Analysis

  • max time kernel
    135s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2023 14:55

General

  • Target

    build.exe

  • Size

    1.6MB

  • MD5

    e8f26ecf5db066b87474e865b0de3cdc

  • SHA1

    80ec10fd56cacf66108b3280868c00078dea3c80

  • SHA256

    d2e4fa8ee4bf5be0fdef19c2445021b18046c9b47e9223b2ab5d750018e1bf03

  • SHA512

    14a014948e03b65018a28ebe0269b95111e41b606c95abba1fdc0a7a4fcadb18144e198d4a2365a618c11d9d2b7b88ab0c4fc57c58ee71f0ccbaeefe847a17dd

  • SSDEEP

    24576:L7i2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLDi:6Tq24GjdGSiqkqXfd+/9AqYanieKd

Score
10/10

Malware Config

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD15E.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:3420
        • C:\Windows\SysWOW64\taskkill.exe
          TaskKill /F /IM 2748
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1820
        • C:\Windows\SysWOW64\timeout.exe
          Timeout /T 2 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:2328

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpD15E.tmp.bat

      Filesize

      57B

      MD5

      bf5fc08855d7b167cdd5b2c6440e9b37

      SHA1

      6c5ef3fbaa353dc4ae1974a4b697fb9fde69c579

      SHA256

      de96a8eb8c2a23644300025d2a7b25957e86b6cb46a5ac1f8545879d04ddecb2

      SHA512

      1a2f0b0d5fed2f05e986b71b33e996a522b807acbeb4906252c47e06213d991f659fea28c7a2b5733b5ae4415124da108b4a4e66ea65f9b958df3ad356935f85

    • memory/2748-133-0x0000000000070000-0x0000000000206000-memory.dmp

      Filesize

      1.6MB

    • memory/2748-134-0x0000000004BE0000-0x0000000004C46000-memory.dmp

      Filesize

      408KB

    • memory/2748-135-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

      Filesize

      64KB