Analysis

  max time kernel:  118s
  max time network: 119s
  platform:         windows7_x64
  resource:         win7-20240708-en
  resource tags:    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted:        02-09-2024 04:56
Behavioral tasks

  behavioral1  Sample: stub.exe  Resource: win7-20240708-en
  behavioral2  Sample: stub.exe  Resource: win10v2004-20240802-en
General

  Target:  stub.exe
  Size:    1.6MB
  MD5:     6627adf7167ee571e8fd6c8b1a0e8ae3
  SHA1:    03b9112660ee73c59d84e219f15bf24ae9df48db
  SHA256:  6c5935bcddaa1d4f809487f66db758e892cc0a7fd7704d138904bc879644ea1f
  SHA512:  e05896a6e0d09d4dafeb2467395ca06ae1e728a4aa079041dea82940caeb71646984604fdeea482748423b10257b8462db4f573682f9f719939143fdb5691c60
  SSDEEP:  49152:19Tq24GjdGSiqkqXfd+/9AqYanieKd0U:1YEjdGSiqkqXf0FLYW
Malware Config

Signatures

- Stealerium
  An open source info stealer written in C#, first seen in May 2022.

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  chcp.com
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  stub.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- Delays execution with timeout.exe (1 IoCs)

  pid   Process
  2800  timeout.exe

- Kills process with taskkill (1 IoCs)

  pid   Process
  2472  taskkill.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)

  description              pid   Process
  Token: SeDebugPrivilege  1452  stub.exe
  Token: SeDebugPrivilege  2472  taskkill.exe

- Suspicious use of WriteProcessMemory (16 IoCs; the report lists each row four times)

  description                  pid   Process   procid_target  count
  PID 1452 wrote to memory of  2780  stub.exe  31             4
  PID 2780 wrote to memory of  2196  cmd.exe   33             4
  PID 2780 wrote to memory of  2472  cmd.exe   34             4
  PID 2780 wrote to memory of  2800  cmd.exe   35             4
Processes

- C:\Users\Admin\AppData\Local\Temp\stub.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\stub.exe"
  PID: 1452
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA61F.tmp.bat
    PID: 2780
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      PID: 2196
      - System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\taskkill.exe
      Command line: TaskKill /F /IM 1452
      PID: 2472
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\timeout.exe
      Command line: Timeout /T 2 /Nobreak
      PID: 2800
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 57B
  MD5:     0c5b13da24a8df2f4a8f4b479d152b73
  SHA1:    fa32978d2bdc7c43cc05241d03984f7d86b20c0a
  SHA256:  1aed2f6afab6f3fbea31c38aa5c781d976ec4a54dfd3d65cc3e05cc1bf3a280c
  SHA512:  3bdbe899e80422799ae7a32ff2fd68b42ca0d1e2a62772fe3c851c05f299909ea28dac950758c6afd673029b70a4137c93a5af5d1ec17bdb0f48499215e5e369