Analysis
- max time kernel: 15s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 23-12-2024 06:33
Behavioral task behavioral1
- Sample: stealcy11.exe
- Resource: win7-20241010-en
Behavioral task behavioral2
- Sample: stealcy11.exe
- Resource: win10v2004-20241007-en
General
- Target: stealcy11.exe
- Size: 240KB
- MD5: 004431fc72fc1228abf10e298efa0271
- SHA1: 05195b1a70f078c9116998d7486e672d90e93218
- SHA256: 082796fccb8ffb566a99ba188cae572eac30f1bf6e11a7bf4e5ebe757bc66c88
- SHA512: 8e1c87b177cd3cd687760f002fea6851ae34b2543df434ed1db4146a33a684f5a386e4e6d9d76bd14e064dd29fe6cc1cb0407cac10abf0c9cd4513eefcac8335
- SSDEEP: 3072:sCFW6ZRlcV3K+gqCClq/oPk1U894z1tJS7pmLUMOmjoRWwhSeUReHeP3KqX+n:j1J7+go0U8evIFmLu6kKeot+
Malware Config
Signatures
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Program crash (1 IoCs)
  pid: 2156, pid_target: 2412, Process: WerFault.exe, procid_target: 28
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: stealcy11.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description: Key opened, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, Process: stealcy11.exe
  description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, Process: stealcy11.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid: 2412, Process: stealcy11.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2412 wrote to memory of 2156, pid: 2412, Process: stealcy11.exe, procid_target: 30
  description: PID 2412 wrote to memory of 2156, pid: 2412, Process: stealcy11.exe, procid_target: 30
  description: PID 2412 wrote to memory of 2156, pid: 2412, Process: stealcy11.exe, procid_target: 30
  description: PID 2412 wrote to memory of 2156, pid: 2412, Process: stealcy11.exe, procid_target: 30
Processes
- C:\Users\Admin\AppData\Local\Temp\stealcy11.exe (PID 2412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\stealcy11.exe"
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\WerFault.exe (PID 2156)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 660
    - Program crash