Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
20-07-2021 08:49
General
-
Target
0000990008T.exe
-
Size
204KB
-
MD5
00f5caf530f4b521d37e784cdbdd84fe
-
SHA1
ba4342ea14cf43c94cfe9ae002dbb56ce575bb2b
-
SHA256
379362027442526fd4d4be9a6fd95b5cc1e6af9387cd508be24c6d5a6bdcba15
-
SHA512
d76fe9c38a66892d42fc6a5394020b25c9811cc522ae47da590fd7740c09149c00baec189f9fca776d6d7259585919b4b13b1687db9f3efaaab38d04a18aeb70
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty Payload 2 IoCs
-
A310logger Executable 5 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0000990008T.exe"C:\Users\Admin\AppData\Local\Temp\0000990008T.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0000990008T.exe"C:\Users\Admin\AppData\Local\Temp\0000990008T.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
192KB
-
Filesize
8KB
-
Filesize
96KB
-
Filesize
4KB