Overview

overview

10

Static

static

doc 202209...01.exe

windows7-x64

10

doc 202209...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2022 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    doc 202209200099010100101.exe

  • Size

    775KB

  • MD5

    208ea4fa3dacf520513730003b3849ff

  • SHA1

    218f95bb8e3e032c6b182197df35ee55579aba67

  • SHA256

    54c419e5d402c052ca814fa728a82fdb2cfd67788960112429ef2f4734e9c866

  • SHA512

    ea5070ce837bca364be4e6f42fae5cf2e831c6486abf74e90d1de9fcb6277bdf51fb3859dcf1f97745a9a3848097219835359e16a2cd953d48212b3cf666f0ea

  • SSDEEP

    12288:Efhcgyb1Qj5eeJe194GwyU0ao1SS5GMT4h3mOvud94f2:EfPySj5eEgw9oIS5JeWqud94f2

Score
10/10
blustealerstormkittycollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5617443580:AAFX8iYrXMCASkw95O815OVGuLWLdSgh8Qo/sendMessage?chat_id=5334267822

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\doc 202209200099010100101.exe
    "C:\Users\Admin\AppData\Local\Temp\doc 202209200099010100101.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZKauJhJCKAhpgs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1816
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZKauJhJCKAhpgs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp56F5.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1992
    • C:\Users\Admin\AppData\Local\Temp\doc 202209200099010100101.exe
      "C:\Users\Admin\AppData\Local\Temp\doc 202209200099010100101.exe"
      2⤵
        PID:3044
      • C:\Users\Admin\AppData\Local\Temp\doc 202209200099010100101.exe
        "C:\Users\Admin\AppData\Local\Temp\doc 202209200099010100101.exe"
        2⤵
          PID:4668
        • C:\Users\Admin\AppData\Local\Temp\doc 202209200099010100101.exe
          "C:\Users\Admin\AppData\Local\Temp\doc 202209200099010100101.exe"
          2⤵
            PID:3400
          • C:\Users\Admin\AppData\Local\Temp\doc 202209200099010100101.exe
            "C:\Users\Admin\AppData\Local\Temp\doc 202209200099010100101.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2276
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              3⤵
              • Accesses Microsoft Outlook profiles
              • Checks processor information in registry
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:3156

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp56F5.tmp
          Filesize

          1KB

          MD5

          b292277512bc2fdef3c44a67d973ae02

          SHA1

          346290c65c5e6f3d17c09f00d2a079236c97e66b

          SHA256

          5393dc0ffed8c770551333a60ece158fe1b1ef0a6b0b8622bfd71f8bc5d3c478

          SHA512

          58f6c4835b0633a4a3750536a70ca06ae3cb8544bb19a8e39d988b7d87a49bfa0f601bbbbea1c0315ebe21dda31ff2cac1f5a9b7eb19f92ff19e684abda44554

          Download Submit

        • memory/1064-133-0x0000000005DA0000-0x0000000006344000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1064-134-0x0000000005710000-0x00000000057A2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1064-135-0x0000000005700000-0x000000000570A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1064-136-0x00000000016A0000-0x000000000173C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/1064-137-0x00000000095E0000-0x0000000009646000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1064-132-0x0000000000CB0000-0x0000000000D78000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1816-159-0x0000000070930000-0x000000007097C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1816-163-0x0000000007300000-0x000000000730A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1816-158-0x0000000006550000-0x0000000006582000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1816-167-0x00000000075B0000-0x00000000075B8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1816-166-0x00000000075D0000-0x00000000075EA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1816-165-0x00000000074C0000-0x00000000074CE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1816-145-0x0000000005160000-0x0000000005788000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/1816-140-0x00000000026A0000-0x00000000026D6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1816-164-0x0000000007510000-0x00000000075A6000-memory.dmp

          Filesize

          600KB

          Download

        • memory/1816-152-0x0000000004FC0000-0x0000000004FE2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1816-153-0x0000000005060000-0x00000000050C6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1816-162-0x0000000007290000-0x00000000072AA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1816-161-0x00000000078E0000-0x0000000007F5A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1816-156-0x0000000005E60000-0x0000000005E7E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1816-160-0x0000000006530000-0x000000000654E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2276-157-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

          Download

        • memory/2276-149-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

          Download

        • memory/2276-147-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

          Download

        • memory/3156-155-0x0000000000B70000-0x0000000000B8A000-memory.dmp

          Filesize

          104KB

          Download