Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-01-2024 03:48

General

  • Target

    0x000700000002320d-976.exe

  • Size

    1.6MB

  • MD5

    32482344f0d985670f8d87c463d732c4

  • SHA1

    9653d6f4282f0aaa0e22d454a72264f3287a1dfd

  • SHA256

    8bea801f9e9bb34de95156473919afb32a4a813b81c61b1e20374c5ab0ff010a

  • SHA512

    6060807aca6cd7dd996b46e20ac2e7c8a527f61b45880afd26fdcab736c1203e8903865e41e635bf8083c0ddc981e7e121773616c19aec03e3ca3ff5548ee7c4

  • SSDEEP

    49152:vkTq24GjdGSiqkqXfd+/9AqYanieKdsG:v1EjdGSiqkqXf0FLYW

Malware Config

Extracted

Family

stealerium

C2

https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q

Signatures

  • Stealerium

    An open-source info stealer written in C#, first seen in May 2022.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000700000002320d-976.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000700000002320d-976.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1632
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:2736
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show profile
        3⤵
        PID:892
      • C:\Windows\SysWOW64\findstr.exe
        findstr All
        3⤵
        PID:1140
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:2424
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        PID:2448
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:480

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 6dfec965b03d7e9445cf748b657b5520
    SHA1: 68c89e87a4c8e24e4851479dffe92e52b6d1d683
    SHA256: ca77db45798a169acdee4cde8132cdac95ad3fb6552e9ce2ea3fe1c5ec293f65
    SHA512: afc27a54aadb39bdd2d29d70d59be0b7c461d6498c192cc50d4091a281b8560a1da332ba4e549924d9ec5b05fac0140b2776ae0d6001f77fa563a387b607d564

  • C:\Users\Admin\AppData\Local\Temp\Cab66EF.tmp
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar6731.tmp
    Filesize: 171KB
    MD5: 9c0c641c06238516f27941aa1166d427
    SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
    SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
    SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Local\c953e488f1b1eb5bce8bc452da8f2765\Admin@OZEMQECW_en-US\Browsers\Firefox\Bookmarks.txt
    Filesize: 105B
    MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\c953e488f1b1eb5bce8bc452da8f2765\Admin@OZEMQECW_en-US\Directories\Startup.txt
    Filesize: 24B
    MD5: 68c93da4981d591704cea7b71cebfb97
    SHA1: fd0f8d97463cd33892cc828b4ad04e03fc014fa6
    SHA256: 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
    SHA512: 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

  • C:\Users\Admin\AppData\Local\c953e488f1b1eb5bce8bc452da8f2765\Admin@OZEMQECW_en-US\Directories\Videos.txt
    Filesize: 23B
    MD5: 1fddbf1169b6c75898b86e7e24bc7c1f
    SHA1: d2091060cb5191ff70eb99c0088c182e80c20f8c
    SHA256: a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
    SHA512: 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

  • C:\Users\Admin\AppData\Local\c953e488f1b1eb5bce8bc452da8f2765\Admin@OZEMQECW_en-US\System\Apps.txt
    Filesize: 3KB
    MD5: b379693a97ef74001471e07de47bc306
    SHA1: 9fff1b6d58b1e1cb1c725fa469d402c008913965
    SHA256: 1e606dfcb3e03dedfb2ff00901514beb393ebb05afe0c5c4102de512611aa471
    SHA512: 0de3449f1a4bdfc19047e59f47ea30263b540b7509bf6516c4504fa2e7e5025e646cc24d9f1354c9e302e5ba9f936ef0e84574fb565bc6fcc754ed3566ed5409

  • C:\Users\Admin\AppData\Local\c953e488f1b1eb5bce8bc452da8f2765\Admin@OZEMQECW_en-US\System\Apps.txt
    Filesize: 6KB
    MD5: 90e05e64959dcc96ed6dfb89d65334a6
    SHA1: 76840a3fb0a3a37a497a2232912753f9a9e5733a
    SHA256: 5b7c50db5b426b201287418c6032f1b300370beb66534f8cca03cf3fa5d02876
    SHA512: f9b909093eea8743f08ce5428909d5a3a4c087e4faf28c5617784c81e511505de37f1bbc9069fbedb8a0e0e45ec5880f70d1de34908ae45ff35706115e79f510

