Analysis
-
max time kernel
150s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
19-10-2022 09:01
Static task
static1
Behavioral task
behavioral1
Sample
COTIZAR_.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
COTIZAR_.exe
Resource
win10v2004-20220901-en
General
-
Target
COTIZAR_.exe
-
Size
19KB
-
MD5
496c17c3ffba9e26c620d7bf6f14ecbf
-
SHA1
c16449a9b28e207148cc5d6a4a1c28cafb8273ee
-
SHA256
54aea79392cacfa0125aec072799e235bb3d18f6c45aeba807099fd0b6be873f
-
SHA512
2840e98115db24f21e04e7e020317bf5daa7fbe0836f2752ff41fdfdd9d7c55d41c869874fa0d2fe5de4b734cc173498d80a9dab3b99a69455874811a093c55f
-
SSDEEP
384:iyPIfwSaB6m71+Tes8ZpHzGovUJAYkr5kYZFP:iygfwTcesiRPPrk+FP
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/2480-146-0x0000000000C00000-0x0000000000C1A000-memory.dmp family_stormkitty -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 2636 HGTRFFDDFNOP.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation COTIZAR_.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 12 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2636 set thread context of 1072 2636 HGTRFFDDFNOP.exe 87 PID 1072 set thread context of 2480 1072 Regsvcs.exe 88 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2636 HGTRFFDDFNOP.exe 2636 HGTRFFDDFNOP.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1388 COTIZAR_.exe Token: SeDebugPrivilege 2636 HGTRFFDDFNOP.exe Token: SeDebugPrivilege 2480 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1072 Regsvcs.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 1388 wrote to memory of 2636 1388 COTIZAR_.exe 84 PID 1388 wrote to memory of 2636 1388 COTIZAR_.exe 84 PID 1388 wrote to memory of 2636 1388 COTIZAR_.exe 84 PID 2636 wrote to memory of 1292 2636 HGTRFFDDFNOP.exe 86 PID 2636 wrote to memory of 1292 2636 HGTRFFDDFNOP.exe 86 PID 2636 wrote to memory of 1292 2636 HGTRFFDDFNOP.exe 86 PID 2636 wrote to memory of 1072 2636 HGTRFFDDFNOP.exe 87 PID 2636 wrote to memory of 1072 2636 HGTRFFDDFNOP.exe 87 PID 2636 wrote to memory of 1072 2636 HGTRFFDDFNOP.exe 87 PID 2636 wrote to memory of 1072 2636 HGTRFFDDFNOP.exe 87 PID 2636 wrote to memory of 1072 2636 HGTRFFDDFNOP.exe 87 PID 2636 wrote to memory of 1072 2636 HGTRFFDDFNOP.exe 87 PID 2636 wrote to memory of 1072 2636 HGTRFFDDFNOP.exe 87 PID 2636 wrote to memory of 1072 2636 HGTRFFDDFNOP.exe 87 PID 1072 wrote to memory of 2480 1072 Regsvcs.exe 88 PID 1072 wrote to memory of 2480 1072 Regsvcs.exe 88 PID 1072 wrote to memory of 2480 1072 Regsvcs.exe 88 PID 1072 wrote to memory of 2480 1072 Regsvcs.exe 88 PID 1072 wrote to memory of 2480 1072 Regsvcs.exe 88 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\COTIZAR_.exe"C:\Users\Admin\AppData\Local\Temp\COTIZAR_.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\ProgramData\HGTRFFDDFNOP.exe"C:\ProgramData\HGTRFFDDFNOP.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"3⤵PID:1292
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe4⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2480
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
139KB
MD56011926471a8578b303f3a3a9706b388
SHA13ac4b05207201b7c244dc5f4698f4836cdfa0e17
SHA256c56f98685ca1e175f3ba33af2bdfa28d9759b68f0c14cecfd86bae6ff4272c48
SHA512ce8b05879401d