Analysis
-
max time kernel
125s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
04-05-2024 16:11
General
-
Target
build.exe
-
Size
1.6MB
-
MD5
e7b2f3e0b794bf5fa93620cf7d0493f3
-
SHA1
841a92af5c5c71a27379ad1e9acd426d0c4739b4
-
SHA256
1d0a104ed7ac079e1d15b29288eab5c9fdd6691817b37ed7fff8af14c378b9d4
-
SHA512
1d96b921857c559071a8a4fb19780126b594f85cd3464d1d8755d0bafc30d8e8baed6dd22446ffa92d9edcea932724931336598aa8d13c1f9cf1648ced796c3a
-
SSDEEP
24576:zi2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgL4L:2Tq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Extracted
stealerium
bc1qea9m68q0zex4gpp8wgpaswg6hd03skjlap4j74
Signatures
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6040.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\taskkill.exeTaskKill /F /IM 3963⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exeTimeout /T 2 /Nobreak3⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp6040.tmp.batFilesize
56B
MD59ff71c9e0971c54ad2be7ffc4a55ae0e
SHA19feeec91d12541a041d7c5745f4e567cef31c3ef
SHA2566741dd14ecdedbcc4da21d9c867a1dbc5ebdb7863039948de628f565103763ce
SHA512549a93f70d12d9f1248bc203ba4b50d5a59b44310e401aef7742cdbe25b71de94c24b73d0e874c567fde7d01af49c564ddccdbbb47a502c093758f7031fc2f48
-
memory/396-0-0x00000000751AE000-0x00000000751AF000-memory.dmpFilesize
4KB
-
memory/396-1-0x0000000000950000-0x0000000000AE6000-memory.dmpFilesize
1.6MB
-
memory/396-2-0x0000000005360000-0x00000000053C6000-memory.dmpFilesize
408KB
-
memory/396-3-0x00000000751A0000-0x0000000075950000-memory.dmpFilesize
7.7MB
-
memory/396-6-0x00000000059A0000-0x0000000005A32000-memory.dmpFilesize
584KB
-
memory/396-7-0x0000000005A30000-0x0000000005A56000-memory.dmpFilesize
152KB
-
memory/396-8-0x0000000005A80000-0x0000000005A88000-memory.dmpFilesize
32KB
-
memory/396-13-0x00000000751A0000-0x0000000075950000-memory.dmpFilesize
7.7MB