Overview

overview

10

Static

static

10

d617cfaf2f...82.exe

windows7-x64

10

d617cfaf2f...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-08-2022 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d617cfaf2f5cfcb5c50ecc28d0d02582.exe

  • Size

    406KB

  • MD5

    d617cfaf2f5cfcb5c50ecc28d0d02582

  • SHA1

    63a2d370a2c0ef547cc7a78e220e0d9021e2b4a1

  • SHA256

    4a4d5455c9e941082c8c08a96102afc9d33abc40985bfcc00b6bee8c098066fd

  • SHA512

    857a130effc4aca8d5cebaaa78eace06242e7f96332553f5676f4670fdfdab45eed3306475d8e3a9ad7facf4e3b5cceac9aeb7e25c394a82324499e0b78fe8f0

Score
10/10
blustealerstormkittycollectionevasionpersistencestealer

Malware Config

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d617cfaf2f5cfcb5c50ecc28d0d02582.exe
    "C:\Users\Admin\AppData\Local\Temp\d617cfaf2f5cfcb5c50ecc28d0d02582.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2132
    • \??\c:\users\admin\appdata\local\temp\d617cfaf2f5cfcb5c50ecc28d0d02582.exe 
      c:\users\admin\appdata\local\temp\d617cfaf2f5cfcb5c50ecc28d0d02582.exe 
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2260
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:752
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4536
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3328
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Modifies Installed Components in the registry
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4744
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:4664
            • C:\Windows\SysWOW64\at.exe
              at 15:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
                PID:1652
              • C:\Windows\SysWOW64\at.exe
                at 15:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                6⤵
                  PID:3980
                • C:\Windows\SysWOW64\at.exe
                  at 15:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  6⤵
                    PID:3500

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\d617cfaf2f5cfcb5c50ecc28d0d02582.exe 
          Filesize

          132KB

          MD5

          bee47439c4960e2728594ece9ad95ba7

          SHA1

          43f4b6f607dec5bec2a33e2fb4148c38de832490

          SHA256

          8a1902d9c0dbe388b28ef5a9c8ec4c0f1802fc6ccd43471ea337dcb3d71c81d4

          SHA512

          ad84d419d61b63e36a6766ba90773b39270bf9c8e72373b52c1979097e73110f749fad0cfed5c4f233304ad0af4b6e753666911ff7db83475c16c38976c46382

          Download Submit

        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          Filesize

          274KB

          MD5

          7f9ebd4ed2db0d66c4be272c681bad48

          SHA1

          cefdff7b1cb786ff84458e6e16b1e2ead35f9c34

          SHA256

          d4fdf7e61db35ab2f6cbaaa4c02a9336b29d653e7249247a74c4f6fa787768b0

          SHA512

          627d9ae1a7cce0d4f3859034bd2224ea27ad1cd0d2d7592886e147ea7806de31d9bfd7a0aa4d955eb2854247b2029bd835e5b420d275f0616803efe3eec60997

          Download Submit

        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          Filesize

          274KB

          MD5

          7f9ebd4ed2db0d66c4be272c681bad48

          SHA1

          cefdff7b1cb786ff84458e6e16b1e2ead35f9c34

          SHA256

          d4fdf7e61db35ab2f6cbaaa4c02a9336b29d653e7249247a74c4f6fa787768b0

          SHA512

          627d9ae1a7cce0d4f3859034bd2224ea27ad1cd0d2d7592886e147ea7806de31d9bfd7a0aa4d955eb2854247b2029bd835e5b420d275f0616803efe3eec60997

          Download Submit

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          274KB

          MD5

          468112c883ae65592e4a27a9de46510c

          SHA1

          66f27fe09533610b4ec9c9cd9222417ec22b48cd

          SHA256

          0c720a8f352f5d441f7334adbb801201c0f398f85e2995a35afd44734b1f75d7

          SHA512

          5639d2c888f11fecd0c128c1a41e295e74a330f58fd653e187ce7f101275580ff9b128d71e0a7dff13f59d26ea3a2d446f38061c4a0b8543dc3c05b4faf39ca2

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          274KB

          MD5

          4f60e67eacce620aa7263e5fbbb030b7

          SHA1

          b0ccf96f932d1e5030a9b8af389067047effe589

          SHA256

          ed9111524d8b21bb27513fb1573f9fd80c4656e70b52ba57d4d88b8df006c73c

          SHA512

          1bb7f88d60c62abec1f4c8fa0022ec7140eedad2705689aba3582dfcb7b9f0d7a0de3664f9261c167d3cdc535fa921d8f02e4b10e2054f792639d5eb15439d2f

