Overview

overview

10

Static

static

SecuriteIn...01.exe

windows7-x64

6

SecuriteIn...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-08-2022 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.4201.exe

  • Size

    31KB

  • MD5

    993af3de9afbbf18492a7624dc1520d0

  • SHA1

    ffbbb6e36177177f00641f248e0a597d14d5a860

  • SHA256

    519049c140f5a4f0d6d2115f921d105b1bd4bf46f2e9f66a45762ba5c9cda9e0

  • SHA512

    c59274fce6b8a066a6b38988dd159ef09d964bdce7457f18da481e21a70bffa636411b5e386abf23c27c5a494d5a7bbe1ec4a0548f6f22977d59b682632b285a

  • SSDEEP

    768:6XaPBXOLr3u9Ngw1MYwVL6nXfelWhl9lqSg6KJY6Zy:6XaJ+ZkMP6nXcWhl9lqS3Kfy

Score
10/10
blustealerstormkittycollectionpersistencestealer

Malware Config

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.4201.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.4201.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:460
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4856
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.4201.exe
      C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.4201.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1844

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/460-132-0x0000000000250000-0x000000000025E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/460-133-0x00000000057A0000-0x00000000057F0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/460-134-0x00000000058B0000-0x0000000005962000-memory.dmp

    Filesize

    712KB

    Download

  • memory/460-135-0x0000000005F20000-0x00000000064C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/460-136-0x0000000005A10000-0x0000000005AA2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/460-137-0x00000000059A0000-0x00000000059C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1056-147-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1056-156-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1056-152-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1056-149-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1844-155-0x00000000057C0000-0x000000000585C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1844-154-0x00000000007C0000-0x00000000007DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4856-142-0x00000000053C0000-0x0000000005426000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4856-145-0x00000000064B0000-0x00000000064CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4856-144-0x0000000007890000-0x0000000007F0A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4856-143-0x0000000006010000-0x000000000602E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4856-139-0x00000000026C0000-0x00000000026F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4856-141-0x00000000052E0000-0x0000000005346000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4856-140-0x0000000005460000-0x0000000005A88000-memory.dmp

    Filesize

    6.2MB

    Download