Analysis
-
max time kernel
94s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-11-2024 11:16
Static task
static1
Behavioral task
behavioral1
Sample
8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe
Resource
win7-20241010-en
General
-
Target
8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe
-
Size
2.0MB
-
MD5
7b48de772acb4f632429a89bcf8cb58b
-
SHA1
739be1230fe5ce22ae867e7a4b74de7a4c9af487
-
SHA256
8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f
-
SHA512
1cd425cd9492bf74eeec7ee1b9a58a48f626cb91048c603595083b9e4597ea72b69ad57e829c3930488535d162a08c8c68f845248dcc6ca2f4f4554c0cbe2e0d
-
SSDEEP
49152:48zJ008G4nL9Z2GiVrvaQsZBdDLgAPOrCPh:4ixGiVSBdDbPOrCPh
Malware Config
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Signatures
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe -
Loads dropped DLL 1 IoCs
Processes:
8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exepid Process 5072 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exepid Process 5072 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.execmd.exetimeout.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid Process 2376 timeout.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exepid Process 5072 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe 5072 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe 5072 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe 5072 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.execmd.exedescription pid Process procid_target PID 5072 wrote to memory of 2164 5072 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe 87 PID 5072 wrote to memory of 2164 5072 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe 87 PID 5072 wrote to memory of 2164 5072 8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe 87 PID 2164 wrote to memory of 2376 2164 cmd.exe 89 PID 2164 wrote to memory of 2376 2164 cmd.exe 89 PID 2164 wrote to memory of 2376 2164 cmd.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe"C:\Users\Admin\AppData\Local\Temp\8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8efd270db517e7b0680011cf1ac803a2675507d8701ed1b86c8ddab7b2823a6f.exe" & del "C:\ProgramData\*.dll"" & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2376
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
676KB
MD5eda18948a989176f4eebb175ce806255
SHA1ff22a3d5f5fb705137f233c36622c79eab995897
SHA25681a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
SHA512160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85