Malware Analysis Report

2024-10-23 19:20

Sample ID 230531-w6wztahb75
Target Stealerium.zip
SHA256 2b55d3d5d47acf8e35fedf1fd612f81c9d10fdd84e8bdd9d6ad4b5bf1da04adf
Tags stealerium stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256

2b55d3d5d47acf8e35fedf1fd612f81c9d10fdd84e8bdd9d6ad4b5bf1da04adf

Threat Level: Known bad

The file Stealerium.zip was found to be: Known bad.

Malicious Activity Summary

stealerium stealer

Stealerium

Stealerium family

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

Kills process with taskkill

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-31 18:32

Signatures

Stealerium family

stealerium

Unsigned PE


Analysis: behavioral5

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win7-20230220-en

Max time kernel

31s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win10v2004-20230220-en

Max time kernel

136s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win7-20230220-en

Max time kernel

25s

Max time network

29s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win10v2004-20230220-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SixLabors.ImageSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SixLabors.ImageSharp.dll,#1

Network

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win10v2004-20230220-en

Max time kernel

151s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.ImageSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.ImageSharp.dll,#1

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win10v2004-20230220-en

Max time kernel

133s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.dll,#1

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win7-20230220-en

Max time kernel

27s

Max time network

31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win10v2004-20230220-en

Max time kernel

136s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win7-20230220-en

Max time kernel

28s

Max time network

31s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"

Signatures

Stealerium

stealer stealerium

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe

"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE822.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 1584

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Files

memory/1584-133-0x00000000001F0000-0x0000000000382000-memory.dmp

memory/1584-134-0x0000000004CE0000-0x0000000004D46000-memory.dmp

memory/1584-135-0x0000000004E20000-0x0000000004E30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE822.tmp.bat

MD5 b9637fef013e13ed67e92170a96ac0c4
SHA1 aae21fe744d7932dc89c583e4245774471eca6d7
SHA256 8e8db0838557e3e38ad6c47977e788daecab3e9a5e5583c0acfb51f26d836519
SHA512 5754c179f74468b81955d54f71a7a202877e7a33b7eebd6d866f1b4938aba786956d405931e63debbd74059527b2b346925ac5c2295e47daa8914e9f0d04de8d

Analysis: behavioral4

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win10v2004-20230220-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win7-20230220-en

Max time kernel

30s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SixLabors.ImageSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SixLabors.ImageSharp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win7-20230220-en

Max time kernel

31s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win7-20230220-en

Max time kernel

31s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win10v2004-20230220-en

Max time kernel

143s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win10v2004-20230220-en

Max time kernel

131s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win7-20230220-en

Max time kernel

27s

Max time network

31s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win10v2004-20230220-en

Max time kernel

144s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win7-20230220-en

Max time kernel

30s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.ImageSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.ImageSharp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-05-31 18:32

Reported

2023-05-31 18:36

Platform

win7-20230220-en

Max time kernel

106s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe

"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=stub.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files
