da03583afdb445.exe
2752   9d8339d342ed747583da03583afdb445.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   9d8339d342ed747583da03583afdb445.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   4194.tmp.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid    Process
2752   9d8339d342ed747583da03583afdb445.exe

Suspicious use of SendNotifyMessage (1 IoC)
pid    Process
2752   9d8339d342ed747583da03583afdb445.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                        pid    Process                                procid_target
PID 2752 wrote to memory of 3044   2752   9d8339d342ed747583da03583afdb445.exe   31
PID 2752 wrote to memory of 3044   2752   9d8339d342ed747583da03583afdb445.exe   31
PID 2752 wrote to memory of 3044   2752   9d8339d342ed747583da03583afdb445.exe   31
PID 2752 wrote to memory of 3044   2752   9d8339d342ed747583da03583afdb445.exe   31
Processes

C:\Users\Admin\AppData\Local\Temp\9d8339d342ed747583da03583afdb445.exe
  "C:\Users\Admin\AppData\Local\Temp\9d8339d342ed747583da03583afdb445.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2752

  C:\Users\Admin\AppData\Local\Temp\4194.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\4194.tmp.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3044
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 303KB
MD5: f7e637924f021b359d158d31c93d239f
SHA1: dfc068dc3c019741c56481bdc1d2ff216ac50765
SHA256: f87fafe5077d57748093d125dccf8fb8d80bed99de2f11c5032ddd80ae09b3b1
SHA512: 2203fcb797198774dd9a43304a221849e2170c3c6dc8b55c7859a0482026c1dfdb6bcae74fe35c6296fa954fe0fd2b571c1f2b411259a667247d2d3b15ccfd9c