Analysis

  • max time kernel
    30s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-05-2023 19:28

General

  • Target

    bsco-4v4t4r.exe

  • Size

    1.6MB

  • MD5

    c845ab96f7e195e9863395f24657f0cd

  • SHA1

    0368773cf3c71fef84082f2068ffafb3ed5580b3

  • SHA256

    95712d2264e3eb59cae19859ecb0ecab79dbb998189f56c1b697fe5c233d34d6

  • SHA512

    d33b36254a2aeea23f21db8e1a4af17bec355d1840cb03f1892c15afd84c74a8560ea06ed62a2dbf5ffae9047ce2b45e16f18b6b1825ee8c30a30a242e17c9b9

  • SSDEEP

    24576:Si2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLU:lTq24GjdGSiqkqXfd+/9AqYanieKd

Score
10/10

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1098436501517369394/JKCsN0HXfrE6Z1tY-USgbbvMdy8EidwbtI0dVIIjWIpD09R2nXrCi99850bnMqFKyC2a

Signatures

  • Stealerium

    An open-source info stealer written in C#, first seen in May 2022.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe
    "C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp866F.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:880
        • C:\Windows\SysWOW64\taskkill.exe
          TaskKill /F /IM 820
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:748
        • C:\Windows\SysWOW64\timeout.exe
          Timeout /T 2 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:1684

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp866F.tmp.bat

    Filesize

    56B

    MD5

    90dcdd150b66114840c4539dec10d954

    SHA1

    07b020f5324ad737209964643355630a37c5e9d9

    SHA256

    e50506f3ac1d84ee33dda7f5ea8cc8e63c9321f6a954f08d03fd845d097dee59

    SHA512

    74272952d721fdb33ee064191494c85636167dc15f38d2a6ed7f6a9e0da6e7f3ebbd22371c2c8b9e21aedaff61b99f1130a700a0e47b8b007704af977bbc423a

  • memory/820-54-0x0000000000C20000-0x0000000000DB2000-memory.dmp

    Filesize

    1.6MB

  • memory/820-55-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

    Filesize

    256KB