Overview

overview

10

Static

static

New Order.exe

windows7-x64

10

New Order.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    78s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    13-08-2022 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order.exe

  • Size

    847KB

  • MD5

    c606b79a4bc00248caf9a9c34c27967c

  • SHA1

    e6023105be92a970a854a3a935786dac7eb24bb4

  • SHA256

    4649b0df03857384398c1b95c2e26768ed8a6198499a39d3efdb8d696ede4176

  • SHA512

    3849116a967cbd303e138b3e384e433c53cd2779bde4538975c51bd4d8f8fa4b0414dbce17d41d28a1cb23f537ebad6ab60168a3a16349bb8844a48c8c860a72

Score
10/10
blustealerstormkittycollectionstealer

Malware Config

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 4 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QWZdOXeSBeFk.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1868
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWZdOXeSBeFk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF613.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1804
    • C:\Users\Admin\AppData\Local\Temp\New Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1960

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF613.tmp
    Filesize

    1KB

    MD5

    9f8e7a129dd3d7e2f49144728c782fef

    SHA1

    3addfacb13e8bb6fa0591d072498680c2421c908

    SHA256

    b70d88a300edfd60a7b229835f4b144b9666e0f48bf8fa2a5c3b113de701381c

    SHA512

    e703482fbc234dbe04a7902114786287f4e5bf9eac5b02c891052d7d34705fb03b94f40b771795f69f6a462b2dc87b217825e73eeea801770cd9f0f69b38d686

    Download Submit

  • memory/1336-58-0x0000000001EC0000-0x0000000001ECC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1336-59-0x0000000005E30000-0x0000000005E98000-memory.dmp

    Filesize

    416KB

    Download

  • memory/1336-57-0x00000000040D0000-0x00000000040F4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1336-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1336-64-0x0000000005AB0000-0x0000000005ADC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1336-54-0x00000000000E0000-0x00000000001B8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1336-56-0x00000000003A0000-0x00000000003C4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1788-66-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1788-65-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1788-89-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1788-68-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1788-70-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1788-73-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1788-77-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1868-88-0x000000006E880000-0x000000006EE2B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1868-78-0x000000006E880000-0x000000006EE2B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1960-79-0x00000000000D0000-0x00000000000EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1960-81-0x00000000000D0000-0x00000000000EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1960-84-0x00000000000D0000-0x00000000000EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1960-86-0x00000000000D0000-0x00000000000EA000-memory.dmp

    Filesize

    104KB

    Download