Analysis
-
max time kernel
72s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system -
submitted
26-05-2023 19:28
Behavioral task
behavioral1
Sample
bsco-4v4t4r.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
bsco-4v4t4r.exe
Resource
win10v2004-20230220-en
General
-
Target
bsco-4v4t4r.exe
-
Size
1.6MB
-
MD5
c845ab96f7e195e9863395f24657f0cd
-
SHA1
0368773cf3c71fef84082f2068ffafb3ed5580b3
-
SHA256
95712d2264e3eb59cae19859ecb0ecab79dbb998189f56c1b697fe5c233d34d6
-
SHA512
d33b36254a2aeea23f21db8e1a4af17bec355d1840cb03f1892c15afd84c74a8560ea06ed62a2dbf5ffae9047ce2b45e16f18b6b1825ee8c30a30a242e17c9b9
-
SSDEEP
24576:Si2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLU:lTq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Extracted
stealerium
https://discord.com/api/webhooks/1098436501517369394/JKCsN0HXfrE6Z1tY-USgbbvMdy8EidwbtI0dVIIjWIpD09R2nXrCi99850bnMqFKyC2a
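The extracted config is a single Discord webhook, which Stealerium uses as its exfiltration channel. The script below is an added example, not part of this report or of Stealerium: it pulls Discord webhook URLs out of a byte blob (a strings dump, a memory region, a decoded config) and decodes the webhook ID, which is a Discord snowflake and therefore carries the webhook's creation time. The only real input is the webhook URL extracted above; the surrounding bytes, the regex and the function names are constructed for the example. The ID and token pair is the IOC to share; the creation time is useful when timelining the campaign.

```python
"""Extract Discord webhook URLs from a blob and decode the webhook ID.

Added example, not part of the sandbox report or of Stealerium. The
webhook URL is the one the report extracted; everything around it is
constructed filler standing in for a strings dump.
"""
import re
from datetime import datetime, timezone

# Discord snowflake IDs carry a creation timestamp in their top 42 bits,
# expressed in milliseconds since the Discord epoch (2015-01-01T00:00:00Z).
DISCORD_EPOCH_MS = 1_420_070_400_000

# Webhook URL: host, numeric snowflake ID, then a URL-safe token.
WEBHOOK_RE = re.compile(
    rb"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    rb"(\d{17,20})/([A-Za-z0-9_-]{20,})"
)


def snowflake_created(snowflake: int) -> datetime:
    """Return the UTC creation time encoded in a Discord snowflake."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def extract_webhooks(blob: bytes) -> list:
    """Find every Discord webhook URL in blob and describe it as an IOC."""
    found = []
    for m in WEBHOOK_RE.finditer(blob):
        wid = int(m.group(1))
        found.append({
            "url": m.group(0).decode(),
            "id": wid,
            "token": m.group(2).decode(),
            "created": snowflake_created(wid),
        })
    return found


# Constructed sample: the report's webhook embedded in filler bytes that
# imitate neighbouring .NET string data.
SAMPLE = (
    b"\x00\x00Stealerium\x00\x00"
    b"https://discord.com/api/webhooks/1098436501517369394/"
    b"JKCsN0HXfrE6Z1tY-USgbbvMdy8EidwbtI0dVIIjWIpD09R2nXrCi99850bnMqFKyC2a"
    b"\x00\x00Control Panel\\International\\Geo\\Nation\x00"
)

if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE):
        print(f"webhook {hook['id']} created {hook['created']:%Y-%m-%d} "
              f"token {hook['token'][:8]}...")
```

Run it over the output of `strings` on the sample, or over a memory dump of the running process, to recover the webhook even when the config string is built at runtime.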
Signatures
-
Stealerium
An open-source info stealer written in C#, first seen in May 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
process: bsco-4v4t4r.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid   process
4392  timeout.exe
-
Kills process with taskkill 1 IoCs
Processes:
pid   process
224   taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid   process
4804  bsco-4v4t4r.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  4804  bsco-4v4t4r.exe
Token: SeDebugPrivilege  224   taskkill.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                      pid   process          target process
PID 4804 wrote to memory of 368  4804  bsco-4v4t4r.exe  cmd.exe       (reported 3 times)
PID 368 wrote to memory of 1840  368   cmd.exe          chcp.com      (reported 3 times)
PID 368 wrote to memory of 224   368   cmd.exe          taskkill.exe  (reported 3 times)
PID 368 wrote to memory of 4392  368   cmd.exe          timeout.exe   (reported 3 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4804
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAB48.tmp.bat
    - Suspicious use of WriteProcessMemory
    PID: 368
    C:\Windows\SysWOW64\chcp.com (depth 3)
      Command line: chcp 65001
      PID: 1840
    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: TaskKill /F /IM 4804
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 224
    C:\Windows\SysWOW64\timeout.exe (depth 3)
      Command line: Timeout /T 2 /Nobreak
      - Delays execution with timeout.exe
      PID: 4392
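The process tree is the classic drop-a-batch-and-self-delete pattern: the sample writes a tmpXXXX.tmp.bat to %TEMP%, runs it through cmd.exe /C, and the batch sets the code page, tries to kill the parent and waits two seconds before (presumably) deleting the file. One caveat worth checking when you triage this tree: taskkill's /IM switch filters on image name and /PID on process id, so "TaskKill /F /IM 4804" looks for an image literally named 4804 rather than terminating PID 4804. A detection should therefore key on the command-line chain, not on whether the kill succeeded. The code below is an added example, not part of this report or of Stealerium: it evaluates a list of process-creation events for that chain. The PIDs, images and command lines are the report's; the parent links, the ProcEvent field names and the regexes are assumptions about a Sysmon-style feed.

```python
"""Flag the drop-a-batch-and-self-delete chain shown in the process tree.

Added example, not part of the sandbox report or of Stealerium. Events are
constructed from the report's tree; parent links and field names are assumed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# cmd.exe launched with /C on a tmpXXXX.tmp.bat dropped in a Temp directory.
TMP_BAT = re.compile(r'cmd\.exe"?\s+/c\s+\S*\\temp\\tmp[0-9a-f]+\.tmp\.bat', re.I)

# Children the batch is expected to spawn under that cmd.exe.
STAGES = {
    "chcp": re.compile(r"\bchcp\s+65001\b", re.I),
    "taskkill": re.compile(r"\btaskkill\s+/f\s+/(?:im|pid)\s+\S+", re.I),
    "timeout": re.compile(r"\btimeout\s+/t\s+\d+\s+/nobreak\b", re.I),
}


def taskkill_target(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return ('image' | 'pid', argument) for a taskkill command line.

    /IM filters on image name and /PID on process id, so '/IM 4804' is a
    lookup for an image named 4804, not for process 4804.
    """
    m = re.search(r"/(im|pid)\s+(\S+)", cmdline, re.I)
    if not m:
        return None
    kind = {"im": "image", "pid": "pid"}[m.group(1).lower()]
    return (kind, m.group(2))


def find_self_delete_chains(events: list) -> list:
    """One record per cmd.exe that runs a Temp batch and spawns kill/wait stages."""
    by_pid = {e.pid: e for e in events}
    kids = {}
    for e in events:
        kids.setdefault(e.ppid, []).append(e)

    hits = []
    for cmd in events:
        if not TMP_BAT.search(cmd.cmdline):
            continue
        seen = {}
        for kid in kids.get(cmd.pid, []):
            for name, pat in STAGES.items():
                if pat.search(kid.cmdline):
                    seen[name] = kid
        # taskkill plus timeout is the minimum for a delete-after-exit batch;
        # chcp 65001 is the extra stage this sample adds and raises confidence.
        if {"taskkill", "timeout"} <= set(seen):
            dropper = by_pid.get(cmd.ppid)
            hits.append({
                "cmd_pid": cmd.pid,
                "dropper": dropper.image if dropper else None,
                "stages": sorted(seen),
                "taskkill_target": taskkill_target(seen["taskkill"].cmdline),
            })
    return hits


# Constructed from the report's process tree (parent links assumed), plus one
# benign cmd.exe that runs timeout without a dropped batch as negative noise.
SAMPLE_EVENTS = [
    ProcEvent(4804, 1, r"C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe"'),
    ProcEvent(368, 4804, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAB48.tmp.bat'),
    ProcEvent(1840, 368, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    ProcEvent(224, 368, r"C:\Windows\SysWOW64\taskkill.exe", "TaskKill /F /IM 4804"),
    ProcEvent(4392, 368, r"C:\Windows\SysWOW64\timeout.exe", "Timeout /T 2 /Nobreak"),
    ProcEvent(5000, 1, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C timeout /t 5 /nobreak'),
]

if __name__ == "__main__":
    for hit in find_self_delete_chains(SAMPLE_EVENTS):
        print(hit)
```

The record names the dropper (the parent of the cmd.exe), which is the file to collect before the batch's delete step runs; the taskkill_target field tells you whether the kill was even aimed at a PID.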
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
57B
MD5
9a2e54fd7f50d9099fee4ec50295b049
SHA1
9f4f2aecc2dec88ddf724bbc88f79c55f07403c6
SHA256
6b3276fd0507d751fd980424ef66ff18737621a4983ac7341513b4c160ab277f
SHA512
975bf16805461cc8f5e7e3bfb5cc083ac20cca84c17ac750c87370fd0e9c7ea8455089f78b6a6fd1be8c95d4f72c9c52fd180e10ed2fe03dca623c0836b273af