Analysis
max time kernel: 135s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2023 14:55
Behavioral task: behavioral1
Sample: build.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: build.exe
Resource: win10v2004-20230220-en
General
Target: build.exe
Size: 1.6MB
MD5: e8f26ecf5db066b87474e865b0de3cdc
SHA1: 80ec10fd56cacf66108b3280868c00078dea3c80
SHA256: d2e4fa8ee4bf5be0fdef19c2445021b18046c9b47e9223b2ab5d750018e1bf03
SHA512: 14a014948e03b65018a28ebe0269b95111e41b606c95abba1fdc0a7a4fcadb18144e198d4a2365a618c11d9d2b7b88ab0c4fc57c58ee71f0ccbaeefe847a17dd
SSDEEP: 24576:L7i2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLDi:6Tq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Signatures
Stealerium
An open source info stealer written in C# first seen in May 2022.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                 process
  Key value queried  \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation  build.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoCs)
Processes:
  pid   process
  2328  timeout.exe
Kills process with taskkill (1 IoCs)
Processes:
  pid   process
  1820  taskkill.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid   process
  2748  build.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2748  build.exe
  Token: SeDebugPrivilege  1820  taskkill.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process    target process
  PID 2748 wrote to memory of 1976  2748  build.exe  cmd.exe
  PID 2748 wrote to memory of 1976  2748  build.exe  cmd.exe
  PID 2748 wrote to memory of 1976  2748  build.exe  cmd.exe
  PID 1976 wrote to memory of 3420  1976  cmd.exe    chcp.com
  PID 1976 wrote to memory of 3420  1976  cmd.exe    chcp.com
  PID 1976 wrote to memory of 3420  1976  cmd.exe    chcp.com
  PID 1976 wrote to memory of 1820  1976  cmd.exe    taskkill.exe
  PID 1976 wrote to memory of 1820  1976  cmd.exe    taskkill.exe
  PID 1976 wrote to memory of 1820  1976  cmd.exe    taskkill.exe
  PID 1976 wrote to memory of 2328  1976  cmd.exe    timeout.exe
  PID 1976 wrote to memory of 2328  1976  cmd.exe    timeout.exe
  PID 1976 wrote to memory of 2328  1976  cmd.exe    timeout.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\build.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2748
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD15E.tmp.bat
        - Suspicious use of WriteProcessMemory
        PID: 1976
        [3] C:\Windows\SysWOW64\chcp.com
            Command line: chcp 65001
            PID: 3420
        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: TaskKill /F /IM 2748
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 1820
        [3] C:\Windows\SysWOW64\timeout.exe
            Command line: Timeout /T 2 /Nobreak
            - Delays execution with timeout.exe
            PID: 2328
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 57B
MD5: bf5fc08855d7b167cdd5b2c6440e9b37
SHA1: 6c5ef3fbaa353dc4ae1974a4b697fb9fde69c579
SHA256: de96a8eb8c2a23644300025d2a7b25957e86b6cb46a5ac1f8545879d04ddecb2
SHA512: 1a2f0b0d5fed2f05e986b71b33e996a522b807acbeb4906252c47e06213d991f659fea28c7a2b5733b5ae4415124da108b4a4e66ea65f9b958df3ad356935f85