erbium | 436d974724bad165f4c6972529740dc2ea0c112c4a5957d75a7220090ddd5ded

Resubmissions

31/12/2024, 09:49

241231-ltbs1axkfr 10

Analysis

max time kernel
46s
max time network
46s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
31/12/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

password ( gui2022 ) (1).zip
Size

642KB
MD5

f903dc6148d008fd3846b652c696326f
SHA1

68cc1bf8335e353d51b62b799405f3fee1d7a66c
SHA256

436d974724bad165f4c6972529740dc2ea0c112c4a5957d75a7220090ddd5ded
SHA512

f23c6292eefa45f456f15db6506a12c8c941e1daeb09c17709864a857e2e8a4a1a2c425a38ab507b23295328220a64dc524a5ccef107fcb8bc42da535fc614ff
SSDEEP

12288:n9OujvTwkuLx3KAlAN6mODQnclrbtR2c/rO0Ud:Iuo1Kk06Qmz2cTVY

Score

10^/10

erbium discovery stealer

Malware Config

Extracted

Family

erbium

77.73.133.53

Signatures

Erbium
Erbium is an infostealer written in C++ and first seen in July 2022.
stealer erbium
Erbium family
erbium

Executes dropped EXE 7 IoCs

pid	Process
888	Script GUI.exe
2640	Script GUI.exe
1052	Script GUI.exe
4856	Script GUI.exe
1452	Script GUI.exe
1068	Script GUI.exe
4772	Script GUI.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 888 set thread context of 4276	888	Script GUI.exe	82
PID 2640 set thread context of 3224	2640	Script GUI.exe	85
PID 1052 set thread context of 248	1052	Script GUI.exe	88
PID 4856 set thread context of 1528	4856	Script GUI.exe	91
PID 1452 set thread context of 2192	1452	Script GUI.exe	95
PID 1068 set thread context of 1212	1068	Script GUI.exe	98
PID 4772 set thread context of 1964	4772	Script GUI.exe	101

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Script GUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Script GUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Script GUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Script GUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Script GUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Script GUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Script GUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2284	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2284	7zFM.exe
Token: 35	2284	7zFM.exe
Token: SeSecurityPrivilege	2284	7zFM.exe
Token: SeSecurityPrivilege	2284	7zFM.exe
Token: SeSecurityPrivilege	2284	7zFM.exe
Token: SeSecurityPrivilege	2284	7zFM.exe
Token: SeSecurityPrivilege	2284	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe
2284	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1880	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 888	2284	7zFM.exe	78
PID 2284 wrote to memory of 888	2284	7zFM.exe	78
PID 2284 wrote to memory of 888	2284	7zFM.exe	78
PID 888 wrote to memory of 4276	888	Script GUI.exe	82
PID 888 wrote to memory of 4276	888	Script GUI.exe	82
PID 888 wrote to memory of 4276	888	Script GUI.exe	82
PID 888 wrote to memory of 4276	888	Script GUI.exe	82
PID 888 wrote to memory of 4276	888	Script GUI.exe	82
PID 2284 wrote to memory of 2640	2284	7zFM.exe	83
PID 2284 wrote to memory of 2640	2284	7zFM.exe	83
PID 2284 wrote to memory of 2640	2284	7zFM.exe	83
PID 2640 wrote to memory of 3224	2640	Script GUI.exe	85
PID 2640 wrote to memory of 3224	2640	Script GUI.exe	85
PID 2640 wrote to memory of 3224	2640	Script GUI.exe	85
PID 2640 wrote to memory of 3224	2640	Script GUI.exe	85
PID 2640 wrote to memory of 3224	2640	Script GUI.exe	85
PID 2284 wrote to memory of 1052	2284	7zFM.exe	86
PID 2284 wrote to memory of 1052	2284	7zFM.exe	86
PID 2284 wrote to memory of 1052	2284	7zFM.exe	86
PID 1052 wrote to memory of 248	1052	Script GUI.exe	88
PID 1052 wrote to memory of 248	1052	Script GUI.exe	88
PID 1052 wrote to memory of 248	1052	Script GUI.exe	88
PID 1052 wrote to memory of 248	1052	Script GUI.exe	88
PID 1052 wrote to memory of 248	1052	Script GUI.exe	88
PID 2284 wrote to memory of 4856	2284	7zFM.exe	89
PID 2284 wrote to memory of 4856	2284	7zFM.exe	89
PID 2284 wrote to memory of 4856	2284	7zFM.exe	89
PID 4856 wrote to memory of 1528	4856	Script GUI.exe	91
PID 4856 wrote to memory of 1528	4856	Script GUI.exe	91
PID 4856 wrote to memory of 1528	4856	Script GUI.exe	91
PID 4856 wrote to memory of 1528	4856	Script GUI.exe	91
PID 4856 wrote to memory of 1528	4856	Script GUI.exe	91
PID 1452 wrote to memory of 2192	1452	Script GUI.exe	95
PID 1452 wrote to memory of 2192	1452	Script GUI.exe	95
PID 1452 wrote to memory of 2192	1452	Script GUI.exe	95
PID 1452 wrote to memory of 2192	1452	Script GUI.exe	95
PID 1452 wrote to memory of 2192	1452	Script GUI.exe	95
PID 1068 wrote to memory of 1212	1068	Script GUI.exe	98
PID 1068 wrote to memory of 1212	1068	Script GUI.exe	98
PID 1068 wrote to memory of 1212	1068	Script GUI.exe	98
PID 1068 wrote to memory of 1212	1068	Script GUI.exe	98
PID 1068 wrote to memory of 1212	1068	Script GUI.exe	98
PID 4772 wrote to memory of 1964	4772	Script GUI.exe	101
PID 4772 wrote to memory of 1964	4772	Script GUI.exe	101
PID 4772 wrote to memory of 1964	4772	Script GUI.exe	101
PID 4772 wrote to memory of 1964	4772	Script GUI.exe	101
PID 4772 wrote to memory of 1964	4772	Script GUI.exe	101

