Analysis
max time kernel: 1738s
max time network: 1173s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-10-2023 03:52
Behavioral task behavioral1: sample build.exe, resource win7-20230831-en
Behavioral task behavioral2: sample build.exe, resource win10v2004-20230915-en
General
Target: build.exe
Size: 1.6MB
MD5: 8ae754931d3fad28ddd1a546a7399dd9
SHA1: 1a3aad1b59e23233085538490681119fb9f3e3f2
SHA256: a1d070e57e5d9002274f814372596fd59e4ed49ec373020c45ec2ed1f8bf847d
SHA512: f6ad9715f0638c0172c4ff151062778e94d4e5d3dd8bdb5fee92862963f497889dbea44210d785b02a3b25e20a1a040197b2e9c1949507f01577a44365f99628
SSDEEP: 24576:Oi2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLn:ZTq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Extracted family: stealerium
Extracted webhook URL: https://canary.discord.com/api/webhooks/1164771273088438373/LkV7kaD1cZ_ThsbQhH-c6fV9W3Srl_WFpWGvMsPDPwn78bGXZB91nVl5bieA39v-Xvru
Signatures
- Stealerium
  An open source info stealer written in C#, first seen in May 2022.
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | build.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | build.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | build.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (3 IoCs)
  Processes (pid | process):
    4976 | timeout.exe
    3412 | timeout.exe
    2392 | timeout.exe
- Kills process with taskkill (3 IoCs)
  Processes (pid | process):
    3780 | taskkill.exe
    3664 | taskkill.exe
    2688 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process):
    2776 | build.exe
    2960 | build.exe
    4484 | build.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2776 | build.exe
    Token: SeDebugPrivilege | 3780 | taskkill.exe
    Token: SeDebugPrivilege | 2960 | build.exe
    Token: SeDebugPrivilege | 3664 | taskkill.exe
    Token: SeDebugPrivilege | 4484 | build.exe
    Token: SeDebugPrivilege | 4476 | build.exe
    Token: SeDebugPrivilege | 2688 | taskkill.exe
    Token: SeManageVolumePrivilege | 3732 | svchost.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes (description | pid | process | target process); each of the twelve rows below is recorded three times in the report:
    PID 2776 wrote to memory of 4792 | 2776 | build.exe | cmd.exe
    PID 4792 wrote to memory of 2392 | 4792 | cmd.exe | chcp.com
    PID 4792 wrote to memory of 3780 | 4792 | cmd.exe | taskkill.exe
    PID 4792 wrote to memory of 4976 | 4792 | cmd.exe | timeout.exe
    PID 2960 wrote to memory of 1440 | 2960 | build.exe | cmd.exe
    PID 1440 wrote to memory of 2020 | 1440 | cmd.exe | chcp.com
    PID 1440 wrote to memory of 3664 | 1440 | cmd.exe | taskkill.exe
    PID 1440 wrote to memory of 3412 | 1440 | cmd.exe | timeout.exe
    PID 4484 wrote to memory of 2944 | 4484 | build.exe | cmd.exe
    PID 2944 wrote to memory of 4180 | 2944 | cmd.exe | chcp.com
    PID 2944 wrote to memory of 2688 | 2944 | cmd.exe | taskkill.exe
    PID 2944 wrote to memory of 2392 | 2944 | cmd.exe | timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\build.exe (depth 1, PID 2776)
  Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4792)
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp856C.tmp.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (depth 3, PID 2392)
      Command line: chcp 65001
    - C:\Windows\SysWOW64\taskkill.exe (depth 3, PID 3780)
      Command line: TaskKill /F /IM 2776
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe (depth 3, PID 4976)
      Command line: Timeout /T 2 /Nobreak
      Signatures: Delays execution with timeout.exe
- C:\Windows\System32\rundll32.exe (depth 1, PID 4668)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\AppData\Local\Temp\build.exe (depth 1, PID 2960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1440)
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBB8F.tmp.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (depth 3, PID 2020)
      Command line: chcp 65001
    - C:\Windows\SysWOW64\taskkill.exe (depth 3, PID 3664)
      Command line: TaskKill /F /IM 2960
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe (depth 3, PID 3412)
      Command line: Timeout /T 2 /Nobreak
      Signatures: Delays execution with timeout.exe
- C:\Users\Admin\AppData\Local\Temp\build.exe (depth 1, PID 4484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2944)
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpEEB5.tmp.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (depth 3, PID 4180)
      Command line: chcp 65001
    - C:\Windows\SysWOW64\taskkill.exe (depth 3, PID 2688)
      Command line: TaskKill /F /IM 4484
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe (depth 3, PID 2392)
      Command line: Timeout /T 2 /Nobreak
      Signatures: Delays execution with timeout.exe
- C:\Users\Admin\AppData\Local\Temp\build.exe (depth 1, PID 4476)
  Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\rundll32.exe (depth 1, PID 580)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
- C:\Windows\System32\svchost.exe (depth 1, PID 3732)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads