Analysis

max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2024 23:19
Static task: static1

Behavioral task: behavioral1
  Sample: 806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe
  Resource: win10v2004-20240802-en
General

Target: 806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe
Size: 3.8MB
MD5: 1c25367e4c2492ebf34728546f96789e
SHA1: 7ee66552ce8fab8f137e1e67dcd6f79355d78b1e
SHA256: 806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551
SHA512: 7f20b8df12f0bee55eda4d1a8ba00a234ebfb37aff83e7b4ab38186c3947f696f5ccf643d03d9e8103b2880b5f190fb465df4b099d37d6385d66dae81baec945
SSDEEP: 98304:3PbP5nCK3zBS0g4BchdDh9QWAomJbbbayyxFRPAB:3PbdvB+KkhMxJe/FlAB
Malware Config

Extracted family: stealerium
Extracted URL: https://discord.com/api/webhooks/1287529665392807997/bGooHy1iKKCIBP7y-Dpt2JaN2ByNuNEr1f3jVU-J6FjhvK_4shc2bdf_Yp-aH-WmAzbF
Signatures

- Stealerium
  An open source info stealer written in C# first seen in May 2022.

- Executes dropped EXE (2 IoCs)
  PID   Process
  2844  stub.exe
  2984  build.exe

- Loads dropped DLL (2 IoCs)
  PID   Process
  2700  806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe
  2700  806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  Flow  IoC
  4     discord.com
  5     discord.com

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  stub.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  build.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  chcp.com
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  chcp.com
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
- Delays execution with timeout.exe (2 IoCs)
  PID   Process
  944   timeout.exe
  1764  timeout.exe

- Kills process with taskkill (2 IoCs)
  PID   Process
  1740  taskkill.exe
  2028  taskkill.exe

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  PID   Process
  2700  806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  2984  build.exe
  Token: SeDebugPrivilege  2844  stub.exe
  Token: SeDebugPrivilege  1740  taskkill.exe
  Token: SeDebugPrivilege  2028  taskkill.exe

- Suspicious use of WriteProcessMemory (40 IoCs; each of the 10 distinct entries below appears 4 times in the report)
  Description                        PID   Process                                                                  procid_target
  PID 2700 wrote to memory of 2844   2700  806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe  30
  PID 2700 wrote to memory of 2984   2700  806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe  31
  PID 2844 wrote to memory of 2472   2844  stub.exe                                                                 33
  PID 2472 wrote to memory of 2516   2472  cmd.exe                                                                  35
  PID 2472 wrote to memory of 1740   2472  cmd.exe                                                                  36
  PID 2472 wrote to memory of 944    2472  cmd.exe                                                                  37
  PID 2984 wrote to memory of 592    2984  build.exe                                                                39
  PID 592 wrote to memory of 2052    592   cmd.exe                                                                  41
  PID 592 wrote to memory of 2028    592   cmd.exe                                                                  42
  PID 592 wrote to memory of 1764    592   cmd.exe                                                                  43
Processes (tree; indentation and the depth number show the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\806b5f2d3b422d192f787a6eb96d0614c943fafb2c2ea53d4917ad123ddf2551.exe"
  PID: 2700
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\stub.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\stub.exe"
    PID: 2844
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB4ED.tmp.bat
      PID: 2472
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com  (depth 4)
        Command line: chcp 65001
        PID: 2516
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\taskkill.exe  (depth 4)
        Command line: TaskKill /F /IM 2844
        PID: 1740
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\timeout.exe  (depth 4)
        Command line: Timeout /T 2 /Nobreak
        PID: 944
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe

  C:\Users\Admin\AppData\Local\Temp\build.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    PID: 2984
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.bat
      PID: 592
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com  (depth 4)
        Command line: chcp 65001
        PID: 2052
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\taskkill.exe  (depth 4)
        Command line: TaskKill /F /IM 2984
        PID: 2028
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\timeout.exe  (depth 4)
        Command line: Timeout /T 2 /Nobreak
        PID: 1764
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.6MB
  MD5: b6fd03abe0ca99462df8a8dbba293c39
  SHA1: 58b0fafd5ba58ca4bf0a5666f381bbf4b603120a
  SHA256: be3744f29ccf98ec1118ce7492a63178abeeb3e52d0fa28f59e6b3217fdfcc6d
  SHA512: f0bce4aa6efbf3be57fad71275824ed339bdcf7e8e0b928f114c92aad0d735c490730f4fc2f54ab088afc25feee203929524445f836f156ff3075134f51a43c7

- Filesize: 57B
  MD5: e71efbbd013d0dd34dda96fed216a81e
  SHA1: 59ace10116dbfcb00ad606245024d59bd25ffa5c
  SHA256: a5f247693e4431727f38a4a2c901fca040e343d5398cc1804473d31ccdcc15af
  SHA512: 233fe6c1dc535f39eff22eb6e4518bcde169ad203a5980c5b3df93b8b85d9b34b211de4e61bf1262a43edf449de3ed35304bf074a46c8fb8544d6461c19f65eb

- Filesize: 57B
  MD5: aa35232f5e24f97825e2edbadb7bab34
  SHA1: fa086b4ee326f6beca08c37101b4bca590fac3d4
  SHA256: e85e8a9e44a4c8d41749c2073e712e55c5cdf232549f40b021dc9f34daa4b4aa
  SHA512: 5ce9273c8249adf25e4bba56b18e3a2957cb9438ed6053338599a2357d6f12c8bfaf07f81b6ed5537da8f46390b50d57b3df0ac883dd4533efa17a0f5b9609d3

- Filesize: 1.6MB
  MD5: 02c88fe38285c217f895ff539c631fc5
  SHA1: b0d560a11ce564c5272e879f321688b97561f55c
  SHA256: 7b7fb709fbfa417617beda6fdceb611b51f7d4d76881a106c0edf683fd170e36
  SHA512: 45498d421c5f13af6382a2ee54c7e2a044a25334c4186450426e52b96c21b9fb97b17d6ddb515f47c9fb19ab5dab37e7bef0cfe0f544f9bb5896ea5ea18c667e