Description	Indicator	Process	Target
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\MuiCache	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\stub.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\stub.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\taskkill.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2948 wrote to memory of 4996	N/A	C:\Users\Admin\AppData\Local\Temp\stub.exe	C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4996	N/A	C:\Users\Admin\AppData\Local\Temp\stub.exe	C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4996	N/A	C:\Users\Admin\AppData\Local\Temp\stub.exe	C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 2052	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4996 wrote to memory of 2052	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4996 wrote to memory of 2052	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4996 wrote to memory of 4800	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\taskkill.exe
PID 4996 wrote to memory of 4800	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\taskkill.exe
PID 4996 wrote to memory of 4800	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\taskkill.exe
PID 4996 wrote to memory of 3328	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 4996 wrote to memory of 3328	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 4996 wrote to memory of 3328	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB805.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 2948

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	discord.com	udp
US	162.159.137.232:443	discord.com	tcp
US	150.171.28.10:443	tse1.mm.bing.net	tcp
US	150.171.28.10:443	tse1.mm.bing.net	tcp
US	150.171.28.10:443	tse1.mm.bing.net	tcp
US	150.171.28.10:443	tse1.mm.bing.net	tcp
US	150.171.28.10:443	tse1.mm.bing.net	tcp

Files

memory/2948-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

memory/2948-1-0x0000000000840000-0x00000000009D6000-memory.dmp

memory/2948-2-0x0000000005440000-0x00000000054A6000-memory.dmp

memory/2948-3-0x0000000074C00000-0x00000000753B1000-memory.dmp

memory/2948-7-0x0000000005A90000-0x0000000005B22000-memory.dmp

memory/2948-9-0x0000000005B70000-0x0000000005B78000-memory.dmp

memory/2948-8-0x0000000005B20000-0x0000000005B46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB805.tmp.bat

MD5	69a8726e7291fc5ee256d91699037655
SHA1	bfe3e11c0875cf718c2589f68eb72316bfa2f86b
SHA256	d0bdd98b0078e2ccaaf60bfa60ac3f1eec12eeb5809befd70f148234a1140d73
SHA512	72621e9a3308ca8f04edc806dd7f8ac247ee060ad47f5d4a276f0e4f7ca35cb6e3846e94804450fbdc1f815703d43b8c5e40da6fd9658ea99850f5832288e49a

memory/2948-14-0x0000000074C00000-0x00000000753B1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5	9a7af7f1f08f7de9da3ba647286ee5a6
SHA1	d7a23961ba5f8c4242a03f20686ff516c2ae432c
SHA256	dddc3d322b46ec53927c26326a4f4d573dec131fbe668450f984c91c3104a08b
SHA512	64b0d94e68aa2d0ee9d02f170de6989f5255c5c57d05dffbf4dbbe012dae43a6f4dbd59c6a85fd2621fb84ae7f4cdf486a089b90e3e6c4fce1b152ba5aa6ba58

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5	35745802ec2865acb4c60e651e5a8620
SHA1	f10c746a71c2741790aa3f5160ea7d9be1a1920a
SHA256	ef386e977e9fcfc811f2710d0d630e23e2278cf9811770da0c2f10f3965b7a63
SHA512	0031f739cafa1089dc655a3509bc215fc900c20734507a1b0b69f1ad1567fb2fe4af725360cf952a4689e89973bbd59a53ea6ff8bd6c4c67b9e732f66f14a42f

Malware Analysis Report

2024-08-06 12:39

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Sample ID	240629-thw9katerp
Target	stub.exe
SHA256	d909f5519de499c7329a54e007ec94cf45d304e9fb17daaf7ee3cdf43675691c
Tags	stealerium stealer