Analysis Overview
SHA256
e9733be57a59269bdcb821ce21eff80282766a594e59988be7e5ff82e74d9854
Threat Level: Known bad
The file Output.exe was found to be: Known bad.
Malicious Activity Summary
Stealerium family
Stealerium
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-17 13:24
Signatures
Stealerium family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 13:24
Reported
2024-06-17 13:24
Platform
win10v2004-20240508-en
Max time kernel
30s
Max time network
30s
Command Line
Signatures
Stealerium
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Output.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Output.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp856C.tmp.bat
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 3016
C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/3016-0-0x000000007464E000-0x000000007464F000-memory.dmp
memory/3016-1-0x0000000000390000-0x0000000000522000-memory.dmp
memory/3016-2-0x0000000004DD0000-0x0000000004E36000-memory.dmp
memory/3016-3-0x0000000074640000-0x0000000074DF0000-memory.dmp
memory/3016-4-0x0000000005230000-0x00000000052C2000-memory.dmp
memory/3016-5-0x0000000004D90000-0x0000000004DB6000-memory.dmp
memory/3016-6-0x0000000001020000-0x0000000001028000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp856C.tmp.bat
| MD5 | 6d6ae85b6f710541910bd1e1aa0ada65 |
| SHA1 | b776cc97c2943ca8603487c168432dae4c52a268 |
| SHA256 | d1fcb47c86e1dfcf25fc911cc17d9fba8e2f9fcd9268cecf78f81fe31d94f20c |
| SHA512 | 71fae9876b080949b6e309b4dbf7435dead599a8622f26a901bcde49e5a90a33e01e6e35fae6d2b8121c57fdb53df9e6eb491ea954f6a3f3542cfa4a5cd595de |
memory/3016-9-0x0000000074640000-0x0000000074DF0000-memory.dmp