Analysis

max time kernel: 30s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2023 19:28
Behavioral task: behavioral1
Sample: bsco-4v4t4r.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: bsco-4v4t4r.exe
Resource: win10v2004-20230220-en
General

Target: bsco-4v4t4r.exe
Size: 1.6MB
MD5: c845ab96f7e195e9863395f24657f0cd
SHA1: 0368773cf3c71fef84082f2068ffafb3ed5580b3
SHA256: 95712d2264e3eb59cae19859ecb0ecab79dbb998189f56c1b697fe5c233d34d6
SHA512: d33b36254a2aeea23f21db8e1a4af17bec355d1840cb03f1892c15afd84c74a8560ea06ed62a2dbf5ffae9047ce2b45e16f18b6b1825ee8c30a30a242e17c9b9
SSDEEP: 24576:Si2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLU:lTq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Extracted
stealerium
https://discord.com/api/webhooks/1098436501517369394/JKCsN0HXfrE6Z1tY-USgbbvMdy8EidwbtI0dVIIjWIpD09R2nXrCi99850bnMqFKyC2a
Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoCs)
Processes:
  PID 1684  timeout.exe

Kills process with taskkill (1 IoCs)
Processes:
  PID 748  taskkill.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  PID 820  bsco-4v4t4r.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 820  bsco-4v4t4r.exe
  Token: SeDebugPrivilege  PID 748  taskkill.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes (each parent/target pair appears four times in the original listing; shown once with a count):
  PID 820 (bsco-4v4t4r.exe) wrote to memory of PID 928 (cmd.exe)       x4
  PID 928 (cmd.exe) wrote to memory of PID 880 (chcp.com)              x4
  PID 928 (cmd.exe) wrote to memory of PID 748 (taskkill.exe)          x4
  PID 928 (cmd.exe) wrote to memory of PID 1684 (timeout.exe)          x4
Processes

C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe"
  PID: 820
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp866F.tmp.bat
    PID: 928
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      PID: 880

    C:\Windows\SysWOW64\taskkill.exe
      Command line: TaskKill /F /IM 820
      PID: 748
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\timeout.exe
      Command line: Timeout /T 2 /Nobreak
      PID: 1684
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 56B
MD5: 90dcdd150b66114840c4539dec10d954
SHA1: 07b020f5324ad737209964643355630a37c5e9d9
SHA256: e50506f3ac1d84ee33dda7f5ea8cc8e63c9321f6a954f08d03fd845d097dee59
SHA512: 74272952d721fdb33ee064191494c85636167dc15f38d2a6ed7f6a9e0da6e7f3ebbd22371c2c8b9e21aedaff61b99f1130a700a0e47b8b007704af977bbc423a