Analysis

  • max time kernel
    72s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-05-2023 19:28

General

  • Target

    bsco-4v4t4r.exe

  • Size

    1.6MB

  • MD5

    c845ab96f7e195e9863395f24657f0cd

  • SHA1

    0368773cf3c71fef84082f2068ffafb3ed5580b3

  • SHA256

    95712d2264e3eb59cae19859ecb0ecab79dbb998189f56c1b697fe5c233d34d6

  • SHA512

    d33b36254a2aeea23f21db8e1a4af17bec355d1840cb03f1892c15afd84c74a8560ea06ed62a2dbf5ffae9047ce2b45e16f18b6b1825ee8c30a30a242e17c9b9

  • SSDEEP

    24576:Si2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLU:lTq24GjdGSiqkqXfd+/9AqYanieKd

Score
10/10

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1098436501517369394/JKCsN0HXfrE6Z1tY-USgbbvMdy8EidwbtI0dVIIjWIpD09R2nXrCi99850bnMqFKyC2a

Signatures

  • Stealerium

    An open-source info stealer written in C#, first seen in May 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe
    "C:\Users\Admin\AppData\Local\Temp\bsco-4v4t4r.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAB48.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:1840
        • C:\Windows\SysWOW64\taskkill.exe
          TaskKill /F /IM 4804
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:224
        • C:\Windows\SysWOW64\timeout.exe
          Timeout /T 2 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:4392

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpAB48.tmp.bat

    Filesize

    57B

    MD5

    9a2e54fd7f50d9099fee4ec50295b049

    SHA1

    9f4f2aecc2dec88ddf724bbc88f79c55f07403c6

    SHA256

    6b3276fd0507d751fd980424ef66ff18737621a4983ac7341513b4c160ab277f

    SHA512

    975bf16805461cc8f5e7e3bfb5cc083ac20cca84c17ac750c87370fd0e9c7ea8455089f78b6a6fd1be8c95d4f72c9c52fd180e10ed2fe03dca623c0836b273af

  • memory/4804-133-0x00000000001A0000-0x0000000000332000-memory.dmp

    Filesize

    1.6MB

  • memory/4804-134-0x0000000004CC0000-0x0000000004D26000-memory.dmp

    Filesize

    408KB

  • memory/4804-135-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

    Filesize

    64KB