Analysis
max time kernel: 134s
max time network: 125s
platform: windows10_x64
resource: win10v20210410
submitted: 13-07-2021 13:01
Static task: static1
Behavioral task: behavioral1
  Sample: 495edc6456f3c1d7dcdf839ec8a1fc70.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 495edc6456f3c1d7dcdf839ec8a1fc70.exe
  Resource: win10v20210410
General
Target: 495edc6456f3c1d7dcdf839ec8a1fc70.exe
Size: 935KB
MD5: 495edc6456f3c1d7dcdf839ec8a1fc70
SHA1: fe30c475e506a76be7ea15c4f529938062718276
SHA256: 3504fe4b0e2d093c366cffa43ceb37026d7a5f8e35498aa7945556c77ecce731
SHA512: b2122cd4b6a1b1f46f8e3b970ccd786ca6a07a554772a7ddebab9d7dc42ea7a12288debdccc3ec5af63fd6d707b3e804e3e13cfd2d4fbe7e2aec11abea4e1b1a
Malware Config
Signatures
- A310logger
  A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty Payload (2 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe | yara_rule: family_stormkitty
    resource: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe | yara_rule: family_stormkitty
- A310logger Executable (2 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe | yara_rule: a310logger
    resource: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe | yara_rule: a310logger
- Executes dropped EXE (2 IoCs)
  Processes:
    pid: 4092 | process: PASSWORDSNET4.exe
    pid: 4068 | process: CREDITCARDNET4.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 3904 set thread context of 2628 | pid: 3904 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe | target process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | process: PASSWORDSNET4.exe
    description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | process: PASSWORDSNET4.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid: 2628 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description: PID 3904 wrote to memory of 2628 | pid: 3904 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe | target process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe
    description: PID 3904 wrote to memory of 2628 | pid: 3904 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe | target process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe
    description: PID 3904 wrote to memory of 2628 | pid: 3904 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe | target process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe
    description: PID 3904 wrote to memory of 2628 | pid: 3904 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe | target process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe
    description: PID 3904 wrote to memory of 2628 | pid: 3904 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe | target process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe
    description: PID 3904 wrote to memory of 2628 | pid: 3904 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe | target process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe
    description: PID 3904 wrote to memory of 2628 | pid: 3904 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe | target process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe
    description: PID 3904 wrote to memory of 2628 | pid: 3904 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe | target process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe
    description: PID 2628 wrote to memory of 4092 | pid: 2628 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe | target process: PASSWORDSNET4.exe
    description: PID 2628 wrote to memory of 4092 | pid: 2628 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe | target process: PASSWORDSNET4.exe
    description: PID 2628 wrote to memory of 4068 | pid: 2628 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe | target process: CREDITCARDNET4.exe
    description: PID 2628 wrote to memory of 4068 | pid: 2628 | process: 495edc6456f3c1d7dcdf839ec8a1fc70.exe | target process: CREDITCARDNET4.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\495edc6456f3c1d7dcdf839ec8a1fc70.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\495edc6456f3c1d7dcdf839ec8a1fc70.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3904
  - C:\Users\Admin\AppData\Local\Temp\495edc6456f3c1d7dcdf839ec8a1fc70.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\495edc6456f3c1d7dcdf839ec8a1fc70.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2628
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
      - Executes dropped EXE
      - Checks processor information in registry
      PID: 4092
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
      - Executes dropped EXE
      PID: 4068
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
MD5: a451ff83e1e0b66af6a3f26ee38bf4ff
SHA1: 5dc4535a7a059c3aaedf925093e9fbe5f27aae80
SHA256: e654a9462d181c047534462ca3f13c1117886dbeded26cc1c0255328fd1046da
SHA512: 3d2722dd84783eb806e671fd611b03ea9851e8d266f182088e7e2a7af467ca2b6fd348461117cc7e547bd225be5f748b2c724ea0c7431a3d15d1291355f92a85
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
MD5: 1e80e2c7dc321a0f48da92fdbdbd44eb
SHA1: 4bcf3e9b2e0332e1428779254aaf0b7a1b07b08e
SHA256: 6dd7c673498c69240586a2344c16dcaefb1229e06fdf2b85b76cd91e5578e291
SHA512: dde95e41feca1ac7fc3c86277a2eaa3ac7d96c0bbb31faaea6c8aae680fc1aff1cfbad849660457fdbf69479b4496906dea5edc9ca307625836f483f82b6ca62
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt
MD5: 968147e5e7121ca034e2978f561456d7
SHA1: 8eaff1f069e721a49ecf4ea3c260c06b8d2cebe5
SHA256: 547e5216c25b541e350a618507e5c5d583d19a5bd9883a1b539de107fe468880
SHA512: b69a57ba2e900e6f1dc5ab608cf0d16c5561002de210b3e0ab83ecbc2ccdab377084b8fd08270c00fb53b98c9e679a11ca8c7995b45c85bc66257eb646fdafa2
- memory/2628-124-0x0000000000400000-0x000000000044A000-memory.dmp | Filesize: 296KB
- memory/2628-134-0x0000000002E00000-0x0000000002E02000-memory.dmp | Filesize: 8KB
- memory/2628-128-0x0000000000400000-0x000000000044A000-memory.dmp | Filesize: 296KB
- memory/2628-125-0x0000000000402D98-mapping.dmp
- memory/3904-120-0x0000000005760000-0x0000000005C5E000-memory.dmp | Filesize: 5.0MB
- memory/3904-123-0x0000000007720000-0x0000000007790000-memory.dmp | Filesize: 448KB
- memory/3904-122-0x0000000007670000-0x000000000771A000-memory.dmp | Filesize: 680KB
- memory/3904-121-0x0000000003050000-0x0000000003060000-memory.dmp | Filesize: 64KB
- memory/3904-114-0x0000000000E90000-0x0000000000E91000-memory.dmp | Filesize: 4KB
- memory/3904-118-0x0000000005790000-0x0000000005791000-memory.dmp | Filesize: 4KB
- memory/3904-119-0x0000000005AC0000-0x0000000005AC1000-memory.dmp | Filesize: 4KB
- memory/3904-117-0x0000000005800000-0x0000000005801000-memory.dmp | Filesize: 4KB
- memory/3904-116-0x0000000005C60000-0x0000000005C61000-memory.dmp | Filesize: 4KB
- memory/4068-135-0x0000000000000000-mapping.dmp
- memory/4068-138-0x00000000000F0000-0x00000000000F1000-memory.dmp | Filesize: 4KB
- memory/4092-129-0x0000000000000000-mapping.dmp
- memory/4092-132-0x0000000000E50000-0x0000000000E51000-memory.dmp | Filesize: 4KB