Overview

overview

10

Static

static

0000990008T.exe

windows7_x64

10

0000990008T.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    20-07-2021 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0000990008T.exe

  • Size

    204KB

  • MD5

    00f5caf530f4b521d37e784cdbdd84fe

  • SHA1

    ba4342ea14cf43c94cfe9ae002dbb56ce575bb2b

  • SHA256

    379362027442526fd4d4be9a6fd95b5cc1e6af9387cd508be24c6d5a6bdcba15

  • SHA512

    d76fe9c38a66892d42fc6a5394020b25c9811cc522ae47da590fd7740c09149c00baec189f9fca776d6d7259585919b4b13b1687db9f3efaaab38d04a18aeb70

Score
10/10
a310loggerstormkittyspywarestealer

Malware Config

Signatures

  • A310logger

    A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarea310logger
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty Payload 2 IoCs
  • A310logger Executable 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0000990008T.exe
    "C:\Users\Admin\AppData\Local\Temp\0000990008T.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Local\Temp\0000990008T.exe
      "C:\Users\Admin\AppData\Local\Temp\0000990008T.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
        3⤵
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:1368
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1608

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/844-66-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1368-67-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1368-70-0x0000000002020000-0x0000000002021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1608-75-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1920-60-0x0000000076691000-0x0000000076693000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1920-65-0x0000000000260000-0x0000000000262000-memory.dmp

    Filesize

    8KB

    Download