Analysis Overview
SHA256
8b402bb02ec8211eb98b09beb60ea62db552c98ecc5919337dbace8af8bc0f57
Threat Level: Known bad
The file 8b402bb02ec8211eb98b09beb60ea62db552c98ecc5919337dbace8af8bc0f57 was found to be: Known bad.
Malicious Activity Summary
Stealerium
Stealerium family
Suspicious use of NtCreateUserProcessOtherParentProcess
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-21 10:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-21 10:54
Reported
2025-03-21 10:56
Platform
win7-20240729-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3064 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | C:\Windows\system32\WerFault.exe |
| PID 3064 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | C:\Windows\system32\WerFault.exe |
| PID 3064 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe
"C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3064 -s 608
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-21 10:54
Reported
2025-03-21 10:56
Platform
win10v2004-20250314-en
Max time kernel
115s
Max time network
133s
Command Line
Signatures
Stealerium
Stealerium family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1464 created 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1464 set thread context of 5100 | N/A | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe
"C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe"
C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe
"C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e69929f7-13ce-4e62-8ad0-831b468ace24.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\taskkill.exe
taskkill /F /PID 5100
C:\Windows\system32\timeout.exe
timeout /T 2 /NOBREAK
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\e69929f7-13ce-4e62-8ad0-831b468ace24.bat
| MD5 | 28e669b5b9a864bc2040223e9dccb74b |
| SHA1 | 546b5939be3e06edb023cb384ea96e7bcafbe90c |
| SHA256 | 75b3224955d8eef1fb1c1b6fbfd7f3b8345933e92a10444614d0953dfdd5b330 |
| SHA512 | a2360dd4c459a73900987f5f37c72203ff651a10307bdaff5bf652cc8718b450a46ee4b2e135135b525683aae28e20ed3650681bdcf7868bdd9c504d85239653 |