Malware Analysis Report

2024-08-06 12:40

Sample ID 240602-khw45agh84
Target stub.exe
SHA256 6c5935bcddaa1d4f809487f66db758e892cc0a7fd7704d138904bc879644ea1f
Tags
stealerium stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6c5935bcddaa1d4f809487f66db758e892cc0a7fd7704d138904bc879644ea1f

Threat Level: Known bad

The file stub.exe was found to be: Known bad.

Malicious Activity Summary

stealerium stealer

Stealerium family

Stealerium

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-02 08:36

Signatures

Stealerium family

stealerium

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 08:36

Reported

2024-06-02 08:39

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Signatures

Stealerium

stealer stealerium

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\stub.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1972 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1972 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1972 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1972 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1972 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1972 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1972 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1972 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp15B6.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 3352

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/3352-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

memory/3352-1-0x0000000000F20000-0x00000000010B2000-memory.dmp

memory/3352-2-0x0000000005AD0000-0x0000000005B36000-memory.dmp

memory/3352-3-0x0000000074E40000-0x00000000755F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp15B6.tmp.bat

MD5 6a487d2d6bc3e05cc0336b25d92c9d13
SHA1 d8e50f852d09c80611dc9ce121102d44f9a131b3
SHA256 f95666fdea3a60658fe16de0c5cdb7bf3b4ddecaa2ec35db9b4739ab16da1ba5
SHA512 cebf2c67f480cb7856e2323faa1a44d0a4c8b1ca70d3a3690586f0f220369be53c617a584c16e14c35c89f3dddf9067dffdc520d8ec094a57650a32230362bfb

memory/3352-6-0x0000000074E40000-0x00000000755F0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 08:36

Reported

2024-06-02 08:39

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Signatures

Stealerium

stealer stealerium

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2664 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2664 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2664 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2664 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2664 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2664 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2664 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2664 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2664 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2664 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2664 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 2772

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

N/A

Files

memory/2772-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

memory/2772-1-0x0000000001180000-0x0000000001312000-memory.dmp

memory/2772-2-0x0000000074A30000-0x000000007511E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.bat

MD5 3e8058bc4ef5d56509802a3011fb6b03
SHA1 b14cd46cbd1f4c04ffc0b86afdae7c73acbacb07
SHA256 72484263b9d69f5beb124db722e2b2fecf62b913645fd395ed1cd34544e2631a
SHA512 e4a732777b5bdd3a9bdd121343a0af6c85c90c5cfe850600ff05fdbfdc1a3f1eafda985e3b816f9f7cbd29b0c7af121fcf571a0f952c0ebcbd7a478564351413

memory/2772-5-0x0000000074A30000-0x000000007511E000-memory.dmp