Analysis
-
max time kernel
150s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
25-05-2021 07:41
Static task
static1
Behavioral task
behavioral1
Sample
TT09099.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
TT09099.exe
Resource
win10v20210410
General
-
Target
TT09099.exe
-
Size
252KB
-
MD5
3b376a64c278d40ce6e50a4fdc9b2022
-
SHA1
0592e33cdedf18068de9d8350a2181ef711a0ba3
-
SHA256
51d10bac8aff735f5f365f2ca016a039f9b2c8cabb4e42dca90ab06c13180746
-
SHA512
0bbfd6cc70ec6cfc4218e5d853171578bcf0e36b7b08ba7598b5d52346437dd0c95df09f077099da4fac859f2986dc6caea6242dfaf44acfc6bd87537e0129d0
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/3688-119-0x0000000000400000-0x0000000000418000-memory.dmp family_stormkitty behavioral2/memory/3688-120-0x0000000000412452-mapping.dmp family_stormkitty behavioral2/memory/1036-129-0x0000000000412452-mapping.dmp family_stormkitty behavioral2/memory/1020-138-0x0000000000412452-mapping.dmp family_stormkitty -
A310logger Executable 10 IoCs
Processes:
resource yara_rule behavioral2/memory/3688-119-0x0000000000400000-0x0000000000418000-memory.dmp a310logger behavioral2/memory/3688-120-0x0000000000412452-mapping.dmp a310logger C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe a310logger C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe a310logger behavioral2/memory/1036-129-0x0000000000412452-mapping.dmp a310logger C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe a310logger C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe a310logger behavioral2/memory/1020-138-0x0000000000412452-mapping.dmp a310logger C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe a310logger C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe a310logger -
Executes dropped EXE 3 IoCs
Processes:
MZ.exeMZ.exeMZ.exepid process 3924 MZ.exe 2736 MZ.exe 2892 MZ.exe -
Loads dropped DLL 2 IoCs
Processes:
TT09099.exepid process 3892 TT09099.exe 3892 TT09099.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
TT09099.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\bxsx = "C:\\Users\\Admin\\AppData\\Roaming\\eyikq\\dynqv.exe" TT09099.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 10 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
TT09099.exeTT09099.exedescription pid process target process PID 3892 set thread context of 2504 3892 TT09099.exe TT09099.exe PID 2504 set thread context of 3688 2504 TT09099.exe InstallUtil.exe PID 2504 set thread context of 1036 2504 TT09099.exe InstallUtil.exe PID 2504 set thread context of 1020 2504 TT09099.exe InstallUtil.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
InstallUtil.exeInstallUtil.exeInstallUtil.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier InstallUtil.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 InstallUtil.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier InstallUtil.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 InstallUtil.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier InstallUtil.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 InstallUtil.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
MZ.exeMZ.exeMZ.exepid process 3924 MZ.exe 3924 MZ.exe 2736 MZ.exe 2736 MZ.exe 2892 MZ.exe 2892 MZ.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
TT09099.exepid process 2504 TT09099.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
TT09099.exepid process 3892 TT09099.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
InstallUtil.exeMZ.exeInstallUtil.exeMZ.exeInstallUtil.exeMZ.exedescription pid process Token: SeDebugPrivilege 3688 InstallUtil.exe Token: SeDebugPrivilege 3924 MZ.exe Token: SeDebugPrivilege 1036 InstallUtil.exe Token: SeDebugPrivilege 2736 MZ.exe Token: SeDebugPrivilege 1020 InstallUtil.exe Token: SeDebugPrivilege 2892 MZ.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
TT09099.exepid process 2504 TT09099.exe 2504 TT09099.exe -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
TT09099.exeTT09099.exeInstallUtil.exeInstallUtil.exeInstallUtil.exedescription pid process target process PID 3892 wrote to memory of 2504 3892 TT09099.exe TT09099.exe PID 3892 wrote to memory of 2504 3892 TT09099.exe TT09099.exe PID 3892 wrote to memory of 2504 3892 TT09099.exe TT09099.exe PID 3892 wrote to memory of 2504 3892 TT09099.exe TT09099.exe PID 2504 wrote to memory of 3688 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 3688 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 3688 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 3688 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 3688 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 3688 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 3688 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 3688 2504 TT09099.exe InstallUtil.exe PID 3688 wrote to memory of 3924 3688 InstallUtil.exe MZ.exe PID 3688 wrote to memory of 3924 3688 InstallUtil.exe MZ.exe PID 2504 wrote to memory of 1036 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1036 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1036 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1036 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1036 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1036 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1036 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1036 2504 TT09099.exe InstallUtil.exe PID 1036 wrote to memory of 2736 1036 InstallUtil.exe MZ.exe PID 1036 wrote to memory of 2736 1036 InstallUtil.exe MZ.exe PID 2504 wrote to memory of 1020 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1020 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1020 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1020 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1020 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1020 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1020 2504 TT09099.exe InstallUtil.exe PID 2504 wrote to memory of 1020 2504 TT09099.exe InstallUtil.exe PID 1020 wrote to memory of 2892 1020 InstallUtil.exe MZ.exe PID 1020 wrote to memory of 2892 1020 InstallUtil.exe MZ.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\TT09099.exe"C:\Users\Admin\AppData\Local\Temp\TT09099.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Users\Admin\AppData\Local\Temp\TT09099.exe"C:\Users\Admin\AppData\Local\Temp\TT09099.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3924
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
0d96352b982082afe2903d10c1b819a2
SHA137067f1193b4a3deaf27f35a09ddba8e2adee680
SHA256825a471d43d2b81bed778b2bd7a3bf1a2b22a81c3b0de3c68bc2aa9c5bebcec2
SHA512e55862d182b1f1bc1b296cb213e2c576f545120678e2be930dbcf764069ecb9eb3737cfa010c0a4861a5a20605bfae42a49b955d80006c52bd1486b7134bc2af
-
MD5
a62535934fa7300b21d015be8236a2e5
SHA1d94f020f9f0f299c46c0ce9b141a3b9da0f32814
SHA2563efaf87f4602570f0be76f4bd246425060a2731f83aec474d7f354f8e6f62c70
SHA51269761425416d2de37dc8934232160e2b8912b433cf8cbfc5505bc00d0c227624808c6414297addb91c966ff27045e9c4679af916efb563576c6fa23fdff1c5a5
-
MD5
1bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
MD5
1bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
MD5
1bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
MD5
1bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
MD5
1bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
MD5
1bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
MD5
c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
MD5
c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f