Overview

overview

10

Static

static

10

2bb1aa0fd3...02.exe

windows7-x64

10

2bb1aa0fd3...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-08-2022 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2bb1aa0fd3ba10b9da58570bdf755402.exe

  • Size

    406KB

  • MD5

    2bb1aa0fd3ba10b9da58570bdf755402

  • SHA1

    a31cb26e9cd88c0a26b576aa4f185ed5f5135fb4

  • SHA256

    98d37790e570afd49b7a00192019f6c9e7c84e96069da4daa1b64a6cc88695a8

  • SHA512

    2cba6e41ad6978ea4914e52823d1af6c0372933eba71bc7e2ad4fd732a8c4ed905418ec0f7507835bacc81121e9784703239a2ce429406e61fd3abfea4901356

Score
10/10
blustealerstormkittycollectionevasionpersistencestealer

Malware Config

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bb1aa0fd3ba10b9da58570bdf755402.exe
    "C:\Users\Admin\AppData\Local\Temp\2bb1aa0fd3ba10b9da58570bdf755402.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2696
    • \??\c:\users\admin\appdata\local\temp\2bb1aa0fd3ba10b9da58570bdf755402.exe 
      c:\users\admin\appdata\local\temp\2bb1aa0fd3ba10b9da58570bdf755402.exe 
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4372
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4316
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4100
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2116
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Modifies Installed Components in the registry
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4908
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:952
            • C:\Windows\SysWOW64\at.exe
              at 07:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
                PID:5112
              • C:\Windows\SysWOW64\at.exe
                at 07:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                6⤵
                  PID:1684
                • C:\Windows\SysWOW64\at.exe
                  at 07:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  6⤵
                    PID:4300

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2bb1aa0fd3ba10b9da58570bdf755402.exe 
          Filesize

          132KB

          MD5

          f7e5a5c100fcf5a248dfe0424bc5bbdc

          SHA1

          05fab29b3f901ea56ebc0d5e240aa747aa44ee4f

          SHA256

          fafa8057f024c7a3c30e48b63d05d712e7de1f2f38f592a03cabbe8917942a89

          SHA512

          048b661425a63033980b1253bd0e8e24de0eb6ea230e24c46eec965371cd74f7ebd27ae004f6ee006abb48879fa3258ff6d4d049380ea8da57cda5953fb91bf2

          Download Submit

        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          Filesize

          274KB

          MD5

          ec13047c64390d0e3973b2515dd18267

          SHA1

          32ce693670495b197ff668810c0fb6f9bcf8d5be

          SHA256

          2bd1d41b13e8918710db1c5db5f75c45ec8e4f925fc76cc5705d7c9feecebc11

          SHA512

          123d37d434cfd32a6105fb0782dc3706355911f00e71496a28be57874e9c7025a44219ec91d3d324436953f46df22dfdae3ccb278a5e1bd87cb73e2089f1c0a6

          Download Submit

        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          Filesize

          274KB

          MD5

          ec13047c64390d0e3973b2515dd18267

          SHA1

          32ce693670495b197ff668810c0fb6f9bcf8d5be

          SHA256

          2bd1d41b13e8918710db1c5db5f75c45ec8e4f925fc76cc5705d7c9feecebc11

          SHA512

          123d37d434cfd32a6105fb0782dc3706355911f00e71496a28be57874e9c7025a44219ec91d3d324436953f46df22dfdae3ccb278a5e1bd87cb73e2089f1c0a6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          274KB

          MD5

          5b73a07a9e91efc4b2d530684f10edae

          SHA1

          a407ac1c45eb4124cd24c162c9866d7a1fdc2b43

          SHA256

          3b5254ebb94bdcf4aab90a5ef2c96b4710c2033639a7271a928025ac3a950ae8

          SHA512

          25987d7d4275ac0505016c78c9f74f29004cc8eb57dbf7f957e58d9a28446c67b1e8bc1f21ff75716d37a026cfd6f41f7881cb71a0d80e1c013fedcda8cda567

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          274KB

          MD5

          5f77d4dab5cd5cd36d7ea729601f0f29

          SHA1

          109c17584f8f4557122dc203e44a6db667a3926e

          SHA256

          324c43068b23fb47c028b6e1835469142ecb2847eabbf8db4f1eb875a0031971

          SHA512

          3dcd037f3bd69dfd03e5dcc9019e49c86be7b0205ba600a1c8784c92fb79bd98fbc521856d203bb63418ce1d8c22fe9cb00efce00bd8b192047341947acfd959

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          274KB

          MD5

          dd9764cf9bc59c640f3dc907560595ef

          SHA1

          cc871a2890869e4342059f6bb520a6c3a6360f46

          SHA256

          6a6d7546ee2d52407fc9e901d9aa1f5de6fb1b9424bce9a7462768dd96a0ffa5

          SHA512

          569100e92d9b24027b81ad4f4f175660feef699bd230ea8e1ce125743e50d2fcd46d8ef8c7dfa6c369fd88bb5ca052bbba6b761de5da60332571153a1a6ad52d

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          274KB

          MD5

          dd9764cf9bc59c640f3dc907560595ef

          SHA1

          cc871a2890869e4342059f6bb520a6c3a6360f46

          SHA256

          6a6d7546ee2d52407fc9e901d9aa1f5de6fb1b9424bce9a7462768dd96a0ffa5

          SHA512

          569100e92d9b24027b81ad4f4f175660feef699bd230ea8e1ce125743e50d2fcd46d8ef8c7dfa6c369fd88bb5ca052bbba6b761de5da60332571153a1a6ad52d

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          274KB

          MD5

          f0940e6cf0e12a9e5e623723da20334a

          SHA1

          468ca32cf63310afddf1e4b3453369938d405cca

          SHA256

          1f48fab47bf0ee0cd8d6f2adb08b8ab952a564da24497af380e720a28904cf90

          SHA512

          aee19e434d811393546ace0ccc5cbaae34e2cb4c6b33438919fe82e9eb61f1a854a313787adf8250acd130d0835af97a692f32ff77342bb7bb686bb0b61d9dde

          Download Submit

        • \??\c:\users\admin\appdata\local\temp\2bb1aa0fd3ba10b9da58570bdf755402.exe 
          Filesize

          132KB

          MD5

          f7e5a5c100fcf5a248dfe0424bc5bbdc

          SHA1

          05fab29b3f901ea56ebc0d5e240aa747aa44ee4f

          SHA256

          fafa8057f024c7a3c30e48b63d05d712e7de1f2f38f592a03cabbe8917942a89

          SHA512

          048b661425a63033980b1253bd0e8e24de0eb6ea230e24c46eec965371cd74f7ebd27ae004f6ee006abb48879fa3258ff6d4d049380ea8da57cda5953fb91bf2

          Download Submit

        • \??\c:\windows\system\explorer.exe
          Filesize

          274KB

          MD5

          5f77d4dab5cd5cd36d7ea729601f0f29

          SHA1

          109c17584f8f4557122dc203e44a6db667a3926e

          SHA256

          324c43068b23fb47c028b6e1835469142ecb2847eabbf8db4f1eb875a0031971

          SHA512

          3dcd037f3bd69dfd03e5dcc9019e49c86be7b0205ba600a1c8784c92fb79bd98fbc521856d203bb63418ce1d8c22fe9cb00efce00bd8b192047341947acfd959

          Download Submit

        • \??\c:\windows\system\spoolsv.exe
          Filesize

          274KB

          MD5

          dd9764cf9bc59c640f3dc907560595ef

          SHA1

          cc871a2890869e4342059f6bb520a6c3a6360f46

          SHA256

          6a6d7546ee2d52407fc9e901d9aa1f5de6fb1b9424bce9a7462768dd96a0ffa5

          SHA512

          569100e92d9b24027b81ad4f4f175660feef699bd230ea8e1ce125743e50d2fcd46d8ef8c7dfa6c369fd88bb5ca052bbba6b761de5da60332571153a1a6ad52d

          Download Submit

        • \??\c:\windows\system\svchost.exe
          Filesize

          274KB

          MD5

          f0940e6cf0e12a9e5e623723da20334a

          SHA1

          468ca32cf63310afddf1e4b3453369938d405cca

          SHA256

          1f48fab47bf0ee0cd8d6f2adb08b8ab952a564da24497af380e720a28904cf90

          SHA512

          aee19e434d811393546ace0ccc5cbaae34e2cb4c6b33438919fe82e9eb61f1a854a313787adf8250acd130d0835af97a692f32ff77342bb7bb686bb0b61d9dde

          Download Submit

        • memory/952-177-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2116-178-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2116-171-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2696-140-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2696-180-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4100-185-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4100-169-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4316-149-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4316-179-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4372-156-0x0000000005350000-0x00000000053B6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4372-183-0x0000000005D10000-0x0000000005DAC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/4372-142-0x0000000000DA0000-0x0000000000DBA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4908-173-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4908-186-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download