Analysis
- max time kernel: 67s
- max time network: 54s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 14:17
Behavioral tasks
- behavioral1: sample build.exe, resource win7-20231129-en
- behavioral2: sample build.exe, resource win10v2004-20240419-en
General
- Target: build.exe
- Size: 1.6MB
- MD5: 03c0235c09b30b61f40fbb65d5bee883
- SHA1: 31d971d0fc6293ad67a0c84ea88d0e7e15c4ce29
- SHA256: 9a6b55d533c291f4b8706630f55663db1a11b2a1af3bf536b4a2abfa9761633e
- SHA512: 454288409757bc72c4b66ab66de02cb3d8559c1fdabac032885752819560f2d4c968674aca85ffa6430addd5a9fbfa12cb80cf9f131dcefb09c343eddafff540
- SSDEEP: 49152:DcTq24GjdGSiqkqXfd+/9AqYanieKdYX:D9EjdGSiqkqXf0FLYW
Malware Config
Extracted
- Family: stealerium
- C2 (Discord webhook): https://discord.com/api/webhooks/1234145797856038953/Qx5Y46YXxYE_v9-5-5iTyAlkR-pe2Cn2DAdNinRgP7FgwC51wV8RMBhojwvQHc9imqqi
Signatures
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (process | description | ioc):
    build.exe | Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid | process):
    3824 | timeout.exe
- Kills process with taskkill (1 IoCs)
  Processes (pid | process):
    4616 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid | process):
    3400 | build.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3400 | build.exe
    Token: SeDebugPrivilege | 4616 | taskkill.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process; each relation is reported three times in the original listing):
    PID 3400 wrote to memory of 2932 | 3400 | build.exe | cmd.exe
    PID 2932 wrote to memory of 2180 | 2932 | cmd.exe | chcp.com
    PID 2932 wrote to memory of 4616 | 2932 | cmd.exe | taskkill.exe
    PID 2932 wrote to memory of 3824 | 2932 | cmd.exe | timeout.exe
Processes (process tree; depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\build.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp74D2.tmp.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      command line: chcp 65001
    - C:\Windows\SysWOW64\taskkill.exe
      command line: TaskKill /F /IM 3400
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe
      command line: Timeout /T 2 /Nobreak
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp74D2.tmp.bat
  Filesize: 57B
  MD5: a906b711838dbeb94b564e15e7321638
  SHA1: 25761313e1c959df80f239631355af7821a2f9a5
  SHA256: 108b2b0d66f5ba121854c935dde842ee0d225decf9270692872c348060454e2c
  SHA512: 1956a15e60bd2368628951e00a31e1c8446cfa23bdc55965d24b475365b06eeb8e86bf2987c3623d2fa84a427d882098fea7d1e2d99e4d33f21072daea26175b
- memory/3400-0-0x0000000000550000-0x00000000006E4000-memory.dmp
  Filesize: 1.6MB
- memory/3400-1-0x0000000075200000-0x00000000759B0000-memory.dmp
  Filesize: 7.7MB
- memory/3400-2-0x0000000005070000-0x00000000050D6000-memory.dmp
  Filesize: 408KB
- memory/3400-3-0x0000000005200000-0x0000000005210000-memory.dmp
  Filesize: 64KB
- memory/3400-6-0x0000000005600000-0x0000000005692000-memory.dmp
  Filesize: 584KB
- memory/3400-7-0x0000000005690000-0x00000000056B6000-memory.dmp
  Filesize: 152KB
- memory/3400-8-0x00000000056C0000-0x00000000056C8000-memory.dmp
  Filesize: 32KB
- memory/3400-13-0x0000000075200000-0x00000000759B0000-memory.dmp
  Filesize: 7.7MB