Overview
overview: 10
static: 10

Target                   Platform             Score
Innovatoz/...oz.bat      windows7-x64         10
Innovatoz/...oz.bat      windows10-2004-x64   1
Innovatoz/menu.py        windows7-x64         3
Innovatoz/menu.py        windows10-2004-x64   3
Innovatoz/menu2.py       windows7-x64         3
Innovatoz/menu2.py       windows10-2004-x64   3
Innovatoz/menu3.py       windows7-x64         3
Innovatoz/menu3.py       windows10-2004-x64   3
Innovatoz/...de.exe      windows7-x64         7
Innovatoz/...de.exe      windows10-2004-x64   7
Innovatoz/...in.bat      windows7-x64         1
Innovatoz/...in.bat      windows10-2004-x64   3
Innovatoz/...es.exe      windows7-x64         7
Innovatoz/...es.exe      windows10-2004-x64   7
Innovatoz/...es.exe      windows7-x64         7
Innovatoz/...es.exe      windows10-2004-x64   7
Innovatoz/...gs.exe      windows7-x64         10
Innovatoz/...gs.exe      windows10-2004-x64   10
Innovatoz/runner.bat     windows7-x64         10
Innovatoz/runner.bat     windows10-2004-x64   10
Analysis
max time kernel: 28s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 31-03-2023 19:47
Behavioral tasks (sample / resource)
behavioral1: Innovatoz/Innovatoz.bat / win7-20230220-en
behavioral2: Innovatoz/Innovatoz.bat / win10v2004-20230220-en
behavioral3: Innovatoz/menu.py / win7-20230220-en
behavioral4: Innovatoz/menu.py / win10v2004-20230220-en
behavioral5: Innovatoz/menu2.py / win7-20230220-en
behavioral6: Innovatoz/menu2.py / win10v2004-20230220-en
behavioral7: Innovatoz/menu3.py / win7-20230220-en
behavioral8: Innovatoz/menu3.py / win10v2004-20230220-en
behavioral9: Innovatoz/ressources/code.exe / win7-20230220-en
behavioral10: Innovatoz/ressources/code.exe / win10v2004-20230220-en
behavioral11: Innovatoz/ressources/explain.bat / win7-20230220-en
behavioral12: Innovatoz/ressources/explain.bat / win10v2004-20230220-en
behavioral13: Innovatoz/ressources/properties.exe / win7-20230220-en
behavioral14: Innovatoz/ressources/properties.exe / win10v2004-20230220-en
behavioral15: Innovatoz/ressources/ressources.exe / win7-20230220-en
behavioral16: Innovatoz/ressources/ressources.exe / win10v2004-20230220-en
behavioral17: Innovatoz/ressources/settings.exe / win7-20230220-en
behavioral18: Innovatoz/ressources/settings.exe / win10v2004-20230220-en
behavioral19: Innovatoz/runner.bat / win7-20230220-en
behavioral20: Innovatoz/runner.bat / win10v2004-20230220-en
General
Target: Innovatoz/ressources/settings.exe
Size: 1.5MB
MD5: c261bc5776da8ad95a63bd11e03e6b55
SHA1: 7ec9ef39584a80c7a00347bcbee72c905a019275
SHA256: 3be0dd7fed8cbb6fc0d5b8fe05cb47d4b6bbbbbcda5a204ba0ddd7aa2b51034a
SHA512: 4f2cdc75cd93d6a20e2f5bf9cc1d8854d599e7b06c1950a71887ba94446efb6e6f81fddea40520eb0a61a3a026f8d3b53fbc69990daecaa82e5234a96e5ada19
SSDEEP: 24576:g03i2Q9NXw2/wPOjdGxYqfw+Jwz/S/6RZs8nVW6k5JHkARt7DBAqnN:vSTq24GjdGSgw+W7SCRnVQTEQ/BA8
Malware Config
Extracted family: stealerium
Webhook URL: https://discord.com/api/webhooks/1084268536513441892/Ev0RVleHBkKacsdmMZyVjiHoNcgq9YTQe6V0DWujQJR59Iu-Oy3G8rVC1GGDYUs2x_H9
Signatures
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes: flow 3, ioc ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoCs)
  Processes: pid 1516 timeout.exe
- Kills process with taskkill (1 IoCs)
  Processes: pid 1644 taskkill.exe
- Modifies system certificate store
  Processes: settings.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (hex-encoded certificate blob, omitted here)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: pid 2016 settings.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 2016 settings.exe
    Token: SeDebugPrivilege, pid 1644 taskkill.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source pid/process wrote to memory of target pid/process):
    2016 settings.exe -> 1616 cmd.exe (4 entries)
    1616 cmd.exe -> 1732 chcp.com (4 entries)
    1616 cmd.exe -> 1644 taskkill.exe (4 entries)
    1616 cmd.exe -> 1516 timeout.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Innovatoz\ressources\settings.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Innovatoz\ressources\settings.exe"
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4442.tmp.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: TaskKill /F /IM 2016
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe
      Command line: Timeout /T 2 /Nobreak
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4442.tmp.bat
  Filesize: 57B
  MD5: 42e52bfaa667927b4b613a222f3a6f4c
  SHA1: b699abc4ef08a6dfaf5ea210762057e1ecee0aa5
  SHA256: ce07a3388114fc1f709a8fdf5b196d62771a3a79b2aafc9cf1aeedd9d32d7969
  SHA512: af20cdc34fe0795d09ebd35816e3b294b37c9fc1a74800aa8347da33625e39d49556d59eff426d1de0753279d7f0a782492e072157cbf1d358fc4b653737d2bb
- memory/2016-54-0x0000000000B10000-0x0000000000C94000-memory.dmp
  Filesize: 1.5MB
- memory/2016-55-0x00000000003E0000-0x0000000000420000-memory.dmp
  Filesize: 256KB