Analysis

  • max time kernel
    59s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-06-2023 20:09

General

  • Target

    HP Mouse USB.exe

  • Size

    1.6MB

  • MD5

    58f5d3f738283351db8a2dbafb50be24

  • SHA1

    9c18d5b5957ecf187fb5a2e68a6868a8cd719265

  • SHA256

    0ddb866d33fa7277ea51dbaadd197e08318d1c6cd524c352ecb325cad85b82ba

  • SHA512

    80bbf70fc808c593f1b9c58d11d2d32624040917ae54d0c0eb577bde522a1bb1b914c8578a811743bcbc2dbe62a0b8609cc65093d81ca296662e33c71913e3d0

  • SSDEEP

    24576:Di2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgL/:mTq24GjdGSiqkqXfd+/9AqYanieKd

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1122279032260665414/W-unCHniD2YI670Bytn7FIpY-nux43_owoRzlVZOux3NvAnntnyH_9eSHWkJsi-nQBDo

Signatures

  • Stealerium

    An open-source info stealer written in C#, first seen in May 2022.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HP Mouse USB.exe
    "C:\Users\Admin\AppData\Local\Temp\HP Mouse USB.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1696
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:600
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:2036
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show profile
        3⤵
        PID:1252
      • C:\Windows\SysWOW64\findstr.exe
        findstr All
        3⤵
        PID:1920
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:1692
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAD1E.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:1968
      • C:\Windows\SysWOW64\taskkill.exe
        TaskKill /F /IM 1696
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1480
      • C:\Windows\SysWOW64\timeout.exe
        Timeout /T 2 /Nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:772
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1052

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: a7da8f8ec66a9391db9f993577f7c971
    SHA1: 1df8c656dcba9b6766754aea53ff9642c89639ec
    SHA256: b970f91792ec9dc73dd54d580bae3fcc0ce21cb1f69f2d0cb6dcd3433e10dc54
    SHA512: 3869293e9b8d62b28340db61ee177088a84732cd450ffe99bc7b362cac7ecd81165f69fc9ea9aa17230ae96bfa423a4e6b1135c59aef655a20ab4a77b2ca3dbd

  • C:\Users\Admin\AppData\Local\6924f613c70f741e564a6a1b4017c16a\Admin@HHVWDVKF_en-US\Browsers\Firefox\Bookmarks.txt
    Filesize: 105B
    MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\6924f613c70f741e564a6a1b4017c16a\Admin@HHVWDVKF_en-US\Directories\Startup.txt
    Filesize: 24B
    MD5: 68c93da4981d591704cea7b71cebfb97
    SHA1: fd0f8d97463cd33892cc828b4ad04e03fc014fa6
    SHA256: 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
    SHA512: 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

  • C:\Users\Admin\AppData\Local\6924f613c70f741e564a6a1b4017c16a\Admin@HHVWDVKF_en-US\Directories\Videos.txt
    Filesize: 23B
    MD5: 1fddbf1169b6c75898b86e7e24bc7c1f
    SHA1: d2091060cb5191ff70eb99c0088c182e80c20f8c
    SHA256: a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
    SHA512: 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

  • C:\Users\Admin\AppData\Local\6924f613c70f741e564a6a1b4017c16a\Admin@HHVWDVKF_en-US\System\Apps.txt
    Filesize: 5KB
    MD5: a8e916667ae083f44aaaf4f9156a8382
    SHA1: 330a9f75db4f79a2eb62b088ca4e5931c33e0421
    SHA256: 3225939decf68ade19b9bb43ca190f1e972a971aa5ee9fd5ae7f29141eb6477c
    SHA512: 9aa775e49c8eb4e3b3f98b98511212d0f703c9e6983ad08c1e7e725f3131fcc24e36fb012be0cf80b47be10bdede3a30aaad695df22c28b08e14d409a28d82c6

  • C:\Users\Admin\AppData\Local\6924f613c70f741e564a6a1b4017c16a\Admin@HHVWDVKF_en-US\System\ProductKey.txt
    Filesize: 29B
    MD5: cad6c6bee6c11c88f5e2f69f0be6deb7
    SHA1: 289d74c3bebe6cca4e1d2e084482ad6d21316c84
    SHA256: dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
    SHA512: e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

  • C:\Users\Admin\AppData\Local\6924f613c70f741e564a6a1b4017c16a\msgid.dat
    Filesize: 19B
    MD5: b451dcc4a7fc38516fd542f24c134f18
    SHA1: 6df9d3a6c26f283f0ad9740d6ca3ea14feab7e5b
    SHA256: dba8487f8d4c02fca5f6b28bf942b2e89eb6dbaec5c5a51bfd42eae40c3fbb4d
    SHA512: bfa88ebce56680505639455a232738c9e95c041cc2ebbbeaed4fc44efa5d78f555d5242672eafbe1edc48e29cbae391459fb9051ba00a4434710998a71daae45

  • C:\Users\Admin\AppData\Local\Temp\Cab87FF.tmp
    Filesize: 62KB
    MD5: 3ac860860707baaf32469fa7cc7c0192
    SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
    SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
    SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

  • C:\Users\Admin\AppData\Local\Temp\Tar887F.tmp
    Filesize: 164KB
    MD5: 4ff65ad929cd9a367680e0e5b1c08166
    SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
    SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
    SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

  • C:\Users\Admin\AppData\Local\Temp\tmpAD1E.tmp.bat
    Filesize: 57B
    MD5: e1a7bc17e29c007926718c8394473ab0
    SHA1: 710dfe809aa2dacea1834b8ed332a4b4c0004760
    SHA256: f7134ab0bf10574f341ddd6cf085299258a26e6e72c3175179a96ec394c13b49
    SHA512: ecf617ee7f94b082136f0346f8c9d7df3b2dee2de5de70cebfe15121e2c0c98e7832d95eebec855b387e4d1a4c8d3ed5e19232bb3b8b74289920f3e54190cf76

  • memory/1696-168-0x0000000005830000-0x00000000058AA000-memory.dmp
    Filesize: 488KB

  • memory/1696-226-0x00000000067D0000-0x0000000006882000-memory.dmp
    Filesize: 712KB

  • memory/1696-125-0x0000000004460000-0x00000000044A0000-memory.dmp
    Filesize: 256KB

  • memory/1696-54-0x0000000000DD0000-0x0000000000F62000-memory.dmp
    Filesize: 1.6MB

  • memory/1696-56-0x0000000004460000-0x00000000044A0000-memory.dmp
    Filesize: 256KB

  • memory/1696-298-0x0000000005C50000-0x0000000005CE2000-memory.dmp
    Filesize: 584KB

  • memory/1696-318-0x0000000004460000-0x00000000044A0000-memory.dmp
    Filesize: 256KB

  • memory/1696-55-0x0000000004460000-0x00000000044A0000-memory.dmp
    Filesize: 256KB