Analysis
- max time kernel: 1566s
- max time network: 1569s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 20-10-2023 03:52
Behavioral task behavioral1
- Sample: build.exe
- Resource: win7-20230831-en
Behavioral task behavioral2
- Sample: build.exe
- Resource: win10v2004-20230915-en
General
- Target: build.exe
- Size: 1.6MB
- MD5: 8ae754931d3fad28ddd1a546a7399dd9
- SHA1: 1a3aad1b59e23233085538490681119fb9f3e3f2
- SHA256: a1d070e57e5d9002274f814372596fd59e4ed49ec373020c45ec2ed1f8bf847d
- SHA512: f6ad9715f0638c0172c4ff151062778e94d4e5d3dd8bdb5fee92862963f497889dbea44210d785b02a3b25e20a1a040197b2e9c1949507f01577a44365f99628
- SSDEEP: 24576:Oi2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLn:ZTq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
- Extracted family: stealerium
- Extracted URL: https://canary.discord.com/api/webhooks/1164771273088438373/LkV7kaD1cZ_ThsbQhH-c6fV9W3Srl_WFpWGvMsPDPwn78bGXZB91nVl5bieA39v-Xvru
Signatures
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe (PID 1156)
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe (PID 2580)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: build.exe (PID 1596)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, 1596, build.exe
  Token: SeDebugPrivilege, 2580, taskkill.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description, pid, process, target process):
  PID 1596 wrote to memory of 2524, 1596, build.exe, cmd.exe (4 events)
  PID 2524 wrote to memory of 2556, 2524, cmd.exe, chcp.com (4 events)
  PID 2524 wrote to memory of 2580, 2524, cmd.exe, taskkill.exe (4 events)
  PID 2524 wrote to memory of 1156, 2524, cmd.exe, timeout.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\build.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
  PID: 1596
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp59DB.tmp.bat
    PID: 2524
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      PID: 2556
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: TaskKill /F /IM 1596
      PID: 2580
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe
      Command line: Timeout /T 2 /Nobreak
      PID: 1156
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads