stealerium | 4813139020fdd02e57bca3552018108ae922248998e7274bb0eb989393d4c7f8

Analysis

max time kernel
361s
max time network
362s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

working ahhh.exe
Size

1.6MB
MD5

02f0c3da33d2a46daf36bc2b75eb0191
SHA1

c4922a7d3ec96de43e18547e765c9c0f903def84
SHA256

4813139020fdd02e57bca3552018108ae922248998e7274bb0eb989393d4c7f8
SHA512

e1d9176eb21b9c51f04bb627e6475bd68e92e217eb7ab727677c28b76ccf8d5535ad7a3a630163228e1b31adb87f3a2c9d29e9cbf8c527cf3f3a75e6ffe7e4cd
SSDEEP

24576:jyi2Q9NXw2/wPOjdGxY2rJxkqjVnlqud+/2P+A+ZecdyFoBkkAqmZywxh:ZTq24GjdGSiJxkqXfd+/9AqYanCLx

Score

10^/10

stealerium discovery stealer

Malware Config

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	working ahhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2740	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2784	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	working ahhh.exe
Token: SeDebugPrivilege	2784	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 332	2160	working ahhh.exe	32
PID 2160 wrote to memory of 332	2160	working ahhh.exe	32
PID 2160 wrote to memory of 332	2160	working ahhh.exe	32
PID 2160 wrote to memory of 332	2160	working ahhh.exe	32
PID 332 wrote to memory of 2712	332	cmd.exe	34
PID 332 wrote to memory of 2712	332	cmd.exe	34
PID 332 wrote to memory of 2712	332	cmd.exe	34
PID 332 wrote to memory of 2712	332	cmd.exe	34
PID 332 wrote to memory of 2784	332	cmd.exe	35
PID 332 wrote to memory of 2784	332	cmd.exe	35
PID 332 wrote to memory of 2784	332	cmd.exe	35
PID 332 wrote to memory of 2784	332	cmd.exe	35
PID 332 wrote to memory of 2740	332	cmd.exe	36
PID 332 wrote to memory of 2740	332	cmd.exe	36
PID 332 wrote to memory of 2740	332	cmd.exe	36
PID 332 wrote to memory of 2740	332	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\working ahhh.exe
"C:\Users\Admin\AppData\Local\Temp\working ahhh.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD421.tmp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\taskkill.exe
    TaskKill /F /IM 2160
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /T 2 /Nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD421.tmp.bat

Filesize
57B

MD5
47b49a92a9f030eb6aa158b8fd77ad06

SHA1
8619dd2517ded451d50f042979bf96ca0d6b0274

SHA256
777b8fca43eacb65e70ec3d8b13a19e6af8ce2852bcf4c5812845c620427379f

SHA512
065b610d2c6aaf240767e6abde01b523e2db6aaf9e2d87885368a24f36773cfdee5cd4f0e8456822270a00bd8db9d209dc985b2b3b516c1855590f2ec37d7d86

Download Submit
memory/2160-0-0x000000007403E000-0x000000007403F000-memory.dmp

Filesize
4KB

Download
memory/2160-1-0x0000000000A50000-0x0000000000BE6000-memory.dmp

Filesize
1.6MB

Download
memory/2160-2-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2160-5-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download