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\password ( gui2022 ) (1).zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\7zOCE83CAD7\Script GUI.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCE83CAD7\Script GUI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4276
- C:\Users\Admin\AppData\Local\Temp\7zOCE836718\Script GUI.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCE836718\Script GUI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3224
- C:\Users\Admin\AppData\Local\Temp\7zOCE83D428\Script GUI.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCE83D428\Script GUI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:248
- C:\Users\Admin\AppData\Local\Temp\7zOCE873328\Script GUI.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCE873328\Script GUI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528

C:\Users\Admin\Desktop\Script GUI.exe
"C:\Users\Admin\Desktop\Script GUI.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2192

C:\Users\Admin\Desktop\Script GUI.exe
"C:\Users\Admin\Desktop\Script GUI.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1212

C:\Users\Admin\Desktop\Script GUI.exe
"C:\Users\Admin\Desktop\Script GUI.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1964

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
77a8b2c86dd26c214bc11c989789b62d

SHA1
8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499

SHA256
e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8

SHA512
c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCE83CAD7\Script GUI.exe

Filesize
2.3MB

MD5
1370a4a70d3376069a381f475cdd0e8c

SHA1
d1091bf32d5dcb2d1519242299cd541a2ff67678

SHA256
c517f549366368845861e35cb189937186e60c55c921be58a4ec8ae9798e3fa7

SHA512
c5c3fd5f8237a5f83221b3da65717b59cf9ffc82f3417c12643751508bed3d6fe6ec2660dd774ad16162d54749f3b8457facd09ab349c9ea27af1abd8f1e5a2e

Download Submit
memory/888-9-0x00000000004AA000-0x00000000004AB000-memory.dmp

Filesize
4KB

Download
memory/888-16-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1052-52-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1068-86-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1452-78-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2192-73-0x00000000001C0000-0x00000000001C5000-memory.dmp

Filesize
20KB

Download
memory/2192-79-0x00000000001C0000-0x00000000001C5000-memory.dmp

Filesize
20KB

Download
memory/2640-36-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2640-27-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3224-34-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4276-17-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4276-10-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4772-94-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4856-68-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download