Analysis
-
max time kernel
150s -
max time network
66s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
14/08/2022, 06:33
Static task
static1
Behavioral task
behavioral1
Sample
hesaphareketi-01.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
hesaphareketi-01.exe
Resource
win10v2004-20220812-en
General
-
Target
hesaphareketi-01.exe
-
Size
649KB
-
MD5
bc8d543a0797561e76f944e6bfc4990e
-
SHA1
489c5b7a55500f2121ffafd7621dd6c823aee243
-
SHA256
49bdfdd87717e7988577673f3b78e9f3aca231ff6d2f5162209004769764fc42
-
SHA512
75af675d881853aae556af089f64efed72382a05f38b43aa16e7111ddc5cccd98748ad17a462d52ee88d7a6e5f11f6d74d0c2db6963605eeb98eb6c5840d2e88
Malware Config
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/3508-146-0x00000000009C0000-0x00000000009DA000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4820 set thread context of 4340 4820 hesaphareketi-01.exe 77 PID 4340 set thread context of 3508 4340 hesaphareketi-01.exe 78 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4820 hesaphareketi-01.exe 4820 hesaphareketi-01.exe 4820 hesaphareketi-01.exe 4820 hesaphareketi-01.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4820 hesaphareketi-01.exe Token: SeDebugPrivilege 3508 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4340 hesaphareketi-01.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4820 wrote to memory of 4340 4820 hesaphareketi-01.exe 77 PID 4820 wrote to memory of 4340 4820 hesaphareketi-01.exe 77 PID 4820 wrote to memory of 4340 4820 hesaphareketi-01.exe 77 PID 4820 wrote to memory of 4340 4820 hesaphareketi-01.exe 77 PID 4820 wrote to memory of 4340 4820 hesaphareketi-01.exe 77 PID 4820 wrote to memory of 4340 4820 hesaphareketi-01.exe 77 PID 4820 wrote to memory of 4340 4820 hesaphareketi-01.exe 77 PID 4820 wrote to memory of 4340 4820 hesaphareketi-01.exe 77 PID 4340 wrote to memory of 3508 4340 hesaphareketi-01.exe 78 PID 4340 wrote to memory of 3508 4340 hesaphareketi-01.exe 78 PID 4340 wrote to memory of 3508 4340 hesaphareketi-01.exe 78 PID 4340 wrote to memory of 3508 4340 hesaphareketi-01.exe 78 PID 4340 wrote to memory of 3508 4340 hesaphareketi-01.exe 78 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3508
-
-