Overview

overview

10

Static

static

10

ccf5a47144...35.exe

windows7-x64

10

ccf5a47144...35.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2024 08:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ccf5a47144d4d2e99d2cb7fa4d620c18422e1a85da05ed46f2f574cd671cc335.exe

  • Size

    1.6MB

  • MD5

    2b295d7ed694fd5f8d154e2809dde5c7

  • SHA1

    8fe4226bfd0795bc92ad62a518e1c5313a1063c2

  • SHA256

    ccf5a47144d4d2e99d2cb7fa4d620c18422e1a85da05ed46f2f574cd671cc335

  • SHA512

    f1cc93b2bd0d56c604dd601dc34a5152382b553e847d08fedc48f08ad1badfdd7dace981e2e1837db2bda22f3b3f1be2269047ddd40a591b29a2fe1b876c8d43

  • SSDEEP

    49152:skTq24GjdGSiqkqXfd+/9AqYanieKds1:s1EjdGSiqkqXf0FLYW

Score
10/10
stealeriumstealer

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1246735852525326437/GcTg3JPGVTvvvYi6IMfM_bflcLd6mmUk7zrqDc3jqVTKiN4-XEedjVbl6jUHpWD6Vdzi

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

    stealerstealerium
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccf5a47144d4d2e99d2cb7fa4d620c18422e1a85da05ed46f2f574cd671cc335.exe
    "C:\Users\Admin\AppData\Local\Temp\ccf5a47144d4d2e99d2cb7fa4d620c18422e1a85da05ed46f2f574cd671cc335.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4F54.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:4748
        • C:\Windows\SysWOW64\taskkill.exe
          TaskKill /F /IM 2380
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4468
        • C:\Windows\SysWOW64\timeout.exe
          Timeout /T 2 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:1688
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:5068

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp4F54.tmp.bat
        Filesize

        57B

        MD5

        fdf252f6b55aefd68e5deac55baa4cb2

        SHA1

        ee94e8696ea7c6516ce7503a73f63b7063bfdde0

        SHA256

        b05fa4c1269970c64684264cbe2d6cc1be7d35981da47ae6d2204996374bbe33

        SHA512

        fcee7f26a04074b95fc9148bcafbd247173743f38b01101ec6cb0705cafb1382986ac1f643d3c885f1738b5c498f858d6821b9691adbe07350e0bf226eea1cb8

        Download Submit
      • memory/2380-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2380-1-0x00000000007A0000-0x0000000000932000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2380-2-0x0000000005320000-0x0000000005386000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2380-3-0x0000000074CB0000-0x0000000075460000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2380-7-0x0000000005B50000-0x0000000005BE2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2380-8-0x0000000005BE0000-0x0000000005C06000-memory.dmp
        Filesize

        152KB

        Download
      • memory/2380-9-0x0000000005C10000-0x0000000005C18000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2380-14-0x0000000074CB0000-0x0000000075460000-memory.dmp
        Filesize

        7.7MB

        Download