Analysis
- max time kernel: 151s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 14-04-2021 06:42
Static task: static1
Behavioral task: behavioral1
- Sample: 00909000870.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 00909000870.exe
- Resource: win10v20210408
General
- Target: 00909000870.exe
- Size: 1.1MB
- MD5: b6d292139cbd769bfa7c005cbc3a8202
- SHA1: f12d48f3aa3a1910795a12fbc57b32d24145af73
- SHA256: 6e3816fe96ae72f3c7695e1a64225ed36ff8a7e61f0fb192447cb14d5736dcea
- SHA512: 3cde67951d45796bf76c7724db52cc2bf64d40cf55e5bb751c98a0028ea309549f0344f1c0e1adf32c384441a02507cbfbaf0476761bebc37f5816079472dc6a
Malware Config
Signatures
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty Payload (2 IoCs)
  Resource / yara_rule:
  - behavioral2/memory/3164-120-0x0000000000400000-0x00000000004B2000-memory.dmp: family_stormkitty
  - behavioral2/memory/3164-121-0x00000000004A734E-mapping.dmp: family_stormkitty
  Both hits are in PID 3164, which the SetThreadContext table below identifies as AppLaunch.exe: the stealer runs inside the injected .NET host, not in the original sample's own process.
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 568 00909000870.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Suspicious use of SetThreadContext (4 IoCs)
  Processes (description / pid / process / target process):
  - PID 568 set thread context of 3208: 00909000870.exe -> 00909000870.exe
  - PID 3208 set thread context of 3164: 00909000870.exe -> AppLaunch.exe
  - PID 3208 set thread context of 2956: 00909000870.exe -> InstallUtil.exe
  - PID 3208 set thread context of 3032: 00909000870.exe -> InstallUtil.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: the second sentence is the sandbox's generic description for this signature. Nothing else in this report points to ransomware (no file encryption, no ransom note, and the payload is classified as StormKitty above); drive enumeration by an infostealer is consistent with searching for files to collect, so treat "likely ransomware" as a false lead for this sample.
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
  - 3968 -> 3164: WerFault.exe -> AppLaunch.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid / process):
  - 3968 WerFault.exe (14 identical rows)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process):
  - 3208 00909000870.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
  - 568 00909000870.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
  - Token: SeRestorePrivilege 3968 WerFault.exe
  - Token: SeBackupPrivilege 3968 WerFault.exe
  - Token: SeDebugPrivilege 3968 WerFault.exe
  - Token: SeDebugPrivilege 3032 InstallUtil.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  - 3208 00909000870.exe (2 identical rows)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid / process):
  - 3208 00909000870.exe (2 identical rows)
  - 3032 InstallUtil.exe (2 identical rows)
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (description / pid / process / target process; identical rows grouped with counts):
  - PID 568 wrote to memory of 3208: 00909000870.exe -> 00909000870.exe (4 rows)
  - PID 3208 wrote to memory of 3164: 00909000870.exe -> AppLaunch.exe (8 rows)
  - PID 3208 wrote to memory of 2956: 00909000870.exe -> InstallUtil.exe (8 rows)
  - PID 3208 wrote to memory of 3032: 00909000870.exe -> InstallUtil.exe (8 rows)
  - PID 3208 wrote to memory of 4000: 00909000870.exe -> WinMail.exe (3 rows)
  - PID 4000 wrote to memory of 3856: WinMail.exe -> WinMail.exe (2 rows)
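As an added example (not part of this report or of the sandbox's tooling), the script below parses the SetThreadContext, WriteProcessMemory and StormKitty Payload rows above, pairs memory writes with thread-context changes to find the hollowing targets, walks the chain back to the original process, and ties each YARA hit to the process whose memory it was found in. The event strings are constructed from this report's rows; the regexes, the NET_HOSTS list and the output format are this example's own assumptions.

```python
"""Reconstruct the injection chain recorded in the signature tables above.

Added example, not part of this report or of the sandbox's own tooling.
The event strings below are constructed from this report's
SetThreadContext, WriteProcessMemory and StormKitty Payload rows; the
parsing, the .NET host list and the output format are assumptions of
this example, not something the sandbox provides.
"""
import re
from collections import Counter

# Constructed sample input: the rows of the report's signature tables.
SET_THREAD_CONTEXT = [
    "PID 568 set thread context of 3208 568 00909000870.exe 00909000870.exe",
    "PID 3208 set thread context of 3164 3208 00909000870.exe AppLaunch.exe",
    "PID 3208 set thread context of 2956 3208 00909000870.exe InstallUtil.exe",
    "PID 3208 set thread context of 3032 3208 00909000870.exe InstallUtil.exe",
]
WRITE_PROCESS_MEMORY = (
    ["PID 568 wrote to memory of 3208 568 00909000870.exe 00909000870.exe"] * 4
    + ["PID 3208 wrote to memory of 3164 3208 00909000870.exe AppLaunch.exe"] * 8
    + ["PID 3208 wrote to memory of 2956 3208 00909000870.exe InstallUtil.exe"] * 8
    + ["PID 3208 wrote to memory of 3032 3208 00909000870.exe InstallUtil.exe"] * 8
    + ["PID 3208 wrote to memory of 4000 3208 00909000870.exe WinMail.exe"] * 3
    + ["PID 4000 wrote to memory of 3856 4000 WinMail.exe WinMail.exe"] * 2
)
YARA_HITS = [
    "behavioral2/memory/3164-120-0x0000000000400000-0x00000000004B2000-memory.dmp family_stormkitty",
    "behavioral2/memory/3164-121-0x00000000004A734E-mapping.dmp family_stormkitty",
]

# Signed Microsoft .NET helpers commonly hollowed by .NET loaders (assumed list).
NET_HOSTS = {"AppLaunch.exe", "InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"}

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)(?:-0x(?P<end>[0-9A-Fa-f]+))?"
    r"-(?P<kind>memory|mapping)\.dmp (?P<rule>\S+)"
)


def parse_events(lines):
    """Yield (src_pid, dst_pid, src_image, dst_image) for each table row."""
    for line in lines:
        m = EVENT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised event row: {line!r}")
        yield int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]


def hollowing_candidates(stc_lines, wpm_lines):
    """Targets that got both WriteProcessMemory and SetThreadContext from the
    same source: the write-payload-then-redirect-thread pair that process
    hollowing and thread hijacking both leave behind. Writes without a
    matching SetThreadContext (here 3208 -> WinMail.exe) are not listed."""
    writes = Counter((s, d) for s, d, _, _ in parse_events(wpm_lines))
    out = []
    for src, dst, src_img, dst_img in parse_events(stc_lines):
        if writes[(src, dst)]:
            out.append({"src": src, "dst": dst, "src_image": src_img,
                        "dst_image": dst_img, "writes": writes[(src, dst)],
                        "net_host": dst_img in NET_HOSTS})
    return out


def injection_chain(stc_lines, leaf):
    """Follow SetThreadContext edges from `leaf` back to the original injector."""
    parent = {d: s for s, d, _, _ in parse_events(stc_lines)}
    chain = [leaf]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def payload_processes(yara_lines):
    """Map YARA family hits to the PID they were found in. Full region dumps
    carry a start and end address, so their size is computed; mapping dumps
    name a single address and get size None."""
    hits = {}
    for line in yara_lines:
        m = DUMP_RE.search(line)
        if m is None:
            raise ValueError(f"unrecognised dump name: {line!r}")
        size = int(m["end"], 16) - int(m["start"], 16) if m["end"] else None
        hits.setdefault(int(m["pid"]), []).append((m["rule"], m["kind"], size))
    return hits


if __name__ == "__main__":
    for c in hollowing_candidates(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY):
        tag = "  [.NET host hollowed]" if c["net_host"] else ""
        print(f"{c['src']} {c['src_image']} -> {c['dst']} {c['dst_image']}: "
              f"{c['writes']} writes + SetThreadContext{tag}")
    for pid, hits in payload_processes(YARA_HITS).items():
        chain = " -> ".join(map(str, injection_chain(SET_THREAD_CONTEXT, pid)))
        for rule, kind, size in hits:
            where = f"{size // 1024}KB region" if size else "single-address mapping"
            print(f"{rule} in PID {pid} ({where}); injection chain {chain}")
```

Run stand-alone it lists the four write-plus-context pairs (three of them into signed .NET hosts), and reports that the StormKitty hit sits in the 712KB region of PID 3164 at the end of the chain 568 -> 3208 -> 3164, which matches the 712KB dump size listed for memory/3164-120 further down. The WinMail.exe writes are deliberately excluded because no SetThreadContext accompanies them.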
Processes (PIDs taken from the signature tables above; indentation shows the parent/child depth the report numbered 1 to 4)
- C:\Users\Admin\AppData\Local\Temp\00909000870.exe (PID 568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\00909000870.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\00909000870.exe (PID 3208)
    Command line: "C:\Users\Admin\AppData\Local\Temp\00909000870.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3164)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - C:\Windows\SysWOW64\WerFault.exe (PID 3968)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 932
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 2956)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 3032)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\Windows Mail\WinMail.exe (PID 4000)
      Command line: "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Windows Mail\WinMail.exe (PID 3856)
        Command line: "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
This list covers files written to disk during the run, not only files fetched from the network. BrowsersFiles.zip, BrowsersFiles\MozillaCookies.txt and credentials.txt in the user profile are the stealer's staged output and are usable as host-side IoCs by path and name (their hashes depend on the victim's data); the DLL under nsk6D95.tmp is most likely the one counted by "Loads dropped DLL" above; InstallUtil.exe.log under CLR_v4.0_32\UsageLogs is the usage log the .NET runtime writes when managed code runs in that process, which fits the injection into InstallUtil.exe recorded above.
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
  MD5: 957779c42144282d8cd83192b8fbc7cf
  SHA1: de83d08d2cca06b9ff3d1ef239d6b60b705d25fe
  SHA256: 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51
  SHA512: f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd
- C:\Users\Admin\BrowsersFiles.zip
  MD5: 36cd3e0fcda0f27b0f46ca7fe7bc63d3
  SHA1: e076dcec1c5f9eed401f4c380a783eb1c4de047f
  SHA256: 8f46c060e2fabd4516507a90c6ec4911a3b05ff1cd20e1ca5ce84144078d6a5b
  SHA512: 6137a0de3315245729c093d78da90e7c599f84b4176870403cf46373b6f7c7a44a95bc4ef4b850be9de16e7fe3156b1d3e3f7eb3e0cb09e9a0ab81fe6955b120
- C:\Users\Admin\BrowsersFiles\MozillaCookies.txt
  MD5: c0eba57ce108eb752f9d91b8e3529c9c
  SHA1: ed333454d80787cb146a5c50bfc96fbe0ef881c2
  SHA256: 7afc1e9f51dd43ef4205cb543ebb57bbe6eba7ea23228a7973f397da556ace4b
  SHA512: b3345a6f9a92d1e04cb4289cecea29e55a4ea4e4843d2218ceac852769fd47cf5d347483792f6ec6495d858cb688aabd74ed7cdd52a81c9b486380edc04216d0
- C:\Users\Admin\credentials.txt
  MD5: 41e57e735c82db717113096f67be9781
  SHA1: a3a692b3020acd1ad6906cf3c2c9b111e66322f6
  SHA256: 881f99f69fbcbe3439645fe12f6a899bbc22fc702e95d5957631943ffbc08bb2
  SHA512: 74065c29d1f17bb513fb9acfba1f41b60879769430ec323d8022060245549bfa99d28a5c5e33d947eca55c7a66796878d4b2e86baf2efd8c745a67995df1884a
- \Users\Admin\AppData\Local\Temp\nsk6D95.tmp\b7lqb2393a.dll
  MD5: 93fbd7c82ab517898fb113578a37530a
  SHA1: 966c0aedf19881ac23eb4b1058584e51366fb542
  SHA256: 57d4bac2f5f89cf338ee2d7b4cf7781aa55a9497fccaba58b86682bf9f884ec1
  SHA512: 3ca35c59b214f9a3fbd00d497113b94049e738352b499323564eb31712ad7cb2af4ae5fc8344d5c90ee21c862b779eaeeceaa618aee3bfe78b3f8f2f86839023
- memory/568-116-0x0000000002600000-0x0000000002601000-memory.dmp
  Filesize: 4KB
- memory/568-117-0x0000000002601000-0x0000000002605000-memory.dmp
  Filesize: 16KB
- memory/2956-124-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB
- memory/2956-125-0x0000000000404212-mapping.dmp
- memory/3032-191-0x0000000004C61000-0x0000000004C62000-memory.dmp
  Filesize: 4KB
- memory/3032-190-0x0000000004C60000-0x0000000004C61000-memory.dmp
  Filesize: 4KB
- memory/3032-187-0x0000000000404212-mapping.dmp
- memory/3032-192-0x0000000004C62000-0x0000000004C63000-memory.dmp
  Filesize: 4KB
- memory/3164-121-0x00000000004A734E-mapping.dmp
- memory/3164-186-0x0000000009610000-0x0000000009676000-memory.dmp
  Filesize: 408KB
- memory/3164-133-0x0000000009790000-0x0000000009791000-memory.dmp
  Filesize: 4KB
- memory/3164-132-0x0000000009680000-0x0000000009681000-memory.dmp
  Filesize: 4KB
- memory/3164-120-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/3208-127-0x0000000000400000-0x00000000004CF000-memory.dmp
  Filesize: 828KB
- memory/3208-115-0x00000000004025C4-mapping.dmp
- memory/3856-195-0x0000000000000000-mapping.dmp
- memory/4000-194-0x0000000000000000-mapping.dmp