Analysis
max time kernel: 300s
max time network: 294s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-09-2022 16:25
Static task: static1
Behavioral task: behavioral1
Sample: account.exe
Resource: win10v2004-20220812-en
General
Target: account.exe
Size: 834KB
MD5: ed087331c9c97859d6d30bca5245b42d
SHA1: 6f1f422171174486c9de328041a0606273b763aa
SHA256: 15af08408332677507425dd21c6e04fa469e1129c21dc9ae2d830cc5c8aa0642
SHA512: 336290c2b7b578fd9022b8d2b5708f27be6e56a8ac2cdcc2369a705896ad00a6920c76d295f24715c3063de4e71e7829cccd80a1c63558dc662b7544522daf0a
SSDEEP: 12288:nF75eRgPwqoXY+mzoRtbvRT7PJ7Na+6ZmvatTu7Fm8gAxYS6L9ETD:nZ5wXY+mzo3bv/Ra+CmiRusyYD
Malware Config
Signatures
BluStealer
A modular information stealer written in Visual Basic. Signature match only; no IoC is listed for it in this run.
StormKitty
StormKitty is an open-source information stealer written in C#.
StormKitty payload 1 IoCs
resource: behavioral1/memory/4712-153-0x0000000000F60000-0x0000000000F7A000-memory.dmp
yara_rule: family_stormkitty
PID 4712 is the AppLaunch.exe child in the process tree below, so the StormKitty payload runs inside the injected .NET host rather than in account.exe itself.
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry (Geo\Nation), most likely a geofence check.
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (account.exe)
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service (icanhazip.com) to find the infected system's external IP; the service itself is benign, so this is a weak network indicator on its own.
flow 62: icanhazip.com
Suspicious use of SetThreadContext 2 IoCs
PID 5060 (account.exe) set thread context of PID 3192 (procid_target 99)
PID 3192 (account.exe) set thread context of PID 4712 (procid_target 102)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it "likely ransomware behaviour", but no file encryption is recorded in this run; for an information stealer, drive enumeration is the expected prelude to file collection. No IoCs are listed for this signature.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments. All three IoCs here come from taskmgr.exe (PID 4416), which is a top-level process in the tree below and not a child of account.exe, so this is not sample behaviour.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (AppLaunch.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (AppLaunch.exe)
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 3632 schtasks.exe
Modifies registry class 1 IoCs
Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings (taskmgr.exe)
The process is taskmgr.exe (PID 4416), a top-level process in the tree below, not a descendant of account.exe.
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 4416 taskmgr.exe (61 IoCs); PID 2828 powershell.exe (3 IoCs)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
PID 4416 taskmgr.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Token: SeDebugPrivilege, PID 4416 taskmgr.exe
Token: SeSystemProfilePrivilege, PID 4416 taskmgr.exe
Token: SeCreateGlobalPrivilege, PID 4416 taskmgr.exe
Token: SeDebugPrivilege, PID 2828 powershell.exe
Token: SeDebugPrivilege, PID 4712 AppLaunch.exe
Token: SeSecurityPrivilege, PID 4416 taskmgr.exe
Token: SeTakeOwnershipPrivilege, PID 4416 taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
PID 4416 taskmgr.exe (all 64 IoCs)
Suspicious use of SendNotifyMessage 64 IoCs
PID 4416 taskmgr.exe (all 64 IoCs)
Suspicious use of SetWindowsHookEx 1 IoCs
PID 3192 account.exe
Suspicious use of WriteProcessMemory 19 IoCs
PID 5060 (account.exe) wrote to memory of PID 2828 (procid_target 95): 3 IoCs
PID 5060 (account.exe) wrote to memory of PID 3632 (procid_target 97): 3 IoCs
PID 5060 (account.exe) wrote to memory of PID 3192 (procid_target 99): 8 IoCs
PID 3192 (account.exe) wrote to memory of PID 4712 (procid_target 102): 5 IoCs
outlook_office_path 1 IoCs
Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
outlook_win_path 1 IoCs
Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
Processes
The leading number on each entry is the tree depth from the report. Read together with the SetThreadContext and WriteProcessMemory IoCs above, the chain is: account.exe (PID 5060) adds a Defender exclusion and a scheduled task, then spawns a second copy of itself (PID 3192) and sets its thread context; that copy spawns the .NET host AppLaunch.exe (PID 4712) and sets its thread context, and the family_stormkitty YARA hit is on PID 4712's memory. The child image paths are under SysWOW64 while their command lines name System32: account.exe is a 32-bit process, so WOW64 file-system redirection resolves System32 to SysWOW64. taskmgr.exe (PID 4416) and rundll32.exe (PID 3200) are top-level processes, not children of account.exe, so the signatures attributed to PID 4416 are not sample behaviour.
1. C:\Users\Admin\AppData\Local\Temp\account.exe (PID 5060)
   Command line: "C:\Users\Admin\AppData\Local\Temp\account.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2828)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QSBpOi.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\schtasks.exe (PID 3632)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QSBpOi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58DE.tmp"
      - Creates scheduled task(s)
   2. C:\Users\Admin\AppData\Local\Temp\account.exe (PID 3192)
      Command line: "C:\Users\Admin\AppData\Local\Temp\account.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4712)
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
         - Accesses Microsoft Outlook profiles
         - Checks processor information in registry
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
1. C:\Windows\system32\taskmgr.exe (PID 4416)
   Command line: "C:\Windows\system32\taskmgr.exe" /4
   - Checks SCSI registry key(s)
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
1. C:\Windows\System32\rundll32.exe (PID 3200)
   Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
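The process tree above, as an added Python triage example that is not code from the sandbox, from this report, or from the malware: it rebuilds the tree from constructed event records that mirror the PIDs, image paths, command lines and SetThreadContext IoCs in this report, scopes findings to account.exe's own subtree so that the top-level taskmgr.exe and rundll32.exe are excluded, and flags the hollowing chain, the Defender exclusion and the schtasks persistence. The record layout (kind/pid/ppid/image/cmdline/target) and the function names are assumptions, not a real EDR schema.

```python
"""Triage of a sandbox process tree: scope findings to the sample's own
subtree, then flag the injection chain, the Defender exclusion and the
scheduled-task persistence. Added example; event records are constructed
to mirror the report, and the record layout is an assumption."""
import re
from collections import defaultdict

# Constructed events: PIDs, image paths and command lines come from the
# report; ppid 0 marks a top-level process; the wrapping format is assumed.
EVENTS = [
    {"kind": "create", "pid": 5060, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\account.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\account.exe"'},
    {"kind": "create", "pid": 2828, "ppid": 5060,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QSBpOi.exe"'},
    {"kind": "create", "pid": 3632, "ppid": 5060,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QSBpOi" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp58DE.tmp"'},
    {"kind": "create", "pid": 3192, "ppid": 5060,
     "image": r"C:\Users\Admin\AppData\Local\Temp\account.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\account.exe"'},
    {"kind": "create", "pid": 4712, "ppid": 3192,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"},
    {"kind": "create", "pid": 4416, "ppid": 0,
     "image": r"C:\Windows\system32\taskmgr.exe",
     "cmdline": r'"C:\Windows\system32\taskmgr.exe" /4'},
    {"kind": "create", "pid": 3200, "ppid": 0,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
                r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"},
    {"kind": "setthreadcontext", "pid": 5060, "target": 3192},
    {"kind": "setthreadcontext", "pid": 3192, "target": 4712},
]


def image_name(proc):
    """Lower-cased file name of a process image path."""
    return proc["image"].rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """pid -> create record, and ppid -> [child pids]."""
    procs = {e["pid"]: e for e in events if e["kind"] == "create"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    return procs, children


def subtree(children, root):
    """PIDs reachable from root, root included. Anything outside this set
    (in the report: taskmgr.exe 4416 and rundll32.exe 3200, both top-level)
    is sandbox or user activity and must not be attributed to the sample."""
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children.get(pid, []))
    return seen


def find_injection_chain(events, procs):
    """SetThreadContext into a process the caller itself created is the
    hollowing pattern: spawn a child (itself, or a signed .NET host such as
    AppLaunch.exe), write the payload, then redirect its main thread.
    Returns [(src_pid, dst_pid, dst_image_name)] in event order."""
    chain = []
    for e in events:
        if e["kind"] != "setthreadcontext":
            continue
        dst = procs.get(e["target"])
        if dst is not None and dst["ppid"] == e["pid"]:
            chain.append((e["pid"], e["target"], image_name(dst)))
    return chain


def _arg(flag, cmdline):
    """Value following a flag, quoted or bare, or None if absent."""
    m = re.search(flag + r'\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def scan_cmdlines(procs, scope):
    """Command-line findings, restricted to PIDs inside scope."""
    findings = []
    for pid in sorted(scope):
        p = procs[pid]
        name, cl = image_name(p), p["cmdline"]
        if name == "powershell.exe" and re.search(r"Add-MpPreference", cl, re.I):
            # Defender exclusion for the path the sample will drop itself to.
            findings.append(("defender_exclusion", pid,
                             _arg(r"-Exclusion(?:Path|Process|Extension)", cl)))
        if name == "schtasks.exe" and re.search(r"/Create\b", cl, re.I):
            # Task created from an XML definition in %TEMP%: collect that file.
            findings.append(("scheduled_task", pid, _arg(r"/TN", cl), _arg(r"/XML", cl)))
        if "\\syswow64\\" in p["image"].lower() and "\\system32\\" in cl.lower():
            # Parent is 32-bit: WOW64 redirected its System32 reference on disk.
            findings.append(("wow64_redirected", pid, name))
    return findings


def triage(events, sample_pid):
    """What a first-pass report should state about the sample's subtree."""
    procs, children = build_tree(events)
    scope = subtree(children, sample_pid)
    chain = [c for c in find_injection_chain(events, procs) if c[0] in scope]
    return {
        "scope": scope,
        "injection_chain": chain,
        "final_payload_host": chain[-1][1] if chain else None,  # dump this one
        "findings": scan_cmdlines(procs, scope),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(EVENTS, 5060))
```

Running the block prints the triage dict for PID 5060. The scope set is what signature attribution should key on; the final_payload_host is the process whose memory to dump, which here is PID 4712, matching the family_stormkitty hit above; and the scheduled_task finding names the XML file in %TEMP% to collect before the sandbox tears the VM down.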
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 2adcab8548e39400630414a497cbc643
SHA1: a77591d3a3472c93823e32e369acd1feffab83a0
SHA256: 23fe76f0379955236f13bcf457e389bd73d4e38eef7c2f788c175f519a478c70
SHA512: a0b4dc4735328b1c2228742a1f4f188040764df79462186d064f07518ddb2e8ea9eaeaf8bfdcd7890ae40e10b5d896059f364d4e6f8ab64a9c491dcd5fc3e724