Overview

overview

10

Static

static

5

stand.exe

windows7-x64

10

stand.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    47s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2025, 22:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    stand.exe

  • Size

    17.8MB

  • MD5

    4e45d159b2f482edac2ba45713c335a2

  • SHA1

    1b97c1e523ed4add9d952842a920b0c42ceacfb4

  • SHA256

    05ac40c0f8950fd6800e6663062d2a27cc466c5d3e2df8f50200fc1787e516f3

  • SHA512

    2a041d04cb5be086bae31a49d9eec94187fbd7459803111017421fde76f968f6369c78060ccafb22a59781f55730f446343df104fd0383ac2b336411b3554ed6

  • SSDEEP

    98304:QN4aC69mw0GrEW1bSc1AzMjir7ifGB0Kn9JtxTbF:Q270mw9bScyM4WObn9J3

Score
10/10
salatstealercredential_accessdiscoveryspywarestealerupx

Malware Config

Signatures

  • Detect SalatStealer payload 8 IoCs
  • Salatstealer family
    salatstealer
  • salatstealer

    SalatStealer is a stealer that takes sceenshot written in Golang.

    stealersalatstealer
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\stand.exe
    "C:\Users\Admin\AppData\Local\Temp\stand.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.Exe
      "C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.Exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe
        3⤵
        • Drops file in Drivers directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4884
        • C:\Windows\SysWOW64\ReAgentc.exe
          "C:\Windows\system32\ReAgentc.exe" /disable
          4⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          PID:1336
      • C:\Program Files\Google\Chrome\Application\SppExtComObj.Exe
        "C:\Program Files\Google\Chrome\Application\SppExtComObj.Exe" -
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4432
      • C:\Program Files (x86)\Microsoft\Edge\Application\SppExtComObj.Exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\SppExtComObj.Exe" -
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:548
  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    1⤵
      PID:4060
    • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
      1⤵
        PID:5160
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:3368

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.Exe
          Filesize

          17.8MB

          MD5

          4e45d159b2f482edac2ba45713c335a2

          SHA1

          1b97c1e523ed4add9d952842a920b0c42ceacfb4

          SHA256

          05ac40c0f8950fd6800e6663062d2a27cc466c5d3e2df8f50200fc1787e516f3

          SHA512

          2a041d04cb5be086bae31a49d9eec94187fbd7459803111017421fde76f968f6369c78060ccafb22a59781f55730f446343df104fd0383ac2b336411b3554ed6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gw3cxgvn.h1y.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/548-42-0x0000000000800000-0x000000000137F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/548-44-0x0000000000800000-0x000000000137F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2752-0-0x00000000000A0000-0x0000000000C1F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2752-9-0x00000000000A0000-0x0000000000C1F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4008-80-0x0000000000BE0000-0x000000000175F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4008-76-0x0000000000BE0000-0x000000000175F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4008-75-0x0000000000BE0000-0x000000000175F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4008-82-0x0000000000BE0000-0x000000000175F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4008-83-0x0000000000BE0000-0x000000000175F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4008-8-0x0000000000BE0000-0x000000000175F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4432-19-0x0000000000F70000-0x0000000001AEF000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4432-34-0x0000000000F70000-0x0000000001AEF000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4884-46-0x0000000006F40000-0x0000000006F5A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4884-68-0x0000000007320000-0x00000000073C3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/4884-35-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4884-36-0x0000000005C50000-0x0000000005C9C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4884-38-0x00000000060F0000-0x0000000006134000-memory.dmp

          Filesize

          272KB

          Download

        • memory/4884-21-0x00000000053C0000-0x0000000005426000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4884-22-0x0000000005530000-0x0000000005596000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4884-43-0x0000000006EA0000-0x0000000006F16000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4884-20-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4884-45-0x00000000075A0000-0x0000000007C1A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4884-48-0x0000000007080000-0x00000000070A2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4884-47-0x00000000070F0000-0x0000000007186000-memory.dmp

          Filesize

          600KB

          Download

        • memory/4884-49-0x00000000081D0000-0x0000000008774000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4884-56-0x00000000701A0000-0x00000000701EC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4884-57-0x00000000709A0000-0x0000000070CF4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4884-28-0x00000000055A0000-0x00000000058F4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4884-67-0x0000000007300000-0x000000000731E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4884-69-0x0000000007420000-0x000000000742A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4884-55-0x00000000072C0000-0x00000000072F2000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4884-70-0x0000000007430000-0x0000000007441000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4884-71-0x0000000007460000-0x000000000746E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4884-72-0x0000000007470000-0x0000000007484000-memory.dmp

          Filesize

          80KB

          Download

        • memory/4884-73-0x00000000074D0000-0x00000000074EA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4884-74-0x00000000074C0000-0x00000000074C8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4884-15-0x0000000074380000-0x0000000074B30000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4884-77-0x000000007438E000-0x000000007438F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4884-78-0x0000000074380000-0x0000000074B30000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4884-13-0x0000000074380000-0x0000000074B30000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4884-79-0x0000000074380000-0x0000000074B30000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4884-14-0x0000000004D20000-0x0000000005348000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4884-12-0x00000000045D0000-0x0000000004606000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4884-10-0x000000007438E000-0x000000007438F000-memory.dmp

          Filesize

          4KB

          Download