  • C:\Users\Admin\AppData\Local\c953e488f1b1eb5bce8bc452da8f2765\Admin@OZEMQECW_en-US\System\Debug.txt
    Filesize: 293B
    MD5: 0fd7975ec3900be005f60ce14df1517d
    SHA1: dc582744c92cd1d589bc111a26b4619e17b0094c
    SHA256: 17c3ef7cf1cb15f5b8afb6ce776367a689f4e6806e20b88033a3b9d1c676b919
    SHA512: c9fcb68717e54eb74ee2cd632ad5d6102cb73df9743b937452b6ab2bb04b28788b7c772b296c4b9cde7d9daeae430bdb4b0279ac082aa2e73eed686ba4fb1499

  • C:\Users\Admin\AppData\Local\c953e488f1b1eb5bce8bc452da8f2765\Admin@OZEMQECW_en-US\System\ProductKey.txt
    Filesize: 29B
    MD5: cad6c6bee6c11c88f5e2f69f0be6deb7
    SHA1: 289d74c3bebe6cca4e1d2e084482ad6d21316c84
    SHA256: dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
    SHA512: e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

  • C:\Users\Admin\AppData\Local\c953e488f1b1eb5bce8bc452da8f2765\msgid.dat
    Filesize: 19B
    MD5: a3254993673e89fe434912b24a376bc2
    SHA1: 3c566f2c2230b688abb607dee047d94ba6ea49c7
    SHA256: 2963b002b0263a67a692861e10b36adf9570dd3451a29405660c0746861537ac
    SHA512: 99bbc7c4aebdd59e1b0128c4c0bf726e97df65bae78a6cc0096fca999a56d1fc4c6c9dbae5c04ca2aaeae43839f238064248a414a9eeb96ef781243a2933c61b

  • memory/1632-2-0x0000000000F80000-0x0000000000FC0000-memory.dmp
    Filesize: 256KB

  • memory/1632-0-0x0000000001120000-0x00000000012B2000-memory.dmp
    Filesize: 1.6MB

  • memory/1632-7-0x00000000003C0000-0x00000000003C8000-memory.dmp
    Filesize: 32KB

  • memory/1632-6-0x0000000000390000-0x00000000003B6000-memory.dmp
    Filesize: 152KB

  • memory/1632-164-0x0000000006170000-0x00000000061EA000-memory.dmp
    Filesize: 488KB

  • memory/1632-5-0x0000000004990000-0x0000000004A22000-memory.dmp
    Filesize: 584KB

  • memory/1632-43-0x0000000000B00000-0x0000000000B08000-memory.dmp
    Filesize: 32KB

  • memory/1632-119-0x0000000000F80000-0x0000000000FC0000-memory.dmp
    Filesize: 256KB

  • memory/1632-42-0x0000000000780000-0x000000000078A000-memory.dmp
    Filesize: 40KB

  • memory/1632-228-0x0000000006C70000-0x0000000006D22000-memory.dmp
    Filesize: 712KB

  • memory/1632-1-0x0000000074A10000-0x00000000750FE000-memory.dmp
    Filesize: 6.9MB

  • memory/1632-312-0x0000000074A10000-0x00000000750FE000-memory.dmp
    Filesize: 6.9MB

  • memory/1632-314-0x0000000000F80000-0x0000000000FC0000-memory.dmp
    Filesize: 256KB

  • memory/1632-44-0x0000000000B50000-0x0000000000B6E000-memory.dmp
    Filesize: 120KB

  • memory/1632-326-0x0000000000F80000-0x0000000000FC0000-memory.dmp
    Filesize: 256KB