Overview

overview

10

Static

static

d744acfd98...in.exe

windows7_x64

10

d744acfd98...in.exe

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-12-2021 08:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe

  • Size

    2.9MB

  • MD5

    bec34a052aa8082d10b8da33fe7883e4

  • SHA1

    e3f02cd8ca16879049e2e1e851432c200243dff0

  • SHA256

    d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315

  • SHA512

    2c0718e139b214cdfe50030a49f557e4696131fcdf4c524fc8a08681f480862b6d5c3f4188130491d84eb58cf9276f371ab05fd2b2e063799aa6a4bd0a12bd3a

Score
10/10
njratstormkittystealertrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty Payload 4 IoCs
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3132
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3500
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Windows\ZeusDDoS.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Windows\ZeusDDoS.exe
        C:\Windows\ZeusDDoS.exe
        3⤵
        • Executes dropped EXE
        PID:3852
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Windows\CloudFlare.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\CloudFlare.exe
        C:\Windows\CloudFlare.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2400
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2400 -s 1364
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:348
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Windows\MsMpWindowsHeandler.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\MsMpWindowsHeandler.exe
        C:\Windows\MsMpWindowsHeandler.exe
        3⤵
        • Executes dropped EXE
        PID:1472
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Windows\MsMpWindowsHeandler.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Windows\MsMpWindowsHeandler.exe
        C:\Windows\MsMpWindowsHeandler.exe
        3⤵
        • Executes dropped EXE
        PID:956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    108ba8976a36348372e4471a17e54fd4

    SHA1

    a62f81e39129c260b013911fb571379887a9ec36

    SHA256

    0699c8e31e3b0b899049bef7ca8d074f91bb3c1ab0dd3176c61b6c22f116188b

    SHA512

    e5564d81a16ae14d94e8be45d1a8f78dd596bcacd8124644b3b5da5d5e8c3384d1dc7882b8276ad6a5ad24b5cc7814a6dc1bb890a32c841c0c052276a7bf943c

    Download Submit

  • C:\Windows\CloudFlare.exe
    MD5

    d421d8dd515105167c2926aa42124568

    SHA1

    084d4c88b4c4f694e8da3225ceea7742c5fae432

    SHA256

    8f72b2bbf97a75afcdfdd21c91fd76cb0b115c475799bcd17c7659b7ec302220

    SHA512

    c40806175298fbc32af23f18bff4ed8d170769ea391d37195a7e6b31e568714ac700ce8333b20a10cee6d2e01ad45b468960ad003a528e73d9f6d57097e2cc87

    Download Submit

  • C:\Windows\CloudFlare.exe
    MD5

    d421d8dd515105167c2926aa42124568

    SHA1

    084d4c88b4c4f694e8da3225ceea7742c5fae432

    SHA256

    8f72b2bbf97a75afcdfdd21c91fd76cb0b115c475799bcd17c7659b7ec302220

    SHA512

    c40806175298fbc32af23f18bff4ed8d170769ea391d37195a7e6b31e568714ac700ce8333b20a10cee6d2e01ad45b468960ad003a528e73d9f6d57097e2cc87

    Download Submit

  • C:\Windows\MsMpWindowsHeandler.exe
    MD5

    588801cb97eff4329e719e8f59b41a40

    SHA1

    ca54598ec9d632489d05c705ce26314aa494069a

    SHA256

    5a6a74294c6563b71a16f2c8877ae056d8403d7b7a745357365375396758b96f

    SHA512

    0d4ffb5afc76ada34e9279cedef15022310003b26b5f6218f89f62853154914c2725088fa49ad9face499114a75187352ee9647e547d3347b1e36a0fb962b24f

    Download Submit

  • C:\Windows\MsMpWindowsHeandler.exe
    MD5

    588801cb97eff4329e719e8f59b41a40

    SHA1

    ca54598ec9d632489d05c705ce26314aa494069a

    SHA256

    5a6a74294c6563b71a16f2c8877ae056d8403d7b7a745357365375396758b96f

    SHA512

    0d4ffb5afc76ada34e9279cedef15022310003b26b5f6218f89f62853154914c2725088fa49ad9face499114a75187352ee9647e547d3347b1e36a0fb962b24f

    Download Submit

  • C:\Windows\MsMpWindowsHeandler.exe
    MD5

    588801cb97eff4329e719e8f59b41a40

    SHA1

    ca54598ec9d632489d05c705ce26314aa494069a

    SHA256

    5a6a74294c6563b71a16f2c8877ae056d8403d7b7a745357365375396758b96f

    SHA512

    0d4ffb5afc76ada34e9279cedef15022310003b26b5f6218f89f62853154914c2725088fa49ad9face499114a75187352ee9647e547d3347b1e36a0fb962b24f

    Download Submit

  • C:\Windows\ZeusDDoS.exe
    MD5

    7baebb48d7fb4be4449089d37af39b7a

    SHA1

    1d9670a90c9f821418f38fa3b16e49a04ab7018a

    SHA256

    00839950ef5fca43bdc79dbc1e8af106063ac556dea2d58e8f65ac230d7d0e3e

    SHA512

    f91f6ca68218a6af9f303a19d974df17fc14af6a83272e9425f444f6488fc7f25b61bbae0ad0e47980d623b28f8aa8ce09ec76b5d504aeee736bb9838a83d8a9

