Malware Analysis Report

2024-10-23 19:20

Sample ID: 230705-qg3heace62
Target: Stealeriumzip.zip
SHA256: d368aa9f74bac62cae479c0b4a41ab7b4c62162daee6e1d24c5fbedcb8afc80f
Tags: stealerium, stealer
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview, Signatures
  Analysis: behavioral19
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral20
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral10
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral13
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral15
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral16
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral17
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral18
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral6
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral7
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral12
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral14
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral8
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral9
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral11
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

d368aa9f74bac62cae479c0b4a41ab7b4c62162daee6e1d24c5fbedcb8afc80f

Threat Level: Known bad

The file Stealeriumzip.zip was found to be: Known bad.

Malicious Activity Summary

Tags: stealerium, stealer

Stealerium family

Stealerium

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-05 13:14

Signatures

Stealerium family

Tags: stealerium

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win7-20230703-en

Max time kernel

105s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"

Signatures

Modifies Internet Explorer settings

Tags: adware, spyware

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80ef6bcf42afd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F3CDFDA1-1B35-11EE-B867-62AE83E716DD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cacdb9c8f7e7d1478a5f6d5a6cb4c29000000000020000000000106600000001000020000000d6f8f5ced438c4b825f17f0c204a85321559ce2292f14830cff7d627c47d6c10000000000e80000000020000200000009e302704bed63d720d915766d730397340b8a4246e8e52d4af6d91635dd6f828200000001e3b7c1432adcc0e4b86cb701c43f391aed1e4fe4d2be3198fd7a4d6744a03e7400000008c02abb0acdaa421c692af338516a86627237b6b77f193d47684b7d47e36236fc68c29bc8fe8a248607f40439bb40c95c6358242be8f2ba60c7b6ef278b81bfb | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395327878" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe

"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=stub.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab6F2A.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar6F8B.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52cc19e9d121d2d1f1f5f32454bf228a
SHA1 352c6aa61483eaf6d2eb02d4e5e453cf68e7fcf9
SHA256 a02c2a4c1fd797dfd6f061651fbb9c0e853129ef65f375b7f9071fdb59913588
SHA512 4e3582596f43a245059c8b9e2bbbe6c553480eb842fb63031976a28c67807ef3bd081febdf7d7d4e7f72e8cec6b877a2bf76b250e1d780d4bd5713cfdeb76f84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30c44b1a6db74b044061dd4f611419cc
SHA1 391fba81b50961319978fc7ce821a27b719eeb68
SHA256 7ddcb22352fd4cbb9b1597c6d43e3e82f04ffc87cbfcd8901d9b8ff67d7b86ee
SHA512 2afc0dced43273a07f429396936dfcd84832007e892d882ecc1a1eb5c4ec232b8b6885dd279766ad6a5e1f1af06f26e840226c35d14039e11a12ec607cda0a0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81227b0bbb81a33db637ce7642f00d92
SHA1 ef92e7cc6f9fdc757f28a6cacdece87c0ae6c7bf
SHA256 058138b68cd1594bec9c0a3d496754e2a0d3ae912a4c4f3cdb0536edc0ae2ab3
SHA512 670c4f2554bfd1831533425c7d88a1b5bb2dd4b3cae7bc973126faf15df602b61ce2a5ebb6ecb62f19e69335a53adbbee4f543698f5ab332d27f7d509ba2f836

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ded198cc91410f3bd8d5726a2a4604e2
SHA1 42b0306705a8ef1474ee4cd9f5fd610635104626
SHA256 2a8a78e4e68f5a92551dfcb417da604bda75b26820fb7b76a6e6fb17507c84b8
SHA512 974bdfbdd51cea24de7229946c9bfae806e7ea53bef8d605c4fcbdfc0a498873ef9bde244f84816ddf632e81d2460ffc723d3baabbf710ef7cfdb308b1e0a03e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8965b12e18244e33eb332cfae11eb284
SHA1 45c5a8e8c67f2ba88094ec6234e527359e2eb749
SHA256 4e7c4ea7eb4b995bd5e39d90030ca77aab2dfa24f76883d0ee516dd030c3effd
SHA512 c580e158b522bcf0413449437a4e520642a0793b6b29b0a8dd33c67d97f949240b0ed06945c97fdbe3dfc2decee1cb37780684a54a10d2971208aac60e170a27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f939e8e7f6e282f01cf287a25f7d4140
SHA1 757ab9f2492eea386b7af62fc4977a2c59a075c6
SHA256 f1977c823a8c84d40607e6319bf76ed748785c43857911c77982a74043c5262e
SHA512 e6965a0c4c1119afd20d65f7297da671e939940ba376875f85e0ef3d87b1163c74b4b3f058d82c8079baebaf3b08a06e98a079d07514aa8fdfcf1ce0e28b6496

