Analysis
-
max time kernel
87s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system -
submitted
29-06-2023 20:09
Behavioral task
behavioral1
Sample
HP Mouse USB.exe
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
HP Mouse USB.exe
Resource
win10v2004-20230621-en
General
-
Target
HP Mouse USB.exe
-
Size
1.6MB
-
MD5
58f5d3f738283351db8a2dbafb50be24
-
SHA1
9c18d5b5957ecf187fb5a2e68a6868a8cd719265
-
SHA256
0ddb866d33fa7277ea51dbaadd197e08318d1c6cd524c352ecb325cad85b82ba
-
SHA512
80bbf70fc808c593f1b9c58d11d2d32624040917ae54d0c0eb577bde522a1bb1b914c8578a811743bcbc2dbe62a0b8609cc65093d81ca296662e33c71913e3d0
-
SSDEEP
24576:Di2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgL/:mTq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Extracted
stealerium
https://discord.com/api/webhooks/1122279032260665414/W-unCHniD2YI670Bytn7FIpY-nux43_owoRzlVZOux3NvAnntnyH_9eSHWkJsi-nQBDo
Signatures
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
HP Mouse USB.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation HP Mouse USB.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
HP Mouse USB.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HP Mouse USB.exe Key opened \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HP Mouse USB.exe Key opened \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HP Mouse USB.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 36 icanhazip.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
HP Mouse USB.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 HP Mouse USB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier HP Mouse USB.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1528 timeout.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 1864 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
HP Mouse USB.exepid process 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe 4100 HP Mouse USB.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
HP Mouse USB.exemsiexec.exetaskkill.exedescription pid process Token: SeDebugPrivilege 4100 HP Mouse USB.exe Token: SeSecurityPrivilege 4228 msiexec.exe Token: SeDebugPrivilege 1864 taskkill.exe -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
HP Mouse USB.execmd.execmd.execmd.exedescription pid process target process PID 4100 wrote to memory of 1164 4100 HP Mouse USB.exe cmd.exe PID 4100 wrote to memory of 1164 4100 HP Mouse USB.exe cmd.exe PID 4100 wrote to memory of 1164 4100 HP Mouse USB.exe cmd.exe PID 1164 wrote to memory of 1720 1164 cmd.exe chcp.com PID 1164 wrote to memory of 1720 1164 cmd.exe chcp.com PID 1164 wrote to memory of 1720 1164 cmd.exe chcp.com PID 1164 wrote to memory of 64 1164 cmd.exe netsh.exe PID 1164 wrote to memory of 64 1164 cmd.exe netsh.exe PID 1164 wrote to memory of 64 1164 cmd.exe netsh.exe PID 1164 wrote to memory of 3448 1164 cmd.exe findstr.exe PID 1164 wrote to memory of 3448 1164 cmd.exe findstr.exe PID 1164 wrote to memory of 3448 1164 cmd.exe findstr.exe PID 4100 wrote to memory of 3952 4100 HP Mouse USB.exe cmd.exe PID 4100 wrote to memory of 3952 4100 HP Mouse USB.exe cmd.exe PID 4100 wrote to memory of 3952 4100 HP Mouse USB.exe cmd.exe PID 3952 wrote to memory of 5056 3952 cmd.exe chcp.com PID 3952 wrote to memory of 5056 3952 cmd.exe chcp.com PID 3952 wrote to memory of 5056 3952 cmd.exe chcp.com PID 3952 wrote to memory of 1776 3952 cmd.exe netsh.exe PID 3952 wrote to memory of 1776 3952 cmd.exe netsh.exe PID 3952 wrote to memory of 1776 3952 cmd.exe netsh.exe PID 4100 wrote to memory of 440 4100 HP Mouse USB.exe cmd.exe PID 4100 wrote to memory of 440 4100 HP Mouse USB.exe cmd.exe PID 4100 wrote to memory of 440 4100 HP Mouse USB.exe cmd.exe PID 440 wrote to memory of 1968 440 cmd.exe chcp.com PID 440 wrote to memory of 1968 440 cmd.exe chcp.com PID 440 wrote to memory of 1968 440 cmd.exe chcp.com PID 440 wrote to memory of 1864 440 cmd.exe taskkill.exe PID 440 wrote to memory of 1864 440 cmd.exe taskkill.exe PID 440 wrote to memory of 1864 440 cmd.exe taskkill.exe PID 440 wrote to memory of 1528 440 cmd.exe timeout.exe PID 440 wrote to memory of 1528 440 cmd.exe timeout.exe PID 440 wrote to memory of 1528 440 cmd.exe timeout.exe -
