Overview

overview

10

Static

static

10

TdPrimiumCheat.exe

windows10-1703-x64

10

Resubmissions

30-08-2024 02:39

240830-c5nghatamg 10

30-08-2024 02:37

240830-c398gsshrg 10

30-08-2024 02:34

240830-c2k7zavbqp 10

Analysis

  • max time kernel
    137s
  • max time network
    137s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    30-08-2024 02:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TdPrimiumCheat.exe

  • Size

    1.6MB

  • MD5

    6627adf7167ee571e8fd6c8b1a0e8ae3

  • SHA1

    03b9112660ee73c59d84e219f15bf24ae9df48db

  • SHA256

    6c5935bcddaa1d4f809487f66db758e892cc0a7fd7704d138904bc879644ea1f

  • SHA512

    e05896a6e0d09d4dafeb2467395ca06ae1e728a4aa079041dea82940caeb71646984604fdeea482748423b10257b8462db4f573682f9f719939143fdb5691c60

  • SSDEEP

    49152:19Tq24GjdGSiqkqXfd+/9AqYanieKd0U:1YEjdGSiqkqXf0FLYW

Score
10/10
stealeriumdiscoverystealer

Malware Config

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

    stealerstealerium
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TdPrimiumCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\TdPrimiumCheat.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4384
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp690A.tmp.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2512
      • C:\Windows\SysWOW64\taskkill.exe
        TaskKill /F /IM 4384
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:776
      • C:\Windows\SysWOW64\timeout.exe
        Timeout /T 2 /Nobreak
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:4748
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2596
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:424
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2584
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3856
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3372
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2776
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:1496
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4780
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:1704
  • C:\Windows\System32\DataExchangeHost.exe
    C:\Windows\System32\DataExchangeHost.exe -Embedding
    1⤵
      PID:5668
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4404

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V28C7N3J\edgecompatviewlist[1].xml
        Filesize

        74KB

        MD5

        d4fc49dc14f63895d997fa4940f24378

        SHA1

        3efb1437a7c5e46034147cbbc8db017c69d02c31

        SHA256

        853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

        SHA512

        cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0MLE795J\fRSNKQanUHk53F1a1Bi8UA71Qt4.br[1].js
        Filesize

        289B

        MD5

        9085e17b6172d9fc7b7373762c3d6e74

        SHA1

        dab3ca26ec7a8426f034113afa2123edfaa32a76

        SHA256

        586d8f94486a8116af00c80a255cba96c5d994c5864e47deac5a7f1ae1e24b0d

        SHA512

        b27b776cb4947eef6d9e2a33b46e87796a6d4c427f4759c08cf5aa0ee410a5f12e89ca6ab9cddd86c8471037e3c505f43c8b7fc6d8417f97f9fe3c5c47216bc4

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VRZ037KL\xvEz2IbMlyghPZ3oNAHr9N-xMOA.br[1].js
        Filesize

        6KB

        MD5

        dc221228e109f89b8b10c48f2678fb46

        SHA1

        1bfc85cba5c424136941ac1dfd779a563b5beed4

        SHA256

        f4fb7234959f48c2b2ca73fd6c35d36eaf65d8c431d982a1ba208f5cdc766419

        SHA512

        46f49e5ac18436251778d1f50c027729a2442ed6541c3162d878720703e37797b6028d96eb1568c23ec5006fb022c8e05855e250d6a1a590f41e890866529cd2

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\User\Default\DOMStore\GJ258CLU\www.bing[1].xml
        Filesize

        1KB

        MD5

        c3466c37b4fd354a292eaeeff6b8e014

        SHA1

        a59baf0118ac5d6adc1010fca4e62ed70b02c2d1

        SHA256

        21d3d758bb7fc7e2c988107364c3787e75d88d602d68dd30a6b4b851b2d23028

        SHA512

        afcd37a5b25a8eeea512f5447fe363ae5daae290eef790fdc4c41031fe6a26b4b1f81aaa98230cef89b40ca407fe281c2295703610cdc9d2b7ff91f66177432f

