Overview

overview

10

Static

static

3

Engine.js

windows7-x64

3

Engine.js

windows10-2004-x64

3

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

bin/UbuilderB.exe

windows7-x64

1

bin/UbuilderB.exe

windows10-2004-x64

7

bin/scv.jar

windows7-x64

1

bin/scv.jar

windows10-2004-x64

1

cutline.ppt

windows7-x64

1

cutline.ppt

windows10-2004-x64

1

d3dx9_43.dll

windows7-x64

1

d3dx9_43.dll

windows10-2004-x64

1

packages/D...1].exe

windows7-x64

1

packages/D...1].exe

windows10-2004-x64

1

xNet.dll

windows7-x64

1

xNet.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    37s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 01:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    2.7MB

  • MD5

    870feaab725b148208dd12ffabe33f9d

  • SHA1

    9f3651ad5725848c880c24f8e749205a7e1e78c1

  • SHA256

    bbf7154f14d736f0c8491fb9fb44d2f179cdb02d34ab54c04466fa0702ea7d55

  • SHA512

    5bea301f85e6a55fd5730793b960442bc4dab92d0bf47e4e55c5490448a4a22ed6d0feb1dbe9d56d6b6ff8d06f163381807f83f467621f527bc6521857fc8e1a

  • SSDEEP

    49152:C11fbWXfBeBqTww8Gkfoa0yeL8zj9JLF+lP/MatsfHVnZbhG3EVsMI62Pseaj/1n:QbWkuwwjkULhlPUatsfBxhsE

Score
10/10
stealcanna2persistenceprivilege_escalationstealer

Malware Config

Extracted

Family

stealc

Botnet

ANNA2

C2

https://safefiledownloadsoft.com

Attributes
  • url_path

    /725c63b56c99aa26.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Users\Admin\AppData\Local\Temp\TraceFmt.exe
        C:\Users\Admin\AppData\Local\Temp\TraceFmt.exe
        3⤵
        • Loads dropped DLL
        PID:4692
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 2500
          4⤵
          • Program crash
          PID:4480
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4692 -ip 4692
    1⤵
      PID:4752

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Privilege Escalation

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\mozglue.dll
      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

      Download Submit
    • C:\ProgramData\nss3.dll
      Filesize

      2.0MB

      MD5

      1cc453cdf74f31e4d913ff9c10acdde2

      SHA1

      6e85eae544d6e965f15fa5c39700fa7202f3aafe

      SHA256

      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

      SHA512

      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TraceFmt.exe
      Filesize

      433KB

      MD5

      fea067901f48a5f1faf7ca3b373f1a8f

      SHA1

      e8abe0deb87de9fe3bb3a611234584e9a9b17cce

      SHA256

      bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

      SHA512

      07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\a1f40a73
      Filesize

      1.3MB

      MD5

      ee42b4e474deb2fad749a48b64e41f3f

      SHA1

      0d33f458d58d97f09a134e8da63823fbaa54e206

      SHA256

      0bd162d3cdc68c9bfa482a437807f410243410d7877110d70266cb102050c2aa

      SHA512

      bb135d599d4e04a7cd3bb9b7c26cd7bfb2ab3b1934d1c401f11723ecd5ba50efe128f63a3bd795b479514564538c7c94387a91dffbb09d16358aaf081d0b8c08

      Download Submit
    • memory/2668-16-0x0000000074541000-0x000000007454F000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2668-11-0x00007FFFBC790000-0x00007FFFBC985000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/2668-14-0x0000000074541000-0x000000007454F000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2668-13-0x000000007454E000-0x0000000074550000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2668-104-0x000000007454E000-0x0000000074550000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2668-9-0x0000000074541000-0x000000007454F000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3520-6-0x0000000074540000-0x00000000746BB000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3520-7-0x0000000074540000-0x00000000746BB000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3520-0-0x0000000074540000-0x00000000746BB000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3520-5-0x0000000074552000-0x0000000074554000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3520-1-0x00007FFFBC790000-0x00007FFFBC985000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/4692-20-0x00007FFFBC790000-0x00007FFFBC985000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/4692-23-0x0000000000095000-0x000000000009D000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4692-31-0x0000000061E00000-0x0000000061EF3000-memory.dmp
      Filesize

      972KB

      Download
    • memory/4692-24-0x0000000000050000-0x000000000010A000-memory.dmp
      Filesize

      744KB

      Download
    • memory/4692-21-0x0000000000480000-0x00000000006BE000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/4692-103-0x0000000000480000-0x00000000006BE000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/4692-17-0x0000000000480000-0x00000000006BE000-memory.dmp
      Filesize

      2.2MB

      Download