outlook_office_path 1 IoCs
Processes:
HP Mouse USB.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HP Mouse USB.exe -
outlook_win_path 1 IoCs
Processes:
HP Mouse USB.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HP Mouse USB.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HP Mouse USB.exe"C:\Users\Admin\AppData\Local\Temp\HP Mouse USB.exe"1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4100 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:1720
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵PID:64
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵PID:3448
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:5056
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵PID:1776
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3A65.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:1968
-
C:\Windows\SysWOW64\taskkill.exeTaskKill /F /IM 41003⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1864 -
C:\Windows\SysWOW64\timeout.exeTimeout /T 2 /Nobreak3⤵
- Delays execution with timeout.exe
PID:1528
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4228
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\582b4779843b04256a7d1bdcd881c198\Admin@FNCPTJBF_en-US\Browsers\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\582b4779843b04256a7d1bdcd881c198\Admin@FNCPTJBF_en-US\Directories\OneDrive.txt
Filesize25B
MD5966247eb3ee749e21597d73c4176bd52
SHA11e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA2568ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa
-
C:\Users\Admin\AppData\Local\582b4779843b04256a7d1bdcd881c198\Admin@FNCPTJBF_en-US\Directories\Startup.txt
Filesize24B
MD568c93da4981d591704cea7b71cebfb97
SHA1fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA51263455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402
-
C:\Users\Admin\AppData\Local\582b4779843b04256a7d1bdcd881c198\Admin@FNCPTJBF_en-US\Directories\Videos.txt
Filesize23B
MD51fddbf1169b6c75898b86e7e24bc7c1f
SHA1d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA51220bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d
-
Filesize
4KB
MD5c095ca5577c83b472e56ff78e8d775a0
SHA1d260be0bcf1a90466d35fef641185d54f4ee3a82
SHA256719b11119bbe9d1b2df046221d9020e615e742992f44230af2c19b826aa992bd
SHA512fa9e863e7aba6db7fcf8a8d5d9ebdd8da490c864844bc9f14633bdbc7b3fb5bf93c36e0fdf71aaeb0dcde2d67982a389ae672c19b981f64819c026b6e063edba
-
C:\Users\Admin\AppData\Local\582b4779843b04256a7d1bdcd881c198\Admin@FNCPTJBF_en-US\System\Process.txt
Filesize4KB
MD5244db54f039993b6535a513e8ee946c9
SHA1689ede50ce805ddc9689316b6850500168b6abc2
SHA256528b211bc74c55ea51f57b1b7dfa161bdddfa3c27394ad526c0be8c0655099ed
SHA51204ad929c5b5cfab1002e68f3fc5adc66647291171257e56e593691a57c4c5e95b2eda9271abb9a3b1ab4b6255eef5fab2c92d8a8298540c74e925727fc647e1a
-
C:\Users\Admin\AppData\Local\582b4779843b04256a7d1bdcd881c198\Admin@FNCPTJBF_en-US\System\ProductKey.txt
Filesize29B
MD571eb5479298c7afc6d126fa04d2a9bde
SHA1a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA5127c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd
-
Filesize
19B
MD5d917bd6141617c77b555e59fbd66c701
SHA1a238ac149ecd3a67740799c20e5fb79432548a43
SHA256229d47f53905ea44e18a66581389aaba66f14624d3b674f8f3cb688387c5f51a
SHA512b2032dc78492f717f0f74ed982ba5d2b0598bb97bcd089149d18c8bfc4d6c7bb0a0080d5eda92e2b5d3942ba2c15492eaec79f2e1b9df3f02531dc4a1d756dd3
-
Filesize
57B
MD53c317b1ab17a3e3497ebc232cb50670a
SHA1752b873dfc8682b220713cf7b8e23a8f68867f0e
SHA2562aee0a5bc8a04193f6e161faf9ef3740dae54e14a6e1384b64b0e52c0c8cf52b
SHA51244c385d28dee9791cd11c95edc11745f263b3660e316badc7c4b34fd9051c396da4ab087324150e1eecb5212cbdfb24ec5f95373ca11f48d984148c24d9459c6