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\7XUCG1G1\favicon-trans-bg-blue-mg[1].ico
        Filesize

        4KB

        MD5

        30967b1b52cb6df18a8af8fcc04f83c9

        SHA1

        aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

        SHA256

        439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

        SHA512

        7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\U2SCY212\favicon[1].ico
        Filesize

        758B

        MD5

        84cc977d0eb148166481b01d8418e375

        SHA1

        00e2461bcd67d7ba511db230415000aefbd30d2d

        SHA256

        bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c

        SHA512

        f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
        Filesize

        4KB

        MD5

        1bfe591a4fe3d91b03cdf26eaacd8f89

        SHA1

        719c37c320f518ac168c86723724891950911cea

        SHA256

        9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

        SHA512

        02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFC2C208790521C607.TMP
        Filesize

        24KB

        MD5

        d3cdb7663712ddb6ef5056c72fe69e86

        SHA1

        f08bf69934fb2b9ca0aba287c96abe145a69366c

        SHA256

        3e8c2095986b262ac8fccfabda2d021fc0d3504275e83cffe1f0a333f9efbe15

        SHA512

        c0acd65db7098a55dae0730eb1dcd8aa94e95a71f39dd40b087be0b06afc5d1bb310f555781853b5a78a8803dba0fb44df44bd2bb14baeca29c7c7410dffc812

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp690A.tmp.bat
        Filesize

        57B

        MD5

        6991314dda23a952ecf40cbb288cb65a

        SHA1

        1555f6764cddba03c26c4bbf5de5e4a0b8d9625f

        SHA256

        9fc396bc34411ed5509906e6a431d0176cbcee0d0097397507a50447681ba45b

        SHA512

        263db733dc1fdabb60a25539b3a05e87eaef0200a5fbf9b737a9f9b82fe0cce9a69bcd717b0e5fbe25cf7516e50de1029555857ee76b6872972f987e0cb3c668

        Download Submit

      • memory/2596-23-0x0000028B4E020000-0x0000028B4E030000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2596-7-0x0000028B4DF20000-0x0000028B4DF30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2596-42-0x0000028B4D120000-0x0000028B4D122000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2596-240-0x0000028B56BB0000-0x0000028B56BB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2596-241-0x0000028B56BC0000-0x0000028B56BC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2776-213-0x00000213C2E70000-0x00000213C2E90000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2776-66-0x000002139FFC0000-0x00000213A00C0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2776-106-0x00000213B1390000-0x00000213B13B0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2776-67-0x000002139FFC0000-0x00000213A00C0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2776-82-0x00000213B0880000-0x00000213B08A0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2776-205-0x00000213C2AA0000-0x00000213C2AC0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2776-86-0x00000213B0A00000-0x00000213B0B00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3372-97-0x000002C220E00000-0x000002C220F00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3372-114-0x000002C220FF0000-0x000002C220FF2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3372-116-0x000002C231B90000-0x000002C231B92000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3856-51-0x00000207B9700000-0x00000207B9800000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4384-0-0x0000000073E0E000-0x0000000073E0F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4384-1-0x0000000000380000-0x0000000000512000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4384-2-0x0000000004D40000-0x0000000004DA6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4384-3-0x0000000073E00000-0x00000000744EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/4384-6-0x0000000073E00000-0x00000000744EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/4780-269-0x0000023B47D30000-0x0000023B47D32000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4780-277-0x0000023B47DB0000-0x0000023B47DB2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4780-319-0x0000023B47DF0000-0x0000023B47DF2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4780-357-0x0000023B489D0000-0x0000023B48AD0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4780-363-0x0000023B36B40000-0x0000023B36B42000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4780-361-0x0000023B36B20000-0x0000023B36B22000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4780-279-0x0000023B47DD0000-0x0000023B47DD2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4780-275-0x0000023B47D90000-0x0000023B47D92000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4780-273-0x0000023B47D70000-0x0000023B47D72000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4780-265-0x0000023B47100000-0x0000023B47200000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4780-264-0x00000233348E0000-0x00000233349E0000-memory.dmp

        Filesize

        1024KB

        Download