Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
26-05-2022 21:34
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.W32.AIDetectNet.01.23202.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.W32.AIDetectNet.01.23202.exe
Resource
win10v2004-20220414-en
General
-
Target
SecuriteInfo.com.W32.AIDetectNet.01.23202.exe
-
Size
615KB
-
MD5
e07c276f913472c39c81c9caa5ae7c2e
-
SHA1
c086259f3bcb0166c5e8b12e2ae3f3c82fa6dc3b
-
SHA256
d410882344230e5f0e2f98fa62f97b091be51abc83cade58585c6e62bc35a1d7
-
SHA512
e5c699c7dbd5b33d93faff11773575946b6bc65c407989b24bdb3dda0025d59c0a68962c7cbe4ea6210212c64966f3ad42f7ed6692d6fe04373accab4e96b368
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4156-147-0x0000000000000000-mapping.dmp family_stormkitty behavioral2/memory/4156-148-0x0000000000400000-0x0000000000418000-memory.dmp family_stormkitty behavioral2/memory/1748-153-0x0000000000000000-mapping.dmp family_stormkitty -
A310logger Executable 5 IoCs
Processes:
resource yara_rule behavioral2/memory/4156-147-0x0000000000000000-mapping.dmp a310logger behavioral2/memory/4156-148-0x0000000000400000-0x0000000000418000-memory.dmp a310logger C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe a310logger C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe a310logger behavioral2/memory/1748-153-0x0000000000000000-mapping.dmp a310logger -
Executes dropped EXE 1 IoCs
Processes:
MZ.exepid process 528 MZ.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
Processes:
InstallUtil.exeInstallUtil.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 37 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.23202.exeSecuriteInfo.com.W32.AIDetectNet.01.23202.exedescription pid process target process PID 1820 set thread context of 1096 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1096 set thread context of 100 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 set thread context of 4156 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 set thread context of 1748 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3976 100 WerFault.exe InstallUtil.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
InstallUtil.exeInstallUtil.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 InstallUtil.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier InstallUtil.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 InstallUtil.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier InstallUtil.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.23202.exeMZ.exepid process 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe 528 MZ.exe 528 MZ.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.23202.exepid process 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.23202.exeInstallUtil.exeMZ.exedescription pid process Token: SeDebugPrivilege 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe Token: SeDebugPrivilege 4156 InstallUtil.exe Token: SeDebugPrivilege 528 MZ.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.23202.exepid process 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
InstallUtil.exepid process 100 InstallUtil.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.23202.exeSecuriteInfo.com.W32.AIDetectNet.01.23202.exeInstallUtil.exedescription pid process target process PID 1820 wrote to memory of 404 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1820 wrote to memory of 404 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1820 wrote to memory of 404 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1820 wrote to memory of 4480 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1820 wrote to memory of 4480 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1820 wrote to memory of 4480 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1820 wrote to memory of 1096 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1820 wrote to memory of 1096 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1820 wrote to memory of 1096 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1820 wrote to memory of 1096 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1820 wrote to memory of 1096 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1820 wrote to memory of 1096 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1820 wrote to memory of 1096 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1820 wrote to memory of 1096 1820 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe SecuriteInfo.com.W32.AIDetectNet.01.23202.exe PID 1096 wrote to memory of 100 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 100 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 100 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 100 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 100 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 100 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 4156 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 4156 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 4156 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 4156 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 4156 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 4156 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 4156 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 4156 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 4156 wrote to memory of 528 4156 InstallUtil.exe MZ.exe PID 4156 wrote to memory of 528 4156 InstallUtil.exe MZ.exe PID 1096 wrote to memory of 1748 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 1748 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 1748 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 1748 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 1748 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 1748 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 1748 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe PID 1096 wrote to memory of 1748 1096 SecuriteInfo.com.W32.AIDetectNet.01.23202.exe InstallUtil.exe -
outlook_office_path 1 IoCs
Processes:
InstallUtil.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe -
outlook_win_path 1 IoCs
Processes:
InstallUtil.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 124⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 100 -ip 1001⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.logFilesize
496B
MD55370d1dff94d27a9a6cfab002a5c444b
SHA1fecadd9e884c57822ebeae897a3989c0e678fd1a
SHA2560ddb4ec9a919c3566a4ab48ce605f24816e6fb2efdd6e4070a54a1f5912ec946
SHA51267a3787e49e7d8ea23b3e1766639b36e685cf404042bc270f5c43dc0b0f50623778cb98c013577b3a0a3b425b608ff4e944e29df3725425ce6383759fe7534eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exeFilesize
20KB
MD51bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exeFilesize
20KB
MD51bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
memory/100-144-0x0000000000000000-mapping.dmp
-
memory/404-136-0x0000000000000000-mapping.dmp
-
memory/528-150-0x0000000000000000-mapping.dmp
-
memory/1096-146-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1096-138-0x0000000000000000-mapping.dmp
-
memory/1096-139-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1096-141-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1748-156-0x00000000741B0000-0x0000000074761000-memory.dmpFilesize
5.7MB
-
memory/1748-153-0x0000000000000000-mapping.dmp
-
memory/1820-135-0x0000000007E50000-0x0000000007EB6000-memory.dmpFilesize
408KB
-
memory/1820-130-0x0000000000930000-0x00000000009D0000-memory.dmpFilesize
640KB
-
memory/1820-134-0x0000000007B20000-0x0000000007BBC000-memory.dmpFilesize
624KB
-
memory/1820-133-0x0000000005360000-0x000000000536A000-memory.dmpFilesize
40KB
-
memory/1820-132-0x0000000005390000-0x0000000005422000-memory.dmpFilesize
584KB
-
memory/1820-131-0x0000000005940000-0x0000000005EE4000-memory.dmpFilesize
5.6MB
-
memory/4156-147-0x0000000000000000-mapping.dmp
-
memory/4156-148-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/4156-149-0x00000000741B0000-0x0000000074761000-memory.dmpFilesize
5.7MB
-
memory/4480-137-0x0000000000000000-mapping.dmp