Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2024 08:01

General

  • Target

    build.exe

  • Size

    1.6MB

  • MD5

    a5b27249ecbe247acfc5cf83273d8665

  • SHA1

    95750f6e9ad5575a8ecdfa166360803bae106dea

  • SHA256

    16cfc79d7df881059cd59a5bc0fe4211e55a49105eca41810c0fb2a81f1b5fac

  • SHA512

    0d09d902ea81803b215fd48851fab45e73742468a445699bcb3f167b5a5f624aa15e16e06f30fcbb982f097f234a03794ad90a997895a7ad2204eead2ce93ea0

  • SSDEEP

    24576:Ci2Q9NXw2/wPOjdGxY2rJxkqjVnlqud+/2P+A+ZecdyFoBkkAqmZywW0n:1Tq24GjdGSiJxkqXfd+/9AqYanCLW

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1286214415032647690/r-yxbuBi8jgUxjR-tve-DhICa88aywPqPL-phwwQiPH4eUFD5sQGev1sHX8VCx21j5r_

Signatures

  • Stealerium

    An open-source info stealer written in C#, first seen in May 2022.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2504
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1488
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show profile
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:396
      • C:\Windows\SysWOW64\findstr.exe
        findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1740
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2664
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2176
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1892
      2⤵
      • Program crash
      PID:1524
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\c90794045f73dd693d04cf27e1744555\Admin@MXQFNXLT_en-US\Browsers\Firefox\Bookmarks.txt

    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\c90794045f73dd693d04cf27e1744555\Admin@MXQFNXLT_en-US\Directories\Startup.txt

    Filesize

    24B

    MD5

    68c93da4981d591704cea7b71cebfb97

    SHA1

    fd0f8d97463cd33892cc828b4ad04e03fc014fa6

    SHA256

    889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

    SHA512

    63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

  • C:\Users\Admin\AppData\Local\c90794045f73dd693d04cf27e1744555\Admin@MXQFNXLT_en-US\Directories\Videos.txt

    Filesize

    23B

    MD5

    1fddbf1169b6c75898b86e7e24bc7c1f

    SHA1

    d2091060cb5191ff70eb99c0088c182e80c20f8c

    SHA256

    a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

    SHA512

    20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

  • C:\Users\Admin\AppData\Local\c90794045f73dd693d04cf27e1744555\Admin@MXQFNXLT_en-US\System\Apps.txt

    Filesize

    4KB

    MD5

    cc72af93ff0032af559eddf65ac44e34

    SHA1

    be3788fb5fb3cecb8a5e8111405d7dfb935bd10a

    SHA256

    63ada6c55f446ec65a413cc79d792546c4342be990a3ce1c30bdcf817daea0ab

    SHA512

    ff0a34c62925d88d02e1abfe8b0bdd520a936fa63b649ca245498298605b5d2db171663d8a21b27bb2be13495c3e753e5c9d2d796532cca88a239c6620d30eaf

  • C:\Users\Admin\AppData\Local\c90794045f73dd693d04cf27e1744555\Admin@MXQFNXLT_en-US\System\Debug.txt

    Filesize

    1KB

    MD5

    6d49b5fb12a952d44ef68b21be4926b6

    SHA1

    fd9e089c0a93bec84e0f94886f731fd31875cda5

    SHA256

    2bda8f7412a7ecabd70df00566a625b7cf0fee8c893c725f21e5ff9987f58a75

    SHA512

    2a59b25200941cf6a0361509b869244e036f3a5ad70e51a4d94827e2783816751c42b8be60f08c623c1a96a8ab7c1b3bb328f88b8034b6d0f43fc53c27779c51

  • C:\Users\Admin\AppData\Local\c90794045f73dd693d04cf27e1744555\Admin@MXQFNXLT_en-US\System\ProductKey.txt

    Filesize

    29B

    MD5

    cad6c6bee6c11c88f5e2f69f0be6deb7

    SHA1

    289d74c3bebe6cca4e1d2e084482ad6d21316c84

    SHA256

    dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0

    SHA512

    e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

  • memory/2504-6-0x0000000000690000-0x00000000006B6000-memory.dmp

    Filesize

    152KB

  • memory/2504-9-0x00000000022E0000-0x00000000022FE000-memory.dmp

    Filesize

    120KB

  • memory/2504-8-0x00000000008D0000-0x00000000008D8000-memory.dmp

    Filesize

    32KB

  • memory/2504-85-0x000000007411E000-0x000000007411F000-memory.dmp

    Filesize

    4KB

  • memory/2504-7-0x00000000007B0000-0x00000000007BA000-memory.dmp

    Filesize

    40KB

  • memory/2504-130-0x0000000006120000-0x000000000619A000-memory.dmp

    Filesize

    488KB

  • memory/2504-131-0x0000000074110000-0x00000000747FE000-memory.dmp

    Filesize

    6.9MB

  • memory/2504-0-0x000000007411E000-0x000000007411F000-memory.dmp

    Filesize

    4KB

  • memory/2504-5-0x0000000005380000-0x0000000005420000-memory.dmp

    Filesize

    640KB

  • memory/2504-2-0x0000000074110000-0x00000000747FE000-memory.dmp

    Filesize

    6.9MB

  • memory/2504-1-0x0000000000920000-0x0000000000AB6000-memory.dmp

    Filesize

    1.6MB

  • memory/2504-195-0x0000000006B60000-0x0000000006C12000-memory.dmp

    Filesize

    712KB

  • memory/2504-197-0x0000000074110000-0x00000000747FE000-memory.dmp

    Filesize

    6.9MB