Analysis
max time kernel: 139s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2023 13:15
Behavioral task behavioral1
Sample: stub.exe
Resource: win7-20230703-en

Behavioral task behavioral2
Sample: stub.exe
Resource: win10v2004-20230703-en
General
Target: stub.exe
Size: 1.6MB
MD5: 303df0ff45fc487db83f9a14a7eb3594
SHA1: e36f528cefba775bf21f04cc208e90b815df8234
SHA256: 35b48e9472a04ef28d51e5af06dafc8d8573d22bd4159cfc5007b7321a0aa337
SHA512: 1ebaec29abe8bf659255a3e78893921a5916f8ab8c8d9f607da27e6284cc885c0951bcda7bcbc6cfb47e650a3f1f96c575f0e38881474a227c02ce84821e11a2
SSDEEP: 24576:Di2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLs:mTq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: stub.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | stub.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
Processes: timeout.exe
pid | process
5032 | timeout.exe

Kills process with taskkill (1 IoC)
Processes: taskkill.exe
pid | process
3588 | taskkill.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: stub.exe, taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 456 | stub.exe
Token: SeDebugPrivilege | 3588 | taskkill.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: stub.exe, cmd.exe
description | pid | process | target process
PID 456 wrote to memory of 560 | 456 | stub.exe | cmd.exe
PID 456 wrote to memory of 560 | 456 | stub.exe | cmd.exe
PID 456 wrote to memory of 560 | 456 | stub.exe | cmd.exe
PID 560 wrote to memory of 4448 | 560 | cmd.exe | chcp.com
PID 560 wrote to memory of 4448 | 560 | cmd.exe | chcp.com
PID 560 wrote to memory of 4448 | 560 | cmd.exe | chcp.com
PID 560 wrote to memory of 3588 | 560 | cmd.exe | taskkill.exe
PID 560 wrote to memory of 3588 | 560 | cmd.exe | taskkill.exe
PID 560 wrote to memory of 3588 | 560 | cmd.exe | taskkill.exe
PID 560 wrote to memory of 5032 | 560 | cmd.exe | timeout.exe
PID 560 wrote to memory of 5032 | 560 | cmd.exe | timeout.exe
PID 560 wrote to memory of 5032 | 560 | cmd.exe | timeout.exe
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\stub.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\stub.exe"
  PID: 456
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2390.tmp.bat
      PID: 560
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com
          Command line: chcp 65001
          PID: 4448

        C:\Windows\SysWOW64\taskkill.exe
          Command line: TaskKill /F /IM 456
          PID: 3588
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\timeout.exe
          Command line: Timeout /T 2 /Nobreak
          PID: 5032
          - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 56B
MD5: b5b0fa5de86c26b5f0e953a6ed275293
SHA1: 6a8d6e2d51bf560511dbce57a9924861aaf8e057
SHA256: c2c3f15391251c01599300ed32800ac4780c10b65da430d1c343c5cf1ba3419c
SHA512: fe769db6faf7986fd3e2286d2da0a20f40c4ac7b32cd4968735f8c00367691a3160199c662a28710c4fb10d12e26fbec565efe704c3d4b5344dbac5cd7c0a28c