Analysis
- max time kernel: 121s
- max time network: 159s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 25-10-2021 14:47

Static task: static1
Behavioral task: behavioral1
- Sample: stub.bin.exe
- Resource: win7-en-20210920
- windows7_x64
- 0 signatures
- 0 seconds
General
- Target: stub.bin.exe
- Size: 561KB
- MD5: 68260e77a8d3f9f51e06d351f9ec4a9a
- SHA1: 11dad0b9986ed9f8da5b8021bf1fdcef7aeba159
- SHA256: fddde87baeb78e0cbd56e87bf6e27052c13a42b5c808331b39157a605851164e
- SHA512: 7801cfdf9786d14c5386c900e42b8228c8242be13e5f6d3e8fd8b4c93f6796faec7caf0f93077ecc5933e912113ea6dfb735160b0289e34073a7f0a337ff66f1
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (6 IoCs)
  Processes: stub.bin.exe
  description: File created (all by stub.bin.exe)
  ioc:
    C:\Users\Admin\AppData\Local\7884e5c8d073104ae541abc0f9567b09\Admin@RSSLLXYN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini
    C:\Users\Admin\AppData\Local\7884e5c8d073104ae541abc0f9567b09\Admin@RSSLLXYN_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
    C:\Users\Admin\AppData\Local\7884e5c8d073104ae541abc0f9567b09\Admin@RSSLLXYN_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
    C:\Users\Admin\AppData\Local\7884e5c8d073104ae541abc0f9567b09\Admin@RSSLLXYN_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
    C:\Users\Admin\AppData\Local\7884e5c8d073104ae541abc0f9567b09\Admin@RSSLLXYN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini
    C:\Users\Admin\AppData\Local\7884e5c8d073104ae541abc0f9567b09\Admin@RSSLLXYN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid   pid_target  process       target process
  2040  4356        WerFault.exe  stub.bin.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  Processes: stub.bin.exe, WerFault.exe
  pid   process       events
  4356  stub.bin.exe  10
  2040  WerFault.exe  13
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: stub.bin.exe, WerFault.exe
  description                pid   process
  Token: SeDebugPrivilege    4356  stub.bin.exe
  Token: SeRestorePrivilege  2040  WerFault.exe
  Token: SeBackupPrivilege   2040  WerFault.exe
  Token: SeDebugPrivilege    2040  WerFault.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: stub.bin.exe, cmd.exe, cmd.exe
  description                       pid   process       target process  events
  PID 4356 wrote to memory of 4700  4356  stub.bin.exe  cmd.exe         3
  PID 4700 wrote to memory of 852   4700  cmd.exe       chcp.com        3
  PID 4700 wrote to memory of 296   4700  cmd.exe       netsh.exe       3
  PID 4700 wrote to memory of 1036  4700  cmd.exe       findstr.exe     3
  PID 4356 wrote to memory of 1280  4356  stub.bin.exe  cmd.exe         3
  PID 1280 wrote to memory of 1796  1280  cmd.exe       chcp.com        3
  PID 1280 wrote to memory of 1860  1280  cmd.exe       netsh.exe       3
Processes
- C:\Users\Admin\AppData\Local\Temp\stub.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\stub.bin.exe"
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      chcp 65001
    - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
    - C:\Windows\SysWOW64\findstr.exe
      findstr All
  - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      chcp 65001
    - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 2620
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/296-123-0x0000000000000000-mapping.dmp
- memory/852-122-0x0000000000000000-mapping.dmp
- memory/1036-124-0x0000000000000000-mapping.dmp
- memory/1280-125-0x0000000000000000-mapping.dmp
- memory/1796-126-0x0000000000000000-mapping.dmp
- memory/1860-127-0x0000000000000000-mapping.dmp
- memory/4356-115-0x00000000009F0000-0x00000000009F1000-memory.dmp (Filesize: 4KB)
- memory/4356-117-0x00000000052D0000-0x00000000052D1000-memory.dmp (Filesize: 4KB)
- memory/4356-118-0x00000000055A0000-0x00000000055A1000-memory.dmp (Filesize: 4KB)
- memory/4356-119-0x00000000073C0000-0x00000000073C1000-memory.dmp (Filesize: 4KB)
- memory/4356-121-0x0000000007960000-0x0000000007961000-memory.dmp (Filesize: 4KB)
- memory/4700-120-0x0000000000000000-mapping.dmp