Analysis
- max time kernel: 26s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 20-05-2023 14:55
Behavioral task: behavioral1
- Sample: build.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: build.exe
- Resource: win10v2004-20230220-en
General
- Target: build.exe
- Size: 1.6MB
- MD5: e8f26ecf5db066b87474e865b0de3cdc
- SHA1: 80ec10fd56cacf66108b3280868c00078dea3c80
- SHA256: d2e4fa8ee4bf5be0fdef19c2445021b18046c9b47e9223b2ab5d750018e1bf03
- SHA512: 14a014948e03b65018a28ebe0269b95111e41b606c95abba1fdc0a7a4fcadb18144e198d4a2365a618c11d9d2b7b88ab0c4fc57c58ee71f0ccbaeefe847a17dd
- SSDEEP: 24576:L7i2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLDi:6Tq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Signatures
- Stealerium
  An open-source info stealer written in C#, first seen in May 2022.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  Processes:
    timeout.exe (PID 1056)
- Kills process with taskkill (1 IoC)
  Processes:
    taskkill.exe (PID 2012)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    build.exe (PID 1196)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    build.exe (PID 1196): Token: SeDebugPrivilege
    taskkill.exe (PID 2012): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source PID and process, target PID and process):
    PID 1196 (build.exe) wrote to memory of PID 1240 (cmd.exe), 4 events
    PID 1240 (cmd.exe) wrote to memory of PID 2040 (chcp.com), 4 events
    PID 1240 (cmd.exe) wrote to memory of PID 2012 (taskkill.exe), 4 events
    PID 1240 (cmd.exe) wrote to memory of PID 1056 (timeout.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\build.exe (depth 1, PID 1196)
  Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1240)
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7F5E.tmp.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (depth 3, PID 2040)
      Command line: chcp 65001
    - C:\Windows\SysWOW64\taskkill.exe (depth 3, PID 2012)
      Command line: TaskKill /F /IM 1196
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe (depth 3, PID 1056)
      Command line: Timeout /T 2 /Nobreak
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 57B
  MD5: ad9325d23b14efef48697988f2dd9e7b
  SHA1: 8ca7d8100210230ed0328270db2a24d4e7ca3003
  SHA256: 09d54981bd1ad278c78ad7d046f18340be0559981928f58fb51fbab33b8fcf46
  SHA512: b4d991924fab72a095d0a30f32a6bae1dbcc1c79d83fcfb2753fc9c95b4a25f73ab8f7c26c8c9c26dc1e776a5ff7db8893b4f44f15c9f9bc4807f430c5e2d7fc