Analysis

  • max time kernel
    1747s
  • max time network
    1159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-11-2023 05:01

General

  • Target

    stub.exe

  • Size

    1.6MB

  • MD5

    a1ac9ba1ddc6808d7d9a301c9e546b65

  • SHA1

    928bfdea4586169b27c5c1ad23db19d9aede5e30

  • SHA256

    0fe68b8689e8d8439ae48b39dc96d6ab178e2a68c83a5cdfe577eb9d3b9537d2

  • SHA512

    c1082a59cba1736639ebd0ffea1e59fc8f2b98fc4ef3f60efdb77b9da2efb5af2f7e1bda0b28ca73eb2b61d671d0b3679603f7a4e21cffacba84683305a337c2

  • SSDEEP

    24576:Oi2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLM:ZTq24GjdGSiqkqXfd+/9AqYanieKd

Score
10/10

Malware Config

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (1 IoC)
  • Kills process with taskkill (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\stub.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC0EE.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:4208
        • C:\Windows\SysWOW64\taskkill.exe
          TaskKill /F /IM 2676
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4976
        • C:\Windows\SysWOW64\timeout.exe
          Timeout /T 2 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:4768


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpC0EE.tmp.bat

    Filesize

    57B

    MD5

    443a56f6e22108cd36332eb08811308f

    SHA1

    f31f1508879b28eab4ba701bf16c297f38ccae5a

    SHA256

    d5a2144dd696778a1e02ba5915e46f9e7dcaab4870ea2348b8870c9c9da38999

    SHA512

    6c1c0f008434ea45db1098f5e9f167843db3956f4fa4556020e4fe6bfdc95a0167503be680fa2153ff9a311c4d75b522bfd368e0f310a8217b77673570bfa39f

  • memory/2676-0-0x0000000074580000-0x0000000074D30000-memory.dmp

    Filesize

    7.7MB

  • memory/2676-1-0x00000000006D0000-0x0000000000866000-memory.dmp

    Filesize

    1.6MB

  • memory/2676-2-0x0000000005220000-0x0000000005286000-memory.dmp

    Filesize

    408KB

  • memory/2676-3-0x0000000002C70000-0x0000000002C80000-memory.dmp

    Filesize

    64KB

  • memory/2676-10-0x0000000074580000-0x0000000074D30000-memory.dmp

    Filesize

    7.7MB