Analysis
-
max time kernel
13s -
max time network
19s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
04-05-2024 16:17
General
-
Target
stub.exe
-
Size
1.6MB
-
MD5
af79dfc8146768215e0bf4b450c8599f
-
SHA1
6377cb6ee690201f0f52e226c00430253a66594b
-
SHA256
18ba00b3a2ce55339ad848455df7fd708da30bbc7fe5df880a1affe11a548bc8
-
SHA512
cc2f53a492e10f0386459cb74bb0938421e62a2b6ccfb0a01be9bc60da0ed45f27a0e1572eeb8ef68885c741577b514e8642f81643513c13e1d0317aa860db4f
-
SSDEEP
24576:gdi2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLaA:gUTq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Signatures
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\stub.exe"C:\Users\Admin\AppData\Local\Temp\stub.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5D24.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\taskkill.exeTaskKill /F /IM 3163⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exeTimeout /T 2 /Nobreak3⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp5D24.tmp.batFilesize
56B
MD52b82064348986191a88e345965ac2e99
SHA12d533ee8d09c7850d7a949680232f75579158e64
SHA256b1c6c3605852433062e0c2361bc309af6fa2ef1441f8d304931d01f3ae28b409
SHA512e8f75f8a821a75aea29406fdc48d705e5e200fe96a40e73284d4eb5915ad5c9dd96af29af49500dc8e9c18b0e920f2f754cf0ad4a5addc48e607c05d6824d4c4
-
memory/316-0-0x000000007488E000-0x000000007488F000-memory.dmpFilesize
4KB
-
memory/316-1-0x00000000007C0000-0x0000000000956000-memory.dmpFilesize
1.6MB
-
memory/316-2-0x00000000052F0000-0x0000000005356000-memory.dmpFilesize
408KB
-
memory/316-3-0x0000000074880000-0x0000000075030000-memory.dmpFilesize
7.7MB
-
memory/316-6-0x0000000005950000-0x00000000059E2000-memory.dmpFilesize
584KB
-
memory/316-7-0x00000000059E0000-0x0000000005A06000-memory.dmpFilesize
152KB
-
memory/316-8-0x0000000005A30000-0x0000000005A38000-memory.dmpFilesize
32KB
-
memory/316-13-0x0000000074880000-0x0000000075030000-memory.dmpFilesize
7.7MB