Analysis
-
max time kernel
36s -
max time network
43s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
04-05-2024 16:24
General
-
Target
build.exe
-
Size
1.6MB
-
MD5
63acc4e186a38ca51588c82988f245ce
-
SHA1
a5a1279bb1b13aae2f9fcf762b85b12edaebaaab
-
SHA256
cac65612657f8286cbc762e58b140881b133b06bdfecf70970dd1b4ebca05200
-
SHA512
633526dd11c8c22ddaa33fd19cb1fb06d9bcf30f8a4d1e0ef914ac2af1800a24f844f88614725247720251b41519653ebf234e05110f0a37d737a281b1de674a
-
SSDEEP
24576:li2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgL4B:MTq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Extracted
stealerium
bc1qea9m68q0zex4gpp8wgpaswg6hd03skjlap4j74
Signatures
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp607A.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\taskkill.exeTaskKill /F /IM 35083⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exeTimeout /T 2 /Nobreak3⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp607A.tmp.batFilesize
57B
MD55f86451f14ef787786e584ddc5a81796
SHA1a83e7ab6b61fef15dbd9568b585fb7e2d41d290a
SHA2560e4cd0fc5d568af535b3996efc94e46f8b5c8a95329e413715447da47fb35534
SHA5127c7153cdf35b0e5fe86d3cdb7eed32c56e12e566e0a686374e6b8644460db1c43058e288daa1030d1d5b7fca57296905790bf10ac16e4d41b4002956af6a9ecc
-
memory/3508-0-0x00000000747CE000-0x00000000747CF000-memory.dmpFilesize
4KB
-
memory/3508-1-0x0000000000AC0000-0x0000000000C56000-memory.dmpFilesize
1.6MB
-
memory/3508-2-0x00000000055E0000-0x0000000005646000-memory.dmpFilesize
408KB
-
memory/3508-3-0x00000000747C0000-0x0000000074F70000-memory.dmpFilesize
7.7MB
-
memory/3508-6-0x00000000747CE000-0x00000000747CF000-memory.dmpFilesize
4KB
-
memory/3508-7-0x0000000005E90000-0x0000000005F22000-memory.dmpFilesize
584KB
-
memory/3508-8-0x00000000056D0000-0x00000000056F6000-memory.dmpFilesize
152KB
-
memory/3508-9-0x0000000005F30000-0x0000000005F38000-memory.dmpFilesize
32KB
-
memory/3508-14-0x00000000747C0000-0x0000000074F70000-memory.dmpFilesize
7.7MB