Analysis Overview
SHA256
d2e4fa8ee4bf5be0fdef19c2445021b18046c9b47e9223b2ab5d750018e1bf03
Threat Level: Known bad
The file build.exe was found to be: Known bad.
Malicious Activity Summary
Stealerium
Stealerium family
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Kills process with taskkill
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-20 14:55
Signatures
Stealerium family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-20 14:55
Reported
2023-05-20 14:57
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
154s
Command Line
Signatures
Stealerium
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD15E.tmp.bat
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 2748
C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 117.18.237.29:80 | N/A | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 20.189.173.1:443 | N/A | tcp |
| NL | 8.238.177.126:80 | N/A | tcp |
| NL | 173.223.113.164:443 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| NL | 8.238.177.126:80 | N/A | tcp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 40.125.122.176:443 | N/A | tcp |
Files
memory/2748-133-0x0000000000070000-0x0000000000206000-memory.dmp
memory/2748-134-0x0000000004BE0000-0x0000000004C46000-memory.dmp
memory/2748-135-0x0000000004BD0000-0x0000000004BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD15E.tmp.bat
| MD5 | bf5fc08855d7b167cdd5b2c6440e9b37 |
| SHA1 | 6c5ef3fbaa353dc4ae1974a4b697fb9fde69c579 |
| SHA256 | de96a8eb8c2a23644300025d2a7b25957e86b6cb46a5ac1f8545879d04ddecb2 |
| SHA512 | 1a2f0b0d5fed2f05e986b71b33e996a522b807acbeb4906252c47e06213d991f659fea28c7a2b5733b5ae4415124da108b4a4e66ea65f9b958df3ad356935f85 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-20 14:55
Reported
2023-05-20 14:57
Platform
win7-20230220-en
Max time kernel
26s
Max time network
30s
Command Line
Signatures
Stealerium
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7F5E.tmp.bat
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 1196
C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
Files
memory/1196-54-0x0000000001020000-0x00000000011B6000-memory.dmp
memory/1196-55-0x0000000004B50000-0x0000000004B90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7F5E.tmp.bat
| MD5 | ad9325d23b14efef48697988f2dd9e7b |
| SHA1 | 8ca7d8100210230ed0328270db2a24d4e7ca3003 |
| SHA256 | 09d54981bd1ad278c78ad7d046f18340be0559981928f58fb51fbab33b8fcf46 |
| SHA512 | b4d991924fab72a095d0a30f32a6bae1dbcc1c79d83fcfb2753fc9c95b4a25f73ab8f7c26c8c9c26dc1e776a5ff7db8893b4f44f15c9f9bc4807f430c5e2d7fc |