Analysis

  • max time kernel: 152s
  • max time network: 92s
  • platform: windows7_x64
  • resource: win7v20210408
  • submitted: 20-07-2021 09:03

General

  • Target: 0000990008T.exe
  • Size: 204KB
  • MD5: 00f5caf530f4b521d37e784cdbdd84fe
  • SHA1: ba4342ea14cf43c94cfe9ae002dbb56ce575bb2b
  • SHA256: 379362027442526fd4d4be9a6fd95b5cc1e6af9387cd508be24c6d5a6bdcba15
  • SHA512: d76fe9c38a66892d42fc6a5394020b25c9811cc522ae47da590fd7740c09149c00baec189f9fca776d6d7259585919b4b13b1687db9f3efaaab38d04a18aeb70

Malware Config

Signatures

  • A310logger

    A310 Logger is a .NET stealer/logger that targets passwords stored by browsers and email clients.

  • StormKitty

    StormKitty is an open-source information stealer written in C#.

  • StormKitty Payload (2 IoCs)
  • A310logger Executable (5 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Reads local data of messenger clients (2 TTPs)

    Infostealers often target the stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and history.

  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service (here icanhazip.com, queried from InstallUtil.exe) to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service (here api.mylnikov.org) to find the infected system's geolocation. The request in this run carries bssid=Failed, so the sample could not read a Wi-Fi BSSID in the sandbox and the lookup returned nothing useful.

  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; everything else in this report points to a stealer, for which drive enumeration is usually part of file collection.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandbox environments.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0000990008T.exe
    "C:\Users\Admin\AppData\Local\Temp\0000990008T.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Local\Temp\0000990008T.exe
      "C:\Users\Admin\AppData\Local\Temp\0000990008T.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
        3⤵
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:1368
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1608

Network

  • DNS icanhazip.com (InstallUtil.exe)
    Remote address: 8.8.8.8:53
    Request: icanhazip.com IN A
    Response: icanhazip.com IN A 104.18.7.156
              icanhazip.com IN A 104.18.6.156
  • GET http://icanhazip.com/ (InstallUtil.exe)
    Remote address: 104.18.7.156:80
    Request
    GET / HTTP/1.1
    Host: icanhazip.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 20 Jul 2021 09:03:42 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=59616a7e6f185a33b2a7fea0a797f3d301487540-1626771822-1800-AVoUMqZJJLhTOjpSOcC6cYbjO6QP+Abwk7LI0PqcNtW7H3yJjzDDefEO5MHbEZ1uhvjEeUTjsMvkQp3St1oidCA=; path=/; expires=Tue, 20-Jul-21 09:33:42 GMT; domain=.icanhazip.com; HttpOnly
    Server: cloudflare
    CF-RAY: 671b0492bcd6fa9c-AMS
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
  • DNS api.mylnikov.org (InstallUtil.exe)
    Remote address: 8.8.8.8:53
    Request: api.mylnikov.org IN A
    Response: api.mylnikov.org IN A 172.67.160.130
              api.mylnikov.org IN A 104.21.9.139
  • GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=Failed (InstallUtil.exe)
    Remote address: 172.67.160.130:443
    Request
    GET /geolocation/wifi?v=1.1&bssid=Failed HTTP/1.1
    Host: api.mylnikov.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 20 Jul 2021 09:03:43 GMT
    Content-Type: application/json; charset=utf8
    Content-Length: 93
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: max-age=2678400
    CF-Cache-Status: HIT
    Age: 75682
    Accept-Ranges: bytes
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aYKEkOA3LSFzKLX2Nlpg4nT1klYlDy6MGgfXG7rnFHlom1r7nVdiFQVr9%2BZsrKUAasgH5Oq18Pl5buzLa%2BfDGW08nVW%2BAxm1uL%2FK%2FjicXdBvKFNj5cpPeoCszHmY2hWo6%2BlX"}],"group":"cf-nel","max_age":604800}
    NEL: {"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=0; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 671b049859cd0b63-AMS
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
  • 104.18.7.156:80
    URL: http://icanhazip.com/
    Protocol: http
    Process: InstallUtil.exe
    Sent: 299 B (5 packets)
    Received: 1.4kB (4 packets)
    HTTP Request: GET http://icanhazip.com/
    HTTP Response: 200
  • 172.67.160.130:443
    URL: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=Failed
    Protocol: tls, http
    Process: InstallUtil.exe
    Sent: 955 B (10 packets)
    Received: 5.1kB (9 packets)
    HTTP Request: GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=Failed
    HTTP Response: 200
  • 8.8.8.8:53
    Domain: icanhazip.com
    Protocol: dns
    Process: InstallUtil.exe
    Sent: 59 B (1 packet)
    Received: 91 B (1 packet)
    DNS Request: icanhazip.com
    DNS Response: 104.18.7.156, 104.18.6.156
  • 8.8.8.8:53
    Domain: api.mylnikov.org
    Protocol: dns
    Process: InstallUtil.exe
    Sent: 62 B (1 packet)
    Received: 94 B (1 packet)
    DNS Request: api.mylnikov.org
    DNS Response: 172.67.160.130, 104.21.9.139

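The process tree and network section together give a detection pattern worth keeping: the sample re-launches itself (SetThreadContext/WriteProcessMemory between PIDs 1920 and 844), the second copy starts InstallUtil.exe with no assembly argument, that InstallUtil.exe process is the one resolving and contacting icanhazip.com and api.mylnikov.org, and it then executes a dropped EXE from AppData. The script below is an added example, not part of the sandbox report or of either stealer's code. It runs four rules over constructed Sysmon-style events (event 1 = process create, 3 = network connect, 22 = DNS query) modelled on the tree above; the field names are simplified, the parent PIDs 1000/1500 and the two benign control events (a real InstallUtil run with an assembly path, and a Firefox DNS lookup) are assumptions added to show the rules stay quiet on normal activity.

```python
"""Detections for the execution chain and egress recorded in this report.

Events are constructed for this example (Sysmon-style: id 1 = process create,
3 = network connect, 22 = DNS query), modelled on the report's process tree and
network section. They are not a sandbox export.
"""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0000990008T.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"  # assumption: benign control only

# Domains the report shows the stealer using for external-IP and geolocation lookups.
IP_GEO_LOOKUP_DOMAINS = {"icanhazip.com", "api.mylnikov.org"}

EVENTS = [
    {"id": 1, "pid": 1920, "ppid": 1000, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"id": 1, "pid": 844, "ppid": 1920, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"id": 1, "pid": 1368, "ppid": 844, "image": INSTALLUTIL, "cmd": f'"{INSTALLUTIL}"'},
    {"id": 1, "pid": 1608, "ppid": 1368, "image": DROPPED, "cmd": f'"{DROPPED}"'},
    {"id": 22, "pid": 1368, "image": INSTALLUTIL, "query": "icanhazip.com"},
    {"id": 3, "pid": 1368, "image": INSTALLUTIL, "dst_ip": "104.18.7.156", "dst_port": 80},
    {"id": 22, "pid": 1368, "image": INSTALLUTIL, "query": "api.mylnikov.org"},
    {"id": 3, "pid": 1368, "image": INSTALLUTIL, "dst_ip": "172.67.160.130", "dst_port": 443},
    # Benign controls (constructed): a legitimate installer run and a browser lookup.
    {"id": 1, "pid": 2000, "ppid": 1500, "image": INSTALLUTIL, "cmd": f'"{INSTALLUTIL}" C:\\build\\svc.exe'},
    {"id": 22, "pid": 2100, "image": FIREFOX, "query": "icanhazip.com"},
]


def basename(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_arguments(cmd: str, image: str) -> bool:
    """True if the command line carries anything beyond the image path itself.
    InstallUtil.exe without an assembly path is not a meaningful invocation."""
    rest = cmd.strip()
    for prefix in (f'"{image}"', image):
        if rest.lower().startswith(prefix.lower()):
            rest = rest[len(prefix):]
            break
    return rest.strip() != ""


def detect(events):
    """Return (rule, pid, detail) findings for the event list."""
    findings = []
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    for e in events:
        name = basename(e["image"])
        if e["id"] == 1:
            parent = procs.get(e["ppid"])
            # Rule 1: child has the same image as its parent (self-injection stage).
            if parent and parent["image"].lower() == e["image"].lower():
                findings.append(("self_spawn", e["pid"], e["image"]))
            # Rule 2: InstallUtil.exe started with no assembly to install.
            if name == "installutil.exe" and not has_arguments(e["cmd"], e["image"]):
                findings.append(("installutil_no_args", e["pid"], e["cmd"]))
            # Rule 3: InstallUtil.exe launching an executable from the user's AppData.
            if parent and basename(parent["image"]) == "installutil.exe" \
                    and "\\appdata\\" in e["image"].lower():
                findings.append(("installutil_spawns_appdata_exe", e["pid"], e["image"]))
        elif e["id"] in (3, 22):
            # Rule 4: InstallUtil.exe has no business talking to the network at all.
            if name == "installutil.exe":
                dst = e.get("query") or f'{e["dst_ip"]}:{e["dst_port"]}'
                findings.append(("installutil_network", e["pid"], dst))
            # Low-severity on its own; it escalates when combined with rule 4.
            if e["id"] == 22 and e["query"].lower() in IP_GEO_LOOKUP_DOMAINS:
                findings.append(("ip_geo_lookup", e["pid"], e["query"]))
    return findings


def rules_by_pid(findings):
    """Group fired rule names per PID so one process can be scored as a whole."""
    grouped = defaultdict(set)
    for rule, pid, _ in findings:
        grouped[pid].add(rule)
    return grouped


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Rules 2 and 4 fire only on PID 1368 and together describe the hollowed InstallUtil.exe; rule 1 alone (PID 844) and the IP-lookup rule alone (the Firefox control) are deliberately low signal, which is why the grouping by PID matters more than any single hit.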
MITRE ATT&CK Enterprise v6

Downloads

  • memory/844-66-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
  • memory/1368-67-0x0000000000400000-0x0000000000418000-memory.dmp (96KB)
  • memory/1368-70-0x0000000002020000-0x0000000002021000-memory.dmp (4KB)
  • memory/1608-75-0x0000000000AD0000-0x0000000000AD2000-memory.dmp (8KB)
  • memory/1920-60-0x0000000076691000-0x0000000076693000-memory.dmp (8KB)
  • memory/1920-65-0x0000000000260000-0x0000000000262000-memory.dmp (8KB)
