stealerium | 9475d84b7704e5f856f251c061ed7bd3c858829ff1c80741c1b5c36af5471edc

Analysis

max time kernel
28s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-03-2023 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Innovatoz/ressources/settings.exe
Size

1.5MB
MD5

c261bc5776da8ad95a63bd11e03e6b55
SHA1

7ec9ef39584a80c7a00347bcbee72c905a019275
SHA256

3be0dd7fed8cbb6fc0d5b8fe05cb47d4b6bbbbbcda5a204ba0ddd7aa2b51034a
SHA512

4f2cdc75cd93d6a20e2f5bf9cc1d8854d599e7b06c1950a71887ba94446efb6e6f81fddea40520eb0a61a3a026f8d3b53fbc69990daecaa82e5234a96e5ada19
SSDEEP

24576:g03i2Q9NXw2/wPOjdGxYqfw+Jwz/S/6RZs8nVW6k5JHkARt7DBAqnN:vSTq24GjdGSgw+W7SCRnVQTEQ/BA8

Score

10^/10

stealerium stealer

Malware Config

Extracted

Family

stealerium

https://discord.com/api/webhooks/1084268536513441892/Ev0RVleHBkKacsdmMZyVjiHoNcgq9YTQe6V0DWujQJR59Iu-Oy3G8rVC1GGDYUs2x_H9

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1516 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1644 taskkill.exe

flow	ioc
3	ip-api.com

pid	process
1516	timeout.exe

pid	process
1644	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

settings.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	settings.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	settings.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

settings.exe

pid process

2016 settings.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

settings.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2016 settings.exe
Token: SeDebugPrivilege 1644 taskkill.exe

pid	process
2016	settings.exe

description	pid	process
Token: SeDebugPrivilege	2016	settings.exe
Token: SeDebugPrivilege	1644	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

settings.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 1616	2016	settings.exe	cmd.exe
PID 2016 wrote to memory of 1616	2016	settings.exe	cmd.exe
PID 2016 wrote to memory of 1616	2016	settings.exe	cmd.exe
PID 2016 wrote to memory of 1616	2016	settings.exe	cmd.exe
PID 1616 wrote to memory of 1732	1616	cmd.exe	chcp.com
PID 1616 wrote to memory of 1732	1616	cmd.exe	chcp.com
PID 1616 wrote to memory of 1732	1616	cmd.exe	chcp.com
PID 1616 wrote to memory of 1732	1616	cmd.exe	chcp.com
PID 1616 wrote to memory of 1644	1616	cmd.exe	taskkill.exe
PID 1616 wrote to memory of 1644	1616	cmd.exe	taskkill.exe
PID 1616 wrote to memory of 1644	1616	cmd.exe	taskkill.exe
PID 1616 wrote to memory of 1644	1616	cmd.exe	taskkill.exe
PID 1616 wrote to memory of 1516	1616	cmd.exe	timeout.exe
PID 1616 wrote to memory of 1516	1616	cmd.exe	timeout.exe
PID 1616 wrote to memory of 1516	1616	cmd.exe	timeout.exe
PID 1616 wrote to memory of 1516	1616	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\Innovatoz\ressources\settings.exe
"C:\Users\Admin\AppData\Local\Temp\Innovatoz\ressources\settings.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4442.tmp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1732

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 2016
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4442.tmp.bat
Filesize
57B

MD5
42e52bfaa667927b4b613a222f3a6f4c

SHA1
b699abc4ef08a6dfaf5ea210762057e1ecee0aa5

SHA256
ce07a3388114fc1f709a8fdf5b196d62771a3a79b2aafc9cf1aeedd9d32d7969

SHA512
af20cdc34fe0795d09ebd35816e3b294b37c9fc1a74800aa8347da33625e39d49556d59eff426d1de0753279d7f0a782492e072157cbf1d358fc4b653737d2bb

Download Submit
memory/2016-54-0x0000000000B10000-0x0000000000C94000-memory.dmp

Filesize
1.5MB

Download
memory/2016-55-0x00000000003E0000-0x0000000000420000-memory.dmp

Filesize
256KB

Download