Analysis Overview
SHA256
d909f5519de499c7329a54e007ec94cf45d304e9fb17daaf7ee3cdf43675691c
Threat Level: Known bad
The file stub.exe was found to be: Known bad.
Malicious Activity Summary
Stealerium
Stealerium family
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-29 15:09
Signatures
Stealerium family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 15:09
Reported
2024-06-29 15:12
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
126s
Command Line
Signatures
Stealerium
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\stub.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\stub.exe | "C:\Users\Admin\AppData\Local\Temp\stub.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1D37.tmp.bat |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\taskkill.exe | TaskKill /F /IM 2616 |
| C:\Windows\SysWOW64\timeout.exe | Timeout /T 2 /Nobreak |
The command lines name System32 but the images run from SysWOW64: stub.exe and its children are 32-bit processes, so WoW64 file-system redirection resolves System32 to SysWOW64. 2616 is the PID of stub.exe itself (see the memory/2616-* dumps under Files), so the dropped tmp1D37.tmp.bat is a self-termination/cleanup script; note that taskkill's /IM switch takes an image name, not a PID.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
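The process list records the sample's cleanup chain (stub.exe runs cmd.exe /C on a Temp tmp1D37.tmp.bat that calls chcp 65001, TaskKill /F /IM 2616 and Timeout /T 2 /Nobreak, where 2616 is stub.exe's own PID), and the network table mixes the one real contact (discord.com over TCP 443) with resolver and reverse-lookup rows. The Python below is an added example written for this page, not part of the sandbox report or of Stealerium: it rebuilds the process tree from constructed Sysmon-style process-creation events modelled on those command lines and flags the chain, and filters the network rows down to the destinations the sample actually spoke to. The field names, every PID other than 2616, and the benign control rows are assumptions.

```python
"""Triage helpers for the behavioral1 detonation above.

Added example; not part of the sandbox report or the Stealerium code base.
Sysmon Event ID 1 style field names (ProcessId, ParentProcessId, Image,
CommandLine) are assumed; every PID except 2616 and the benign rows are
constructed.
"""
import re
from collections import defaultdict

# Constructed process-creation events mirroring the report's process list.
# Only PID 2616 (stub.exe, from the memory dump names) comes from the report.
EVENTS = [
    {"ProcessId": 2616, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\stub.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\stub.exe"'},
    {"ProcessId": 3100, "ParentProcessId": 2616,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1D37.tmp.bat'},
    {"ProcessId": 3104, "ParentProcessId": 3100,
     "Image": r"C:\Windows\SysWOW64\chcp.com", "CommandLine": "chcp 65001"},
    {"ProcessId": 3108, "ParentProcessId": 3100,
     "Image": r"C:\Windows\SysWOW64\taskkill.exe", "CommandLine": "TaskKill /F /IM 2616"},
    {"ProcessId": 3112, "ParentProcessId": 3100,
     "Image": r"C:\Windows\SysWOW64\timeout.exe", "CommandLine": "Timeout /T 2 /Nobreak"},
    # Benign control rows (constructed): an interactive shell killing notepad,
    # with no temp batch file involved. Must not be flagged.
    {"ProcessId": 4000, "ParentProcessId": 3900,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r'"C:\Windows\System32\cmd.exe"'},
    {"ProcessId": 4004, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /F /IM notepad.exe"},
]

# cmd.exe /C <...>\Temp\tmpXXXX.tmp.bat  (XXXX = four hex digits, as in tmp1D37)
TEMP_BAT_RE = re.compile(r"/c\s+\S*\\temp\\tmp[0-9a-f]{4}\.tmp\.bat\b", re.IGNORECASE)
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/IM\s+(\S+)", re.IGNORECASE)
TIMEOUT_RE = re.compile(r"\btimeout(?:\.exe)?\b.*?/T\s+(\d+)", re.IGNORECASE)


def find_self_delete_chains(events):
    """Return one finding per cmd.exe that runs a Temp tmpXXXX.tmp.bat and
    spawns both taskkill and timeout: the shape of the cleanup batch above."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)

    findings = []
    for cmd in events:
        if not cmd["Image"].lower().endswith("\\cmd.exe"):
            continue
        if not TEMP_BAT_RE.search(cmd["CommandLine"]):
            continue
        kill_targets, delay = [], None
        for child in children[cmd["ProcessId"]]:
            if m := TASKKILL_RE.search(child["CommandLine"]):
                kill_targets.append(m.group(1))
            elif m := TIMEOUT_RE.search(child["CommandLine"]):
                delay = int(m.group(1))
        if not kill_targets or delay is None:
            continue
        parent = by_pid.get(cmd["ParentProcessId"])
        findings.append({
            "cmd_pid": cmd["ProcessId"],
            "dropper": parent["Image"] if parent else None,
            "kill_targets": kill_targets,
            "delay_seconds": delay,
            # /IM expects an image name. A bare number equal to the dropper's
            # own PID (as in this sample) is a distinctive argument shape.
            "pid_passed_to_im": any(t.isdigit() and int(t) == cmd["ParentProcessId"]
                                    for t in kill_targets),
        })
    return findings


# A subset of the report's network rows: (destination, domain, proto).
NETWORK = [
    ("8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "discord.com", "udp"),
    ("162.159.137.232:443", "discord.com", "tcp"),
    ("8.8.8.8:53", "232.137.159.162.in-addr.arpa", "udp"),
]


def external_contacts(rows, resolver="8.8.8.8:53"):
    """Drop resolver traffic and reverse (in-addr.arpa) lookups so only the
    hosts the sample actually connected to remain."""
    return [(dst, dom, proto) for dst, dom, proto in rows
            if dst != resolver and not dom.endswith(".in-addr.arpa")]


if __name__ == "__main__":
    for f in find_self_delete_chains(EVENTS):
        print("self-delete chain:", f)
    for contact in external_contacts(NETWORK):
        print("external contact:", contact)
```

The detector keys on the shape of the chain (temp batch, taskkill and timeout under the same cmd.exe, with the dropper as grandparent) rather than on whether the kill succeeded; taskkill's /IM takes an image name and /PID a process ID, so `TaskKill /F /IM 2616` as issued here cannot match a process, and the `pid_passed_to_im` flag records that quirk separately so it can be used as its own indicator.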
Files
memory/2616-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp
memory/2616-1-0x0000000000760000-0x00000000008F6000-memory.dmp
memory/2616-2-0x0000000005270000-0x00000000052D6000-memory.dmp
memory/2616-3-0x0000000074A10000-0x00000000751C0000-memory.dmp
memory/2616-7-0x00000000058F0000-0x0000000005982000-memory.dmp
memory/2616-8-0x0000000005980000-0x00000000059A6000-memory.dmp
memory/2616-9-0x00000000059D0000-0x00000000059D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1D37.tmp.bat
| MD5 | 083c6fdce55536ba4f3165735e306729 |
| SHA1 | c428d7903394f51523d31e0cd453e2373e7a8caf |
| SHA256 | c4453f0f4828ef4ff94cca8a2c50f6453db50e7c3b6477d13db03cc689aa2ef8 |
| SHA512 | 3fb8f1b3181448c34b16cca85f70b56cd91a0592d7e92e373597872d47ec3226adef0841df8cc4342c67d74d00dc6737294769899f8f91e5827db8009d0d869f |
memory/2616-14-0x0000000074A10000-0x00000000751C0000-memory.dmp