Analysis
-
max time kernel
394s -
max time network
440s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
05-10-2022 07:24
General
-
Target
Spectrum (Global) Payment Confirmation.exe
-
Size
74KB
-
MD5
67958d190ff46bb281af29ee7b6cef28
-
SHA1
226ca55977aff7838fac8a5fe8c62530f84a1e22
-
SHA256
a7256a89909f64b9dd5bdf1b1b0849c0714c97eeca3749117775fe8c1be05f1a
-
SHA512
76ad2be9eb9168814693c4a8ce392b36f414f6a940d2f11937fe3452c711f107c78a86eb04c210645ef80f9eb0d587888d1d9c9bc3eaa74a1d4e01e6b43056be
-
SSDEEP
384:WVn7l2UC+0HgRqOflaIttttttttttttttttttttttttttttt+Q34NydLAunywWqR:WVn7lj7NaIOXSNW1SAb
Malware Config
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 3 IoCs
-
Async RAT payload 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 16 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 57 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Spectrum (Global) Payment Confirmation.exe"C:\Users\Admin\AppData\Local\Temp\Spectrum (Global) Payment Confirmation.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Spectrum (Global) Payment Confirmation.exe"C:\Users\Admin\AppData\Local\Temp\Spectrum (Global) Payment Confirmation.exe"2⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 21563⤵
- Program crash
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Spectrum (Global) Payment Confirmation.exe"C:\Users\Admin\AppData\Local\Temp\Spectrum (Global) Payment Confirmation.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Spectrum (Global) Payment Confirmation.exe"C:\Users\Admin\AppData\Local\Temp\Spectrum (Global) Payment Confirmation.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Spectrum (Global) Payment Confirmation.exe"C:\Users\Admin\AppData\Local\Temp\Spectrum (Global) Payment Confirmation.exe"2⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 23923⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Spectrum (Global) Payment Confirmation.exe.logFilesize
1KB
MD586d6e792cf292d47353fa2dae047a078
SHA17b12913eae29285e77d737113a8f28316863c332
SHA256f5b31295626e88fd30f12d60d579ef5682961734eebd1bb1ad5d4559426c09bb
SHA5120e91e30e6dfdb96cc91be2ff8c439771f5dde8e5d75565b931c76b96910e2e68aceb9c22f30db02bfe94248e055a951136bc80f5461abe17b3bb232656e06fe8
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD5b42b8394f52b01b93879625688c3d79d
SHA13ed5877ab13e7655482c19e8b7511f8b2bfcdbb3
SHA256b7b0a0ab5e777b74a8d7ec285804091eb3a4c71fcc2c57cddfa8541d05409cdd
SHA51286357e54c29ee9c107b5655d457121f35117565fae4fdd018e56079eb7ca012e4afe0a5d5562bc2996b932b02450ad0fbb7f27047315b524138a0fe08c4f79c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
45KB
MD55f640bd48e2547b4c1a7421f080f815f
SHA1a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a
SHA256916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c
SHA512a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD53b8e4608aacf124ab46681e826958238
SHA1fb0cd5997ca694f4875838fc272f9f9dff253987
SHA256f267bbd7babc77204dde78938d6717ebea661a4089ee6feb6423dd74cdebbb22
SHA512ba3344b8fe2d6f4a6b90510768bf133845fd6c5f9e7039acc9c8c4fdbd6fbe9c6d284f7838587accdd8b630c1ba4743c6b0361b9b694d48f825b0afc33acb346
-
C:\Users\Admin\AppData\Local\Temp\078BFBFF000306D2-Admin.zipFilesize
67KB
MD54219a5d09b8ee20f6f252141dc3f52d1
SHA15b5667af9542597d5a582ece997dcd79ff6630af
SHA256f12d2a2742c293a8da0fe7d355e3a78c67f848fb228bf5a390a31c5293b06adf
SHA512908659253817b456198586227ebe844966f7d4c5e809d577eebb037a60ea0bb767da333fde5a5ef82290172464ef02079faf778cf4a1abc6f08b29cf3d81cbfa
-
C:\Users\Admin\AppData\Local\Temp\places.rawFilesize
5.0MB
MD50bbe1990240f44d9bf805d62eab40a45
SHA1c96a4ee5b9e16d58b7f801e733f027c892eb65fe
SHA256fb093c7bec5decbff83301b1088bb3cc16232e03d50fcc025af169634ac22ea1
SHA512629c5f41bf44bb8ee012ef6f17df17b23ca6c7ae242b680f7add258a2299b353bbb896dd43e46007234a9250677280b71687541e8fc03e681993a0fee6792b2d
-
C:\Users\Admin\AppData\Local\acc589071e8e0a03231dd76fd3846b60\msgid.datFilesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
memory/384-373-0x0000000000000000-mapping.dmp
-
memory/648-977-0x0000000007E80000-0x0000000007ECB000-memory.dmpFilesize
300KB
-
memory/648-913-0x0000000000000000-mapping.dmp
-
memory/748-382-0x0000000000000000-mapping.dmp
-
memory/1020-1302-0x0000000000000000-mapping.dmp
-
memory/1248-901-0x00000000065F0000-0x0000000006940000-memory.dmpFilesize
3.3MB
-
memory/1448-1004-0x0000000000424EDE-mapping.dmp
-
memory/1872-311-0x0000000000424EDE-mapping.dmp
-
memory/1872-795-0x0000000005D10000-0x0000000005D22000-memory.dmpFilesize
72KB
-
memory/1872-794-0x0000000005C70000-0x0000000005C7A000-memory.dmpFilesize
40KB
-
memory/1872-345-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2132-147-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-183-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-140-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-141-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-142-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-143-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-144-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-145-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-146-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-120-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-148-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-149-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-150-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-151-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-152-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-153-0x0000000000B90000-0x0000000000BA8000-memory.dmpFilesize
96KB
-
memory/2132-154-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-155-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-156-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-157-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-158-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-159-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-160-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-161-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-162-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-163-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-164-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-165-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-166-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-167-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-168-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-169-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-170-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-171-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-172-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-173-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-174-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-175-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-176-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-177-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-178-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-179-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-180-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-181-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-182-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-139-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-184-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-198-0x0000000006320000-0x00000000063D6000-memory.dmpFilesize
728KB
-
memory/2132-199-0x00000000064A0000-0x0000000006532000-memory.dmpFilesize
584KB
-
memory/2132-200-0x0000000006580000-0x00000000065A2000-memory.dmpFilesize
136KB
-
memory/2132-202-0x00000000065C0000-0x0000000006910000-memory.dmpFilesize
3.3MB
-
memory/2132-121-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-122-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-123-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-124-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-125-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-126-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-127-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-128-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-130-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-131-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-307-0x0000000005570000-0x0000000005602000-memory.dmpFilesize
584KB
-
memory/2132-308-0x00000000074D0000-0x00000000079CE000-memory.dmpFilesize
5.0MB
-
memory/2132-138-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-137-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-136-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-135-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-133-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-129-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-132-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2132-134-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2172-407-0x0000000000000000-mapping.dmp
-
memory/2912-1106-0x0000000000000000-mapping.dmp
-
memory/3604-295-0x0000000008C70000-0x0000000008C8A000-memory.dmpFilesize
104KB
-
memory/3604-274-0x0000000006ED0000-0x0000000006F36000-memory.dmpFilesize
408KB
-
memory/3604-214-0x0000000000000000-mapping.dmp
-
memory/3604-250-0x0000000000B20000-0x0000000000B56000-memory.dmpFilesize
216KB
-
memory/3604-294-0x0000000009550000-0x0000000009BC8000-memory.dmpFilesize
6.5MB
-
memory/3604-283-0x0000000007DB0000-0x0000000007E26000-memory.dmpFilesize
472KB
-
memory/3604-279-0x0000000008070000-0x00000000080BB000-memory.dmpFilesize
300KB
-
memory/3604-278-0x0000000006FB0000-0x0000000006FCC000-memory.dmpFilesize
112KB
-
memory/3604-275-0x0000000006F40000-0x0000000006FA6000-memory.dmpFilesize
408KB
-
memory/3604-255-0x0000000006FE0000-0x0000000007608000-memory.dmpFilesize
6.2MB
-
memory/3612-1083-0x0000000000000000-mapping.dmp
-
memory/3760-608-0x0000000000000000-mapping.dmp
-
memory/4340-1296-0x0000000000000000-mapping.dmp
-
memory/4508-602-0x0000000000000000-mapping.dmp
-
memory/4512-616-0x0000000000000000-mapping.dmp
-
memory/4688-1310-0x0000000000000000-mapping.dmp
-
memory/4828-1068-0x0000000000000000-mapping.dmp
-
memory/4872-1104-0x0000000000000000-mapping.dmp
-
memory/4944-403-0x0000000000000000-mapping.dmp