Analysis
- max time kernel: 149s
- max time network: 100s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 25-10-2021 14:47

Static task: static1
Behavioral task: behavioral1
- Sample: stub.bin.exe
- Resource: win7-en-20210920
General
- Target: stub.bin.exe
- Size: 561KB
- MD5: 68260e77a8d3f9f51e06d351f9ec4a9a
- SHA1: 11dad0b9986ed9f8da5b8021bf1fdcef7aeba159
- SHA256: fddde87baeb78e0cbd56e87bf6e27052c13a42b5c808331b39157a605851164e
- SHA512: 7801cfdf9786d14c5386c900e42b8228c8242be13e5f6d3e8fd8b4c93f6796faec7caf0f93077ecc5933e912113ea6dfb735160b0289e34073a7f0a337ff66f1
Malware Config
Signatures
StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty Payload (5 IoCs)
Processes:
  resource                                       yara_rule
  \Users\Admin\AppData\Local\Temp\stub.bin.exe   family_stormkitty   (matched 5 times)
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Loads dropped DLL (7 IoCs)
Processes:
  pid   process
  572   stub.bin.exe   (2 events)
  752   WerFault.exe   (5 events)
Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly target stored browser data, which can include saved credentials and other profile contents.
Drops desktop.ini file(s) (5 IoCs)
Processes:
  description                   ioc                                                                                                                                     process
  File created                  C:\Users\Admin\AppData\Local\5ad9a1338abe030f1491e7e2daf0ae64\Admin@JZCKHXIN_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini   stub.bin.exe
  File opened for modification  C:\Users\Admin\AppData\Local\5ad9a1338abe030f1491e7e2daf0ae64\Admin@JZCKHXIN_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini   stub.bin.exe
  File created                  C:\Users\Admin\AppData\Local\5ad9a1338abe030f1491e7e2daf0ae64\Admin@JZCKHXIN_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini   stub.bin.exe
  File created                  C:\Users\Admin\AppData\Local\5ad9a1338abe030f1491e7e2daf0ae64\Admin@JZCKHXIN_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini     stub.bin.exe
  File created                  C:\Users\Admin\AppData\Local\5ad9a1338abe030f1491e7e2daf0ae64\Admin@JZCKHXIN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini    stub.bin.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow   ioc
  6      icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Program crash (1 IoC)
Processes:
  pid   pid_target   process        target process
  752   572          WerFault.exe   stub.bin.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                          process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier   stub.bin.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0              stub.bin.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid   process
  572   stub.bin.exe   (3 events)
  752   WerFault.exe   (5 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  752   WerFault.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   572   stub.bin.exe
  Token: SeDebugPrivilege   752   WerFault.exe

Suspicious use of WriteProcessMemory (32 IoCs; each parent/child pair was logged 4 times)
Processes:
  description                        pid    target pid   process        target process
  PID 572 wrote to memory of 1912    572    1912         stub.bin.exe   cmd.exe
  PID 1912 wrote to memory of 680    1912   680          cmd.exe        chcp.com
  PID 1912 wrote to memory of 1916   1912   1916         cmd.exe        netsh.exe
  PID 1912 wrote to memory of 1736   1912   1736         cmd.exe        findstr.exe
  PID 572 wrote to memory of 1992    572    1992         stub.bin.exe   cmd.exe
  PID 1992 wrote to memory of 1604   1992   1604         cmd.exe        chcp.com
  PID 1992 wrote to memory of 1600   1992   1600         cmd.exe        netsh.exe
  PID 572 wrote to memory of 752     572    752          stub.bin.exe   WerFault.exe
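The two suricata alerts under Signatures (a POST to gate.php with no Accept header, and one with no Referer) and the icanhazip.com lookup can be reproduced as a small request classifier. The block below is an added example, not code from this report or from the Emerging Threats ruleset: it approximates the published rule names rather than the rule bodies, and the three HTTP requests it scans are constructed here (the hostname example.invalid and the URI paths are assumptions chosen to resemble the reported flows; only icanhazip.com appears in the report).

```python
"""Re-implement the two Suricata alerts from the report (POST to gate.php with
no Accept header / no Referer header) and the external-IP lookup check as a
plain-Python request classifier.  Added example: it approximates the ET rule
names, not the vendor's rule bodies, and the sample requests are constructed.
"""
from __future__ import annotations

# Host from the report's "Looks up external IP address via web service" IoC.
IP_LOOKUP_HOSTS = {"icanhazip.com"}

ALERT_NO_ACCEPT = "ET MALWARE Trojan Generic - POST To gate.php with no accept headers"
ALERT_NO_REFERER = "ET MALWARE Trojan Generic - POST To gate.php with no referer"
ALERT_IP_LOOKUP = "Looks up external IP address via web service"


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, lowercase header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def classify(raw: str) -> list[str]:
    """Return the alert names that fire for one request (empty list if none)."""
    req = parse_request(raw)
    headers = req["headers"]
    alerts: list[str] = []
    # Drop any query string before checking the resource name, as a URI match would.
    resource = req["path"].split("?", 1)[0].lower()
    if req["method"] == "POST" and resource.endswith("gate.php"):
        if "accept" not in headers:
            alerts.append(ALERT_NO_ACCEPT)
        if "referer" not in headers:
            alerts.append(ALERT_NO_REFERER)
    if headers.get("host", "").split(":", 1)[0].lower() in IP_LOOKUP_HOSTS:
        alerts.append(ALERT_IP_LOOKUP)
    return alerts


def scan(requests: list[str]) -> list[tuple[int, list[str]]]:
    """Classify every request; return (index, alerts) for those that fired."""
    hits = []
    for index, raw in enumerate(requests):
        alerts = classify(raw)
        if alerts:
            hits.append((index, alerts))
    return hits


# Constructed traffic shaped like the report's flows. example.invalid and the
# URI paths are assumptions; only icanhazip.com appears in the report.
SAMPLE_REQUESTS = [
    "POST /panel/gate.php HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 9\r\n"
    "\r\n"
    "id=victim",
    "GET / HTTP/1.1\r\n"
    "Host: icanhazip.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n",
    # A browser-originated POST carries Accept and Referer, so neither rule fires.
    "POST /gate.php HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Accept: */*\r\n"
    "Referer: http://example.invalid/\r\n"
    "Content-Length: 0\r\n"
    "\r\n",
]

if __name__ == "__main__":
    for index, alerts in scan(SAMPLE_REQUESTS):
        for alert in alerts:
            print(f"request {index}: {alert}")
```

The first constructed request trips both gate.php rules, the second only the IP lookup check, and the browser-shaped third request none; the point of the header checks is that a bare HTTP client in a stealer rarely bothers to send the Accept and Referer headers a browser always does.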
Processes (PIDs taken from the WriteProcessMemory signature above; indentation is tree depth)

C:\Users\Admin\AppData\Local\Temp\stub.bin.exe  (PID 572)
    "C:\Users\Admin\AppData\Local\Temp\stub.bin.exe"
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 1912)
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com  (PID 680)
        chcp 65001

    C:\Windows\SysWOW64\netsh.exe  (PID 1916)
        netsh wlan show profile

    C:\Windows\SysWOW64\findstr.exe  (PID 1736)
        findstr All

  C:\Windows\SysWOW64\cmd.exe  (PID 1992)
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com  (PID 1604)
        chcp 65001

    C:\Windows\SysWOW64\netsh.exe  (PID 1600)
        netsh wlan show networks mode=bssid

  C:\Windows\SysWOW64\WerFault.exe  (PID 752)
      C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 2448
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
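The process tree shows the Wi-Fi harvesting pattern StormKitty uses: `cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All` (chcp 65001 switches the console to UTF-8 so the output can be parsed reliably, and findstr All keeps only the "All User Profile" lines that name the saved networks), followed by `netsh wlan show networks mode=bssid`. Together with the Grabber staging directory from the desktop.ini IoCs and the CentralProcessor\0\Identifier registry read, that gives three host-side checks. The block below is an added example, not part of the sandbox report: it runs those checks over Sysmon-style process, file and registry events constructed to mirror the report's PIDs and paths, plus one benign interactive netsh run; the parent PID 1200 for stub.bin.exe and the staging-directory regex (generalised from the single path pattern in this report) are assumptions.

```python
"""Three host-side checks for the behaviours in this report's process tree and
file/registry IoCs, run over Sysmon-style process/file/registry events.
Added example, not part of the sandbox report.  The events mirror the report's
PIDs and paths and are constructed; the staging-directory regex is generalised
from the one path pattern in this report and is an assumption.
"""
from __future__ import annotations

import re

# Directories a standard user can write to; a binary running from one of
# these is treated as untrusted for the rules below.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")

# cmd.exe /C chcp 65001 && netsh wlan show profile|networks ...
NETSH_WLAN = re.compile(r"netsh\s+wlan\s+show\s+(profile|networks)\b", re.I)
# <AppData\Local>\<32 hex>\<user>@<host>_<lang>-<REGION>\Grabber\DRIVE-<X>\  (assumed pattern)
STAGING_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{32}\\[^\\]+@[^\\]+_[a-z]{2}-[a-z]{2}\\Grabber\\DRIVE-[A-Z]\\", re.I
)
CPU_ID_KEY = re.compile(r"\\CentralProcessor\\0\\Identifier$", re.I)


def in_user_writable(image: str) -> bool:
    return any(seg in image.lower() for seg in USER_WRITABLE)


def detect(events: list[dict]) -> list[dict]:
    """Return one hit per matching event: {"rule", "pid", "detail"}."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "process" and NETSH_WLAN.search(e["cmdline"]):
            parent = by_pid.get(e["ppid"])
            # The stealer's tell: the chcp 65001 prefix (forces UTF-8 output it can
            # parse), or the wlan query launched by a binary in a user-writable path.
            if "chcp 65001" in e["cmdline"].lower() or (parent is not None and in_user_writable(parent["image"])):
                hits.append({"rule": "wifi_profile_harvest", "pid": e["pid"], "detail": e["cmdline"]})
        elif e["type"] == "file" and STAGING_DIR.search(e["path"]):
            hits.append({"rule": "stealer_staging_dir", "pid": e["pid"], "detail": e["path"]})
        elif e["type"] == "registry" and CPU_ID_KEY.search(e["key"]):
            proc = by_pid.get(e["pid"])
            # Many legitimate programs read the CPU identifier; only flag it from
            # an untrusted image, as in this report (stub.bin.exe in %TEMP%).
            if proc is not None and in_user_writable(proc["image"]):
                hits.append({"rule": "cpu_identifier_probe", "pid": e["pid"], "detail": e["key"]})
    return hits


# Constructed events mirroring the report's tree (PIDs from the
# WriteProcessMemory table; ppid 1200 is assumed); the last one is a benign
# interactive netsh run that must not fire.
EVENTS = [
    {"type": "process", "pid": 572, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\stub.bin.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\stub.bin.exe"'},
    {"type": "process", "pid": 1912, "ppid": 572, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"type": "process", "pid": 1916, "ppid": 1912, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": "netsh wlan show profile"},
    {"type": "process", "pid": 1992, "ppid": 572, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'},
    {"type": "file", "pid": 572,
     "path": r"C:\Users\Admin\AppData\Local\5ad9a1338abe030f1491e7e2daf0ae64\Admin@JZCKHXIN_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini"},
    {"type": "registry", "pid": 572,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"},
    {"type": "process", "pid": 3001, "ppid": 2900, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profile"},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(f'{hit["rule"]:22} pid={hit["pid"]:<5} {hit["detail"]}')
```

Both cmd.exe launches (PIDs 1912 and 1992) fire the Wi-Fi rule on the chcp 65001 prefix while the netsh.exe children do not, so one alert is raised per harvesting command rather than per process; the staging-directory and CPU-identifier rules both attribute to PID 572, the stub itself.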
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\DotNetZip.dll  (listed twice)
  MD5     6d1c62ec1c2ef722f49b2d8dd4a4df16
  SHA1    1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
  SHA256  00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
  SHA512  c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

- \Users\Admin\AppData\Local\Temp\stub.bin.exe  (listed five times; same hashes as the submitted sample)
  MD5     68260e77a8d3f9f51e06d351f9ec4a9a
  SHA1    11dad0b9986ed9f8da5b8021bf1fdcef7aeba159
  SHA256  fddde87baeb78e0cbd56e87bf6e27052c13a42b5c808331b39157a605851164e
  SHA512  7801cfdf9786d14c5386c900e42b8228c8242be13e5f6d3e8fd8b4c93f6796faec7caf0f93077ecc5933e912113ea6dfb735160b0289e34073a7f0a337ff66f1
- memory/572-62-0x0000000005655000-0x0000000005666000-memory.dmp   Filesize 68KB
- memory/572-54-0x0000000000070000-0x0000000000071000-memory.dmp   Filesize 4KB
- memory/572-56-0x0000000005650000-0x0000000005651000-memory.dmp   Filesize 4KB
- memory/572-69-0x0000000005710000-0x0000000005711000-memory.dmp   Filesize 4KB
- memory/680-58-0x0000000000000000-mapping.dmp
- memory/752-70-0x0000000000000000-mapping.dmp
- memory/752-76-0x0000000000220000-0x0000000000221000-memory.dmp   Filesize 4KB
- memory/1600-65-0x0000000000000000-mapping.dmp
- memory/1604-64-0x0000000000000000-mapping.dmp
- memory/1736-60-0x0000000000000000-mapping.dmp
- memory/1912-57-0x0000000000000000-mapping.dmp
- memory/1916-61-0x00000000765A1000-0x00000000765A3000-memory.dmp   Filesize 8KB
- memory/1916-59-0x0000000000000000-mapping.dmp
- memory/1992-63-0x0000000000000000-mapping.dmp