Analysis

max time kernel: 28s
max time network: 32s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 05-07-2023 13:15
Behavioral tasks

- behavioral1: sample stub.exe, resource win7-20230703-en
- behavioral2: sample stub.exe, resource win10v2004-20230703-en
General

Target: stub.exe
Size: 1.6MB
MD5: 303df0ff45fc487db83f9a14a7eb3594
SHA1: e36f528cefba775bf21f04cc208e90b815df8234
SHA256: 35b48e9472a04ef28d51e5af06dafc8d8573d22bd4159cfc5007b7321a0aa337
SHA512: 1ebaec29abe8bf659255a3e78893921a5916f8ab8c8d9f607da27e6284cc885c0951bcda7bcbc6cfb47e650a3f1f96c575f0e38881474a227c02ce84821e11a2
SSDEEP: 24576:Di2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLs:mTq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Signatures

- Stealerium
  An open-source info stealer written in C#, first seen in May 2022.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  Process: timeout.exe (PID 992)
- Kills process with taskkill (1 IoC)
  Process: taskkill.exe (PID 2764)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  stub.exe (PID 2352): Token: SeDebugPrivilege
  taskkill.exe (PID 2764): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (16 IoCs)
  Four WriteProcessMemory calls were recorded from each parent into each child it launched:
  PID 2352 (stub.exe) wrote to memory of PID 1408 (cmd.exe), 4 times
  PID 1408 (cmd.exe) wrote to memory of PID 336 (chcp.com), 4 times
  PID 1408 (cmd.exe) wrote to memory of PID 2764 (taskkill.exe), 4 times
  PID 1408 (cmd.exe) wrote to memory of PID 992 (timeout.exe), 4 times
  Every target is the writer's own direct child, so these writes are consistent with process start-up rather than injection into an unrelated process.
Processes

- C:\Users\Admin\AppData\Local\Temp\stub.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\stub.exe"
  PID: 2352
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3766.tmp.bat
    PID: 1408
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      PID: 336
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: TaskKill /F /IM 2352
      PID: 2764
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe
      Command line: Timeout /T 2 /Nobreak
      PID: 992
      - Delays execution with timeout.exe

The child images resolve under C:\Windows\SysWOW64 even though the command line names C:\Windows\System32: WOW64 file-system redirection maps System32 to SysWOW64 for a 32-bit process, so stub.exe is running as a 32-bit process on this x64 image.
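The chain above (an executable in %LOCALAPPDATA%\Temp spawning cmd.exe /C on a .tmp.bat dropped beside it, which in turn runs chcp, taskkill /F against the dropper's own PID and timeout) is a reusable detection pattern. The following Python is an added example for this page, not part of the sandbox report and not Stealerium's code; it runs over constructed process-creation records modeled on the tree above (the explorer.exe parent PID 1800 and the two benign noise events are assumptions) and flags the cmd.exe instance, what taskkill targeted and whether that target is the grandparent. One caveat worth surfacing: taskkill's /IM switch takes an image name and /PID takes a process ID, yet the command as logged passes 2352 to /IM, so the example reports that as its own field instead of assuming what taskkill did with it.

```python
"""Flag cmd.exe /C <Temp>\\*.bat -> taskkill/timeout self-termination chains.

Added detection example for this report. The events below are constructed to
mirror the report's process tree; they are not sandbox output.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 or EDR telemetry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample. PID 1800 (an assumed explorer.exe) and the two "dir" noise
# events are not in the report; everything else mirrors the tree above.
SAMPLE_EVENTS = [
    ProcEvent(2352, 1800, r"C:\Users\Admin\AppData\Local\Temp\stub.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\stub.exe"'),
    ProcEvent(1408, 2352, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3766.tmp.bat'),
    ProcEvent(336, 1408, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    ProcEvent(2764, 1408, r"C:\Windows\SysWOW64\taskkill.exe", "TaskKill /F /IM 2352"),
    ProcEvent(992, 1408, r"C:\Windows\SysWOW64\timeout.exe", "Timeout /T 2 /Nobreak"),
    ProcEvent(4100, 1800, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C dir'),
    ProcEvent(4101, 4100, r"C:\Windows\System32\timeout.exe", "timeout /T 1"),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# cmd.exe /C followed by a (possibly quoted) path ending in .bat
CMD_BAT_RE = re.compile(r"/c\s+\"?([^\"\s]+\.bat)\b", re.IGNORECASE)
# taskkill target switch: /IM expects an image name, /PID a process id
TASKKILL_TARGET_RE = re.compile(r"/(im|pid)\s+\"?([^\"\s]+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_self_kill_chains(events):
    """Return one finding per taskkill launched by a Temp-batch cmd.exe."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for cmd in events:
        if basename(cmd.image) != "cmd.exe":
            continue
        m = CMD_BAT_RE.search(cmd.cmdline)
        if not m or not TEMP_DIR_RE.search(m.group(1)):
            continue  # not running a batch file out of %LOCALAPPDATA%\Temp
        kids = children.get(cmd.pid, [])
        kills = [k for k in kids if basename(k.image) == "taskkill.exe"]
        if not kills:
            continue
        parent = by_pid.get(cmd.ppid)  # the process that launched cmd.exe
        for kill in kills:
            t = TASKKILL_TARGET_RE.search(kill.cmdline)
            switch = t.group(1).upper() if t else None
            target = t.group(2) if t else None
            # Match the target against the grandparent either as a PID or as an image name.
            targets_parent = parent is not None and target is not None and (
                target == str(parent.pid) or target.lower() == basename(parent.image))
            findings.append({
                "cmd_pid": cmd.pid,
                "batch_file": m.group(1),
                "dropper_pid": cmd.ppid,
                "dropper_image": parent.image if parent else None,
                "dropper_in_temp": bool(parent and TEMP_DIR_RE.search(parent.image)),
                "taskkill_switch": switch,
                "taskkill_target": target,
                "targets_dropper": targets_parent,
                # /IM takes an image name; a bare number here is a syntax slip worth recording.
                "pid_passed_to_im": switch == "IM" and (target or "").isdigit(),
                "forced": bool(re.search(r"\s/f\b", kill.cmdline, re.IGNORECASE)),
                "delayed": any(basename(k.image) == "timeout.exe" for k in kids),
            })
    return findings


if __name__ == "__main__":
    for finding in find_self_kill_chains(SAMPLE_EVENTS):
        print(finding)
```

The check is deliberately keyed on relationships (batch file in Temp, taskkill child, target equal to the grandparent) rather than on the literal strings "chcp 65001" or "tmp3766.tmp.bat", which change per sample; the benign cmd /C dir chain with its own timeout child produces no finding.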
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 57B
  MD5: f0fcfd0d77c58b3964a023019fe217ac
  SHA1: a1ce4f6f596901778c3fa4222809771bf901c263
  SHA256: f0c1609f938b9911c4ed9859d79dfe7a3997001bb5453bc386af8dab53e7ad4c
  SHA512: e1e66b8ff546eca25acf947106f11d66db408ee1445c0fef7c7d385eea82a8535147c9db650a8aa34f095022cd36b1571f9e33cb945ffc78bea6802b3d114c05