Analysis
-
max time kernel
1747s -
max time network
1159s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
17-11-2023 05:01
Behavioral task
behavioral1
Sample
stub.exe
Resource
win10v2004-20231020-en
General
-
Target
stub.exe
-
Size
1.6MB
-
MD5
a1ac9ba1ddc6808d7d9a301c9e546b65
-
SHA1
928bfdea4586169b27c5c1ad23db19d9aede5e30
-
SHA256
0fe68b8689e8d8439ae48b39dc96d6ab178e2a68c83a5cdfe577eb9d3b9537d2
-
SHA512
c1082a59cba1736639ebd0ffea1e59fc8f2b98fc4ef3f60efdb77b9da2efb5af2f7e1bda0b28ca73eb2b61d671d0b3679603f7a4e21cffacba84683305a337c2
-
SSDEEP
24576:Oi2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLM:ZTq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Signatures
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
stub.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation stub.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 4768 timeout.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 4976 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
stub.exepid process 2676 stub.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
stub.exetaskkill.exedescription pid process Token: SeDebugPrivilege 2676 stub.exe Token: SeDebugPrivilege 4976 taskkill.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
stub.execmd.exedescription pid process target process PID 2676 wrote to memory of 1784 2676 stub.exe cmd.exe PID 2676 wrote to memory of 1784 2676 stub.exe cmd.exe PID 2676 wrote to memory of 1784 2676 stub.exe cmd.exe PID 1784 wrote to memory of 4208 1784 cmd.exe chcp.com PID 1784 wrote to memory of 4208 1784 cmd.exe chcp.com PID 1784 wrote to memory of 4208 1784 cmd.exe chcp.com PID 1784 wrote to memory of 4976 1784 cmd.exe taskkill.exe PID 1784 wrote to memory of 4976 1784 cmd.exe taskkill.exe PID 1784 wrote to memory of 4976 1784 cmd.exe taskkill.exe PID 1784 wrote to memory of 4768 1784 cmd.exe timeout.exe PID 1784 wrote to memory of 4768 1784 cmd.exe timeout.exe PID 1784 wrote to memory of 4768 1784 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\stub.exe"C:\Users\Admin\AppData\Local\Temp\stub.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC0EE.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:4208
-
C:\Windows\SysWOW64\taskkill.exeTaskKill /F /IM 26763⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4976 -
C:\Windows\SysWOW64\timeout.exeTimeout /T 2 /Nobreak3⤵
- Delays execution with timeout.exe
PID:4768
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
57B
MD5443a56f6e22108cd36332eb08811308f
SHA1f31f1508879b28eab4ba701bf16c297f38ccae5a
SHA256d5a2144dd696778a1e02ba5915e46f9e7dcaab4870ea2348b8870c9c9da38999
SHA5126c1c0f008434ea45db1098f5e9f167843db3956f4fa4556020e4fe6bfdc95a0167503be680fa2153ff9a311c4d75b522bfd368e0f310a8217b77673570bfa39f