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1911b2958dfb58c94ca16e04f58473f5
SHA1 cefcbf06610dd3e80bf04dda43b965fb933866e7
SHA256 825cd5ba68a02aec732031f4416b5faf903e1255296864490113ecb7484d3a89
SHA512 f15d58afae89b9e9ee3810de11f5b4f033c4beba5b9baf622e3ce32b107080b3cf07d7b0ef9941fb674143d4ff4b9d8332094e5cf58848c7d1c7fca6b0c5fcb1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d48bbb32a7c6c4652208779002eca1be
SHA1 4b2ae3b0d4e53787c1cf5f1ee0bec7ffa9915ded
SHA256 b914deb1751182303498f1eadaf3fb7d80ca0bed0d0b38a56bbb79340c27d4da
SHA512 6a8e4a5c02d9c429c665352a8ae1e0f229280715b78811c71c744da65e79c7f159f8c7a6be1243f36d4512904f1d5d5b31b368f0ce02fb9470c67246f66c2196

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b0f13539d8984932a51d8ebee6f7d8b
SHA1 f80562ecdd684110074c8768d8b795c658058737
SHA256 6b3499e5b5cd4cd1fd3fcab10135e3a9cae8b1b7439d1271584082dd8275fadc
SHA512 a6759f90a1a76473f9a24a12af378d51c40a17b358d031939e461c7c476c9f50976205fac33f0afa8d892b15f44886930be6a605f5791515dad230a8e2d0da08

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PB7AGJFH.txt

MD5 41ec6b9c6aeb32a4f58cd19370faba6f
SHA1 8ad54a971d3aa9deff6b8c1777d1f102144101e4
SHA256 97a0d405bb3d15baf60630a41d4c937561b63daf7468554132ea3a26fe0ec789
SHA512 b1dbd7f292daa7391df08810c58cee76c98ad6ffa3e551a4d231552efbd3518a2c71568764df031d1831b258bd630d12fdb376cba8f8252e672a9e7089481236

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V6CQZ6HZ\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral20

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win10v2004-20230703-en

Max time kernel

9s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"

Signatures

Stealerium

Tags: stealer, stealerium

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Kills process with taskkill

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe

"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7B6A.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 4920

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

N/A

Files

memory/4920-133-0x0000000000BF0000-0x0000000000D82000-memory.dmp

memory/4920-134-0x0000000005730000-0x0000000005796000-memory.dmp

memory/4920-135-0x00000000056B0000-0x00000000056C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7B6A.tmp.bat

MD5 fd457c1be8e15c90e2d4c911c7325b49
SHA1 cd97c994dc9cf8549a61a39a1eb2382803fe6c83
SHA256 240a8c5a4249edd768792499da0ef3ed8011c03614b2473ca9bdcef76ac06291
SHA512 875dc246a7fa770a74ed531854a9c70b8c77c8ac5ba29f0dfea5fab2714a5ccc097fae301f02f316837c0bb0e039b135107a8392edbd4076ddf8aa8832e35581

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win10v2004-20230621-en

Max time kernel

85s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 219.74.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.74.101.95.in-addr.arpa | udp
US | 20.189.173.15:443 | | tcp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
GB | 96.16.110.41:443 | | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win7-20230703-en

Max time kernel

26s

Max time network

31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win10v2004-20230621-en

Max time kernel

107s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp
DE | 23.218.209.198:443 | | tcp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
US | 93.184.221.240:80 | | tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win7-20230703-en

Max time kernel

30s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SixLabors.ImageSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SixLabors.ImageSharp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win7-20230621-en

Max time kernel

30s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.ImageSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.ImageSharp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win10v2004-20230703-en

Max time kernel

7s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.ImageSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.ImageSharp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win7-20230703-en

Max time kernel

31s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 164.113.223.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.133.241.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win10v2004-20230703-en

Max time kernel

7s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win7-20230703-en

Max time kernel

74s

Max time network

80s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Network

Country | Destination | Domain | Proto
US | 192.229.211.108:80 | | tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win10v2004-20230703-en

Max time kernel

7s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win10v2004-20230703-en

Max time kernel

7s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SixLabors.ImageSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SixLabors.ImageSharp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win7-20230703-en

Max time kernel

30s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win10v2004-20230703-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 164.113.223.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win7-20230703-en

Max time kernel

27s

Max time network

31s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win10v2004-20230703-en

Max time kernel

7s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win7-20230703-en

Max time kernel

31s

Max time network

35s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-07-05 13:14

Reported

2023-07-05 13:17

Platform

win7-20230703-en

Max time kernel

28s

Max time network

32s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Network

N/A

Files

N/A