Analysis

  • max time kernel
    21s
  • max time network
    23s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-08-2024 11:23

General

  • Target

    WaveWindowsCracked.exe

  • Size

    1.6MB

  • MD5

    1558c711774126500c3e278933d0a2bb

  • SHA1

    168421e0fb742b2ae1e70130deeb65d18f88d02b

  • SHA256

    965fd8dd7b3be89609936161d673541efcad2eb709ad37016ce37efbd72b054d

  • SHA512

    6648801c431900e7deecc18ae997abdac293588248b9e64c5d8d50bfcfded0f5e4568e2592371d7b4ce7da7cf8399d761514e921a3bf7a35a812c429957976f7

  • SSDEEP

    49152:bkTq24GjdGSiqkqXfd+/9AqYanieKds+:b1EjdGSiqkqXf0FLYW

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1271851698473930752/0-NTtGyFGq1KkS0Bx3EmIVoBssXyqkg8GNp3zAN60XhQPY1LrLFrHs-zkIKSmQ0DtmDS

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WaveWindowsCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\WaveWindowsCracked.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAA98.tmp.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2376
      • C:\Windows\SysWOW64\taskkill.exe
        TaskKill /F /IM 4724
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3328
      • C:\Windows\SysWOW64\timeout.exe
        Timeout /T 2 /Nobreak
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:3752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpAA98.tmp.bat

    Filesize

    57B

    MD5

    3475dbd87bd167228e02661aee5883b8

    SHA1

    b9f67344f433333e6b73d8286867b6e7a29e7d54

    SHA256

    f58ef1f9635a4439f33eb536060112d2e77df637f9951059a3e661201ffcf4f7

    SHA512

    f93c9e3ebff2d2bbe8a76e86a780a27808c59b7742b1ea5fbc61321b62c3f76a48f6b861f1053d52ac222c21a3fd5aaa3dd155a264f1bda7e8c325cb3ed50551

  • memory/4724-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

    Filesize

    4KB

  • memory/4724-1-0x00000000002F0000-0x0000000000482000-memory.dmp

    Filesize

    1.6MB

  • memory/4724-2-0x0000000004DD0000-0x0000000004E36000-memory.dmp

    Filesize

    408KB

  • memory/4724-3-0x0000000074A80000-0x0000000075230000-memory.dmp

    Filesize

    7.7MB

  • memory/4724-4-0x0000000005460000-0x00000000054F2000-memory.dmp

    Filesize

    584KB

  • memory/4724-5-0x00000000054F0000-0x0000000005516000-memory.dmp

    Filesize

    152KB

  • memory/4724-6-0x0000000005520000-0x0000000005528000-memory.dmp

    Filesize

    32KB

  • memory/4724-9-0x0000000074A80000-0x0000000075230000-memory.dmp

    Filesize

    7.7MB