Analysis

  • max time kernel
    26s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2023 14:55

General

  • Target

    build.exe

  • Size

    1.6MB

  • MD5

    e8f26ecf5db066b87474e865b0de3cdc

  • SHA1

    80ec10fd56cacf66108b3280868c00078dea3c80

  • SHA256

    d2e4fa8ee4bf5be0fdef19c2445021b18046c9b47e9223b2ab5d750018e1bf03

  • SHA512

    14a014948e03b65018a28ebe0269b95111e41b606c95abba1fdc0a7a4fcadb18144e198d4a2365a618c11d9d2b7b88ab0c4fc57c58ee71f0ccbaeefe847a17dd

  • SSDEEP

    24576:L7i2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLDi:6Tq24GjdGSiqkqXfd+/9AqYanieKd

Score
10/10

Malware Config

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7F5E.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:2040
        • C:\Windows\SysWOW64\taskkill.exe
          TaskKill /F /IM 1196
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2012
        • C:\Windows\SysWOW64\timeout.exe
          Timeout /T 2 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:1056

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp7F5E.tmp.bat

      Filesize

      57B

      MD5

      ad9325d23b14efef48697988f2dd9e7b

      SHA1

      8ca7d8100210230ed0328270db2a24d4e7ca3003

      SHA256

      09d54981bd1ad278c78ad7d046f18340be0559981928f58fb51fbab33b8fcf46

      SHA512

      b4d991924fab72a095d0a30f32a6bae1dbcc1c79d83fcfb2753fc9c95b4a25f73ab8f7c26c8c9c26dc1e776a5ff7db8893b4f44f15c9f9bc4807f430c5e2d7fc

    • memory/1196-54-0x0000000001020000-0x00000000011B6000-memory.dmp

      Filesize

      1.6MB

    • memory/1196-55-0x0000000004B50000-0x0000000004B90000-memory.dmp

      Filesize

      256KB