Analysis Overview
SHA256
0651c2d33fe45643e1e6c85297fd9a361dec41567daf035f00c8bfa81e12d122
Threat Level: Known bad
The file build.exe was found to be: Known bad.
Malicious Activity Summary
Stealerium
Stealerium family
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Delays execution with timeout.exe
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-24 22:26
Signatures
Stealerium family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-24 22:26
Reported
2024-05-24 22:29
Platform
win10-20240404-en
Max time kernel
135s
Max time network
136s
Command Line
Signatures
Stealerium
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\build.exe
C:\Users\Admin\AppData\Local\Temp\build.exe
C:\Users\Admin\AppData\Local\Temp\build.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp760B.tmp.bat
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 4772
C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4772-0-0x0000000073F8E000-0x0000000073F8F000-memory.dmp
memory/4772-1-0x0000000000BE0000-0x0000000000D72000-memory.dmp
memory/4772-2-0x0000000003130000-0x0000000003196000-memory.dmp
memory/4772-3-0x0000000073F80000-0x000000007466E000-memory.dmp
memory/4772-6-0x0000000005B40000-0x0000000005BD2000-memory.dmp
memory/4772-7-0x0000000005770000-0x0000000005796000-memory.dmp
memory/4772-8-0x00000000057A0000-0x00000000057A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp760B.tmp.bat
| Algorithm | Hash |
|---|---|
| MD5 | f522e9bea46a0724a916c7203e526276 |
| SHA1 | c29cfbdb4d291191c52b6933ca2ca70b66066afe |
| SHA256 | 8a02f5165b6b302d4993a41b3177d9c81d9fbdf6650c266b789aed612afe67a9 |
| SHA512 | b498cdeafc6f382ef994a49e176a630073ad86d7a4b9eea8763eb6e6eaa58e638c253a6cb63732332355ae2101290fc42beb3dafdfffbdc0d42e748f92c09a15 |
memory/4772-13-0x0000000073F80000-0x000000007466E000-memory.dmp