Analysis
- max time kernel: 93s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-09-2024 21:44
Behavioral task: behavioral1
- Sample: stub.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: stub.exe
- Resource: win10v2004-20240802-en
General
- Target: stub.exe
- Size: 3.6MB
- MD5: 692985c7b0ff2fef9bdc934a6e07a368
- SHA1: 81aba4700e54284587048bb29a2f2810ff0ed68c
- SHA256: 738bff49a7d0bf56466323ca5738e97829123984ed5097edbcef7bea308fdcd8
- SHA512: e96fda010c8df7434b0df93764ef41cffd8e922491719440e79fdcd3649530f48a6128bf06d4096ca0e744803726f9fe198aac0e9a992ba406d9aa3ff7adb660
- SSDEEP: 98304:AEjdGSi3kqXf0FLYWCLbi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13:S3kSILYWqZAkuujCPX9YG9he5GnQCAJS
Malware Config
Signatures
- Stealerium
  An open-source info stealer written in C#, first seen in May 2022.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | stub.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stub.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
- Delays execution with timeout.exe (1 IoC)
  pid | Process
  3340 | timeout.exe
- Kills process with taskkill (1 IoC)
  pid | Process
  2208 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1276 | stub.exe
  Token: SeDebugPrivilege | 2208 | taskkill.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1276 wrote to memory of 3984 | 1276 | stub.exe | 83
  PID 1276 wrote to memory of 3984 | 1276 | stub.exe | 83
  PID 1276 wrote to memory of 3984 | 1276 | stub.exe | 83
  PID 3984 wrote to memory of 5016 | 3984 | cmd.exe | 85
  PID 3984 wrote to memory of 5016 | 3984 | cmd.exe | 85
  PID 3984 wrote to memory of 5016 | 3984 | cmd.exe | 85
  PID 3984 wrote to memory of 2208 | 3984 | cmd.exe | 86
  PID 3984 wrote to memory of 2208 | 3984 | cmd.exe | 86
  PID 3984 wrote to memory of 2208 | 3984 | cmd.exe | 86
  PID 3984 wrote to memory of 3340 | 3984 | cmd.exe | 87
  PID 3984 wrote to memory of 3340 | 3984 | cmd.exe | 87
  PID 3984 wrote to memory of 3340 | 3984 | cmd.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\stub.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\stub.exe"
  Signatures:
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1276
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp952B.tmp.bat
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3984
    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      Signatures:
      - System Location Discovery: System Language Discovery
      PID: 5016
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: TaskKill /F /IM 1276
      Signatures:
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2208
    - C:\Windows\SysWOW64\timeout.exe
      Command line: Timeout /T 2 /Nobreak
      Signatures:
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
      PID: 3340
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 57B
- MD5: 5cc97289bf87aa28c4312a78977701a1
- SHA1: db8baa7b28199b16a4c5a07c102998fa13251759
- SHA256: 5017872a576a4e9feae0bbad4580892c1af8ac9a0b06c4bf23f70f0ccc247f1b
- SHA512: 0fe0f9563b073524ecf7baf242bfa724a6f26f1b56b1c7d455b5a66cda14c76130818ca7c545cd38c5006669ff801a732fc0f4200be37afb19cb6661d6dc1986