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          274KB

          MD5

          023fba2969a45d6bf4962c1f2dd2d09f

          SHA1

          79e3812583be98936af6bb31a0b815c698ea2ef5

          SHA256

          e5c5e8d87b96788bd0aafa8fdb8cce89aeeb34ebd43ea0044536fdd8d48d83ad

          SHA512

          3a56bf3ffbc89fd2bd5e6729fb193a343638a50884a14ff586e51060840a44992360c8ff69cb4f52bc397ea182df9a1fb8f5eab21d4eeabe87256cef7904cfdd

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          274KB

          MD5

          023fba2969a45d6bf4962c1f2dd2d09f

          SHA1

          79e3812583be98936af6bb31a0b815c698ea2ef5

          SHA256

          e5c5e8d87b96788bd0aafa8fdb8cce89aeeb34ebd43ea0044536fdd8d48d83ad

          SHA512

          3a56bf3ffbc89fd2bd5e6729fb193a343638a50884a14ff586e51060840a44992360c8ff69cb4f52bc397ea182df9a1fb8f5eab21d4eeabe87256cef7904cfdd

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          274KB

          MD5

          223c4026aea9ba307a3de4e4f3dfd800

          SHA1

          81a1200851b4755ad60912bdc45f1883fc0066db

          SHA256

          b8b1c1cf67f56a9a6f76b61835ec07e80531ce88b6c4a46260a1ab912bc9d8b4

          SHA512

          c1c83ffae6dd7545b3bd8ce4740278ce5db220e0e4aac8358fbdf92eb18d82a4d62fd356e40251dbbc0c652193205f104a99622ffa44af711f20b22d21421173

          Download Submit

        • \??\c:\users\admin\appdata\local\temp\d617cfaf2f5cfcb5c50ecc28d0d02582.exe 
          Filesize

          132KB

          MD5

          bee47439c4960e2728594ece9ad95ba7

          SHA1

          43f4b6f607dec5bec2a33e2fb4148c38de832490

          SHA256

          8a1902d9c0dbe388b28ef5a9c8ec4c0f1802fc6ccd43471ea337dcb3d71c81d4

          SHA512

          ad84d419d61b63e36a6766ba90773b39270bf9c8e72373b52c1979097e73110f749fad0cfed5c4f233304ad0af4b6e753666911ff7db83475c16c38976c46382

          Download Submit

        • \??\c:\windows\system\explorer.exe
          Filesize

          274KB

          MD5

          4f60e67eacce620aa7263e5fbbb030b7

          SHA1

          b0ccf96f932d1e5030a9b8af389067047effe589

          SHA256

          ed9111524d8b21bb27513fb1573f9fd80c4656e70b52ba57d4d88b8df006c73c

          SHA512

          1bb7f88d60c62abec1f4c8fa0022ec7140eedad2705689aba3582dfcb7b9f0d7a0de3664f9261c167d3cdc535fa921d8f02e4b10e2054f792639d5eb15439d2f

          Download Submit

        • \??\c:\windows\system\spoolsv.exe
          Filesize

          274KB

          MD5

          023fba2969a45d6bf4962c1f2dd2d09f

          SHA1

          79e3812583be98936af6bb31a0b815c698ea2ef5

          SHA256

          e5c5e8d87b96788bd0aafa8fdb8cce89aeeb34ebd43ea0044536fdd8d48d83ad

          SHA512

          3a56bf3ffbc89fd2bd5e6729fb193a343638a50884a14ff586e51060840a44992360c8ff69cb4f52bc397ea182df9a1fb8f5eab21d4eeabe87256cef7904cfdd

          Download Submit

        • \??\c:\windows\system\svchost.exe
          Filesize

          274KB

          MD5

          223c4026aea9ba307a3de4e4f3dfd800

          SHA1

          81a1200851b4755ad60912bdc45f1883fc0066db

          SHA256

          b8b1c1cf67f56a9a6f76b61835ec07e80531ce88b6c4a46260a1ab912bc9d8b4

          SHA512

          c1c83ffae6dd7545b3bd8ce4740278ce5db220e0e4aac8358fbdf92eb18d82a4d62fd356e40251dbbc0c652193205f104a99622ffa44af711f20b22d21421173

          Download Submit

        • memory/752-178-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/752-161-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2132-179-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2132-140-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2260-183-0x00000000052D0000-0x000000000536C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2260-170-0x0000000004A40000-0x0000000004AA6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2260-142-0x00000000002A0000-0x00000000002BA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3328-177-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/3328-163-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4536-162-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4536-185-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4664-176-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4744-182-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download