    Download Submit

  • C:\Windows\ZeusDDoS.exe
    MD5

    7baebb48d7fb4be4449089d37af39b7a

    SHA1

    1d9670a90c9f821418f38fa3b16e49a04ab7018a

    SHA256

    00839950ef5fca43bdc79dbc1e8af106063ac556dea2d58e8f65ac230d7d0e3e

    SHA512

    f91f6ca68218a6af9f303a19d974df17fc14af6a83272e9425f444f6488fc7f25b61bbae0ad0e47980d623b28f8aa8ce09ec76b5d504aeee736bb9838a83d8a9

    Download Submit

  • memory/956-137-0x0000000002800000-0x0000000002801000-memory.dmp

    Filesize

    4KB

    Download

  • memory/956-120-0x0000000000000000-mapping.dmp

    Download

  • memory/1472-121-0x0000000000000000-mapping.dmp

    Download

  • memory/1472-138-0x0000000002590000-0x0000000002591000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2032-117-0x0000000000000000-mapping.dmp

    Download

  • memory/2292-119-0x0000000000000000-mapping.dmp

    Download

  • memory/2400-126-0x0000000000000000-mapping.dmp

    Download

  • memory/2400-132-0x0000000000050000-0x0000000000068000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2400-133-0x0000000000050000-0x0000000000068000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2400-134-0x000000001AA80000-0x000000001AA82000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3068-115-0x0000000000000000-mapping.dmp

    Download

  • memory/3132-157-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3132-179-0x0000000008B00000-0x0000000008BA5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/3132-135-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3132-131-0x0000000000000000-mapping.dmp

    Download

  • memory/3132-385-0x0000000008BD0000-0x0000000008BD8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3132-380-0x0000000008BD0000-0x0000000008BD8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3132-141-0x0000000001120000-0x0000000001156000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3132-379-0x0000000008F70000-0x0000000008F8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3132-143-0x0000000006D00000-0x0000000007328000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3132-374-0x0000000008F70000-0x0000000008F8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3132-145-0x00000000007E0000-0x00000000007E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3132-146-0x00000000007E2000-0x00000000007E3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3132-247-0x00000000007E3000-0x00000000007E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3132-148-0x0000000006B50000-0x0000000006B72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3132-149-0x0000000007430000-0x0000000007496000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3132-150-0x0000000006BF0000-0x0000000006C56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3132-180-0x0000000009010000-0x00000000090A4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3132-152-0x00000000074A0000-0x00000000077F0000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3132-153-0x00000000078F0000-0x000000000790C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3132-154-0x0000000007920000-0x000000000796B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3132-136-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3132-156-0x0000000007C30000-0x0000000007CA6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3132-174-0x0000000008AE0000-0x0000000008AFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3132-165-0x0000000006D00000-0x0000000007328000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3132-166-0x000000007E720000-0x000000007E721000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3132-167-0x0000000008AA0000-0x0000000008AD3000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3132-168-0x0000000008AA0000-0x0000000008AD3000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3132-169-0x0000000006B50000-0x0000000006B72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3132-170-0x0000000007430000-0x0000000007496000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3132-171-0x0000000006BF0000-0x0000000006C56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3132-172-0x0000000007920000-0x000000000796B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3132-173-0x0000000007C30000-0x0000000007CA6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3500-421-0x0000000009310000-0x0000000009343000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3500-402-0x00000000079F0000-0x0000000007A56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3500-503-0x0000000006C63000-0x0000000006C64000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3500-406-0x0000000008110000-0x000000000812C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3500-433-0x000000007F370000-0x000000007F371000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3500-407-0x0000000008670000-0x00000000086BB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3500-432-0x00000000096F0000-0x0000000009795000-memory.dmp

    Filesize

    660KB

    Download

  • memory/3500-427-0x0000000006F10000-0x0000000006F2E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3500-395-0x0000000000000000-mapping.dmp

    Download

  • memory/3500-426-0x0000000008420000-0x0000000008496000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3500-399-0x0000000006BF0000-0x0000000006C26000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3500-400-0x00000000072A0000-0x00000000078C8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3500-401-0x0000000007920000-0x0000000007942000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3500-422-0x0000000007920000-0x0000000007942000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3500-403-0x0000000007BB0000-0x0000000007C16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3500-404-0x0000000007C20000-0x0000000007F70000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3500-434-0x0000000009840000-0x00000000098D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3500-425-0x0000000008670000-0x00000000086BB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3500-424-0x0000000007BB0000-0x0000000007C16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3500-408-0x0000000006C60000-0x0000000006C61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3500-409-0x0000000006C62000-0x0000000006C63000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3500-410-0x0000000008420000-0x0000000008496000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3500-419-0x00000000072A0000-0x00000000078C8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3500-420-0x0000000009310000-0x0000000009343000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3500-423-0x00000000079F0000-0x0000000007A56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3588-118-0x0000000000000000-mapping.dmp

    Download

  • memory/3704-116-0x0000000000000000-mapping.dmp

    Download

  • memory/3852-122-0x0000000000000000-mapping.dmp

    Download

  • memory/3852-142-0x0000000005520000-0x0000000005A1E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3852-147-0x0000000005020000-0x000000000551E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3852-155-0x0000000005020000-0x000000000551E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3852-139-0x0000000000710000-0x000000000071A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3852-140-0x0000000000710000-0x000000000071A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3852-144-0x0000000004F60000-0x0000000004FF2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3852-151-0x0000000004F40000-0x0000000004F4A000-memory.dmp

    Filesize

    40KB

    Download