Analysis
- max time kernel: 140s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- submitted: 09/11/2024, 19:26
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9d8339d342ed747583da03583afdb445.exe
- Resource: win7-20240903-en
General
- Target: 9d8339d342ed747583da03583afdb445.exe
- Size: 451KB
- MD5: 9d8339d342ed747583da03583afdb445
- SHA1: ab2bbc7c5af8913c66c75331d62b6fede68d46b7
- SHA256: 695b8d6b97edf8239d5ae772c2d726740d81a0b4893199c3be812406e0942123
- SHA512: 46be1b3eb7c57056625a1176ed77a620e9bd5a40713a3e4d61be5ebd7e215ec988977c0e5c9cba1ff1013eede89ae9bb07e6149d6d58fcb73f9f61415fbd3be1
- SSDEEP: 6144:dE0b6CikANLQUmtn37+tm/jEgEn7vZSwZjJP27UxQ76gXFu/s+2abgbqhT9bQu:dE0bzFqQdl7+tGjyj1fxQzXas+2O2a
Malware Config
Extracted
- Family: stealc
- default10
- http://62.204.41.163
- url_path: /16fa04073490929d.php
Signatures
- Stealc family
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Process: 9d8339d342ed747583da03583afdb445.exe
- Executes dropped EXE (1 IoC)
  pid: 2396 | Process: E6C6.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid: 1428 | pid_target: 2396 | Process: WerFault.exe | procid_target: 100
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: 9d8339d342ed747583da03583afdb445.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: E6C6.tmp.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid: 4628 | Process: 9d8339d342ed747583da03583afdb445.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid: 4628 | Process: 9d8339d342ed747583da03583afdb445.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4628 wrote to memory of 2396 | pid: 4628 | Process: 9d8339d342ed747583da03583afdb445.exe | procid_target: 100
  description: PID 4628 wrote to memory of 2396 | pid: 4628 | Process: 9d8339d342ed747583da03583afdb445.exe | procid_target: 100
  description: PID 4628 wrote to memory of 2396 | pid: 4628 | Process: 9d8339d342ed747583da03583afdb445.exe | procid_target: 100
Processes
- C:\Users\Admin\AppData\Local\Temp\9d8339d342ed747583da03583afdb445.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d8339d342ed747583da03583afdb445.exe"
  PID: 4628
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\E6C6.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\E6C6.tmp.exe"
    PID: 2396
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1016
      PID: 1428
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2396 -ip 2396
  PID: 3424
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 303KB
- MD5: f7e637924f021b359d158d31c93d239f
- SHA1: dfc068dc3c019741c56481bdc1d2ff216ac50765
- SHA256: f87fafe5077d57748093d125dccf8fb8d80bed99de2f11c5032ddd80ae09b3b1
- SHA512: 2203fcb797198774dd9a43304a221849e2170c3c6dc8b55c7859a0482026c1dfdb6bcae74fe35c6296fa954fe0fd2b571c1f2b411259a667247d2d3b15ccfd9c