Analysis Overview
SHA256
5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319
Threat Level: Known bad
The file 5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe was found to be: Known bad.
Malicious Activity Summary
Stealc
Stealc family
Reads data files stored by FTP clients
Deletes itself
Checks computer location settings
Unsecured Credentials: Credentials In Files
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 02:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 02:29
Reported
2024-11-14 02:31
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
97s
Signatures
Stealc
Stealc family
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe | N/A |
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Checks installed software on the system
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2492 wrote to memory of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2492 wrote to memory of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2492 wrote to memory of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4144 wrote to memory of 3204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 4144 wrote to memory of 3204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 4144 wrote to memory of 3204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe
"C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2492 -ip 2492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 1464
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 62.204.41.177:80 | 62.204.41.177 | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.41.204.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/2492-1-0x0000000002BA0000-0x0000000002CA0000-memory.dmp
memory/2492-2-0x0000000004790000-0x00000000047DE000-memory.dmp
memory/2492-3-0x0000000000400000-0x0000000000661000-memory.dmp
memory/2492-6-0x0000000000400000-0x0000000000661000-memory.dmp
memory/2492-5-0x0000000004790000-0x00000000047DE000-memory.dmp
memory/2492-4-0x0000000000400000-0x0000000002B75000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 02:29
Reported
2024-11-14 02:31
Platform
win7-20240729-en
Max time kernel
16s
Max time network
17s
Signatures
Stealc
Stealc family
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe
"C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5a134a9d053be5eeaaeb699bc9bc733e78e36114d8e1fe837efe86512a14d319N.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 62.204.41.177:80 | 62.204.41.177 | tcp |
Files
memory/1656-1-0x0000000002C70000-0x0000000002D70000-memory.dmp
memory/1656-2-0x0000000000400000-0x0000000000661000-memory.dmp
memory/1656-3-0x0000000000400000-0x0000000002B75000-memory.dmp
memory/1656-4-0x0000000000400000-0x0000000002B75000-memory.dmp
memory/1656-5-0x0000000000400000-0x0000000000661000-memory.dmp