Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
24/12/2024, 21:33
General
-
Target
Setup.exe
-
Size
98.2MB
-
MD5
c681f05fe3025f3a23833da6e100ba9d
-
SHA1
7e862b1895561bc3aca9595210276b0f6597636a
-
SHA256
94215092f8c5b6b91c39458b51665a3cd62c35706ad8c2908d7eb6d74d17702b
-
SHA512
106d6d41738691fa6fe49ae313bc2d85fa8d7a7dd8283899aa01c6d056053a23d5bf569af601a42c65eca2bdee334af65fd745cfbf26c67b4a1eb6f1fe9158d3
-
SSDEEP
12288:upjQGbC5X/m4WTfzf2ugUNkYn40lhETt3EqEELHZIQnlT1H:kjLmXRyfTNfNki/ktUqEEL5IO
Malware Config
Extracted
stealc
670052684
http://178.63.148.7
-
url_path
/875489374a8fad8f.php
Signatures
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Loads dropped DLL 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"3⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 12604⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2956 -ip 29561⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
625KB
MD5b3d94421e2b58e3f439e5a98637962af
SHA1c8d54b23bb58962d6a428371953e1d0ab36d5987
SHA256c21e28073425ea6fd725c176beb617589562d41819fd909383223176113c56f5
SHA512935979ed19747ea79f4b91681d3769acd369ef3261d3251570e203f1644041516db486bfc91dbf055441a5b1798d9ed2002728537d83fcdfec8179f5cbc5943e
-
Filesize
582KB
MD5fc75d66b8daf935a4bee91d24f3609c3
SHA1b34ef2128e4c36bf6fcc09af08bcef50d35e0227
SHA2567adc248b5efc0cceb3a2e4540dab54a6a4dec434950443342657c99c4dc18952
SHA512a6eaafab8224c158b9772edfed9934f7dfecc231c393382643cb67ac0283596156479a63a9b6f8824d5f2bf9943ff60a7fbc209896f6730b3b8c66d6adc91608
-
Filesize
7.7MB
-
Filesize
568KB
-
Filesize
24KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
24KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
456KB
-
Filesize
7.7MB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
7.7MB
-
Filesize
456KB
-
Filesize
392KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB