stealerium | 4813139020fdd02e57bca3552018108ae922248998e7274bb0eb989393d4c7f8

Analysis

max time kernel
18s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

working ahhh.exe
Size

1.6MB
MD5

02f0c3da33d2a46daf36bc2b75eb0191
SHA1

c4922a7d3ec96de43e18547e765c9c0f903def84
SHA256

4813139020fdd02e57bca3552018108ae922248998e7274bb0eb989393d4c7f8
SHA512

e1d9176eb21b9c51f04bb627e6475bd68e92e217eb7ab727677c28b76ccf8d5535ad7a3a630163228e1b31adb87f3a2c9d29e9cbf8c527cf3f3a75e6ffe7e4cd
SSDEEP

24576:jyi2Q9NXw2/wPOjdGxY2rJxkqjVnlqud+/2P+A+ZecdyFoBkkAqmZywxh:ZTq24GjdGSiJxkqXfd+/9AqYanCLx

Score

10^/10

stealerium discovery stealer

Malware Config

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	working ahhh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	working ahhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1792	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
952	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4516	working ahhh.exe
Token: SeDebugPrivilege	952	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 4376	4516	working ahhh.exe	88
PID 4516 wrote to memory of 4376	4516	working ahhh.exe	88
PID 4516 wrote to memory of 4376	4516	working ahhh.exe	88
PID 4376 wrote to memory of 2028	4376	cmd.exe	90
PID 4376 wrote to memory of 2028	4376	cmd.exe	90
PID 4376 wrote to memory of 2028	4376	cmd.exe	90
PID 4376 wrote to memory of 952	4376	cmd.exe	91
PID 4376 wrote to memory of 952	4376	cmd.exe	91
PID 4376 wrote to memory of 952	4376	cmd.exe	91
PID 4376 wrote to memory of 1792	4376	cmd.exe	92
PID 4376 wrote to memory of 1792	4376	cmd.exe	92
PID 4376 wrote to memory of 1792	4376	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\working ahhh.exe
"C:\Users\Admin\AppData\Local\Temp\working ahhh.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8D6B.tmp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- - C:\Windows\SysWOW64\taskkill.exe
    TaskKill /F /IM 4516
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /T 2 /Nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8D6B.tmp.bat

Filesize
57B

MD5
91e6016cd70cc1af1fe56313ea19a03a

SHA1
2f08d7d35d59bf0c533ca07da2d492842194e540

SHA256
39fe8b68d56b6ac8af41e65f01aa2b2fd7ce922dc2d5fbdebcced23931bfe578

SHA512
77b2bc2f4027e116271684ec1f5210bd2477cf7c8aa4ab9f38014e2a8f6ab8ba75ec5e56a57eff62373a26dbf70838582bc280d919ccfeebdb594f59ed41785d

Download Submit
memory/4516-0-0x000000007530E000-0x000000007530F000-memory.dmp

Filesize
4KB

Download
memory/4516-1-0x00000000007E0000-0x0000000000976000-memory.dmp

Filesize
1.6MB

Download
memory/4516-2-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/4516-3-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/4516-6-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download