Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    26-05-2022 21:34

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.23202.exe

  • Size

    615KB

  • MD5

    e07c276f913472c39c81c9caa5ae7c2e

  • SHA1

    c086259f3bcb0166c5e8b12e2ae3f3c82fa6dc3b

  • SHA256

    d410882344230e5f0e2f98fa62f97b091be51abc83cade58585c6e62bc35a1d7

  • SHA512

    e5c699c7dbd5b33d93faff11773575946b6bc65c407989b24bdb3dda0025d59c0a68962c7cbe4ea6210212c64966f3ad42f7ed6692d6fe04373accab4e96b368

Malware Config

Signatures

  • A310logger

    A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty Payload 3 IoCs
  • A310logger Executable 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe"
      2⤵
      PID:404
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe"
      2⤵
      PID:4480
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.23202.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
        3⤵
        • Suspicious use of UnmapMainImage
        PID:100
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 12
          4⤵
          • Program crash
          PID:3976
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4156
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:528
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • outlook_office_path
        • outlook_win_path
        PID:1748
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 100 -ip 100
    1⤵
    PID:4612

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    System Information Discovery (T1082): 2
    Query Registry (T1012): 1
  • Collection
    Data from Local System (T1005): 2
    Email Collection (T1114): 1

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.log
    Filesize 496B
    MD5 5370d1dff94d27a9a6cfab002a5c444b
    SHA1 fecadd9e884c57822ebeae897a3989c0e678fd1a
    SHA256 0ddb4ec9a919c3566a4ab48ce605f24816e6fb2efdd6e4070a54a1f5912ec946
    SHA512 67a3787e49e7d8ea23b3e1766639b36e685cf404042bc270f5c43dc0b0f50623778cb98c013577b3a0a3b425b608ff4e944e29df3725425ce6383759fe7534eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
    Filesize 20KB
    MD5 1bad0cbd09b05a21157d8255dc801778
    SHA1 ff284bba12f011b72e20d4c9537d6c455cdbf228
    SHA256 218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
    SHA512 4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533

  • memory/100-144-0x0000000000000000-mapping.dmp
  • memory/404-136-0x0000000000000000-mapping.dmp
  • memory/528-150-0x0000000000000000-mapping.dmp
  • memory/1096-146-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize 192KB)
  • memory/1096-138-0x0000000000000000-mapping.dmp
  • memory/1096-139-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize 192KB)
  • memory/1096-141-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize 192KB)
  • memory/1748-156-0x00000000741B0000-0x0000000074761000-memory.dmp (Filesize 5.7MB)
  • memory/1748-153-0x0000000000000000-mapping.dmp
  • memory/1820-135-0x0000000007E50000-0x0000000007EB6000-memory.dmp (Filesize 408KB)
  • memory/1820-130-0x0000000000930000-0x00000000009D0000-memory.dmp (Filesize 640KB)
  • memory/1820-134-0x0000000007B20000-0x0000000007BBC000-memory.dmp (Filesize 624KB)
  • memory/1820-133-0x0000000005360000-0x000000000536A000-memory.dmp (Filesize 40KB)
  • memory/1820-132-0x0000000005390000-0x0000000005422000-memory.dmp (Filesize 584KB)
  • memory/1820-131-0x0000000005940000-0x0000000005EE4000-memory.dmp (Filesize 5.6MB)
  • memory/4156-147-0x0000000000000000-mapping.dmp
  • memory/4156-148-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize 96KB)
  • memory/4156-149-0x00000000741B0000-0x0000000074761000-memory.dmp (Filesize 5.7MB)
  • memory/4480-137-0x0000000000000000-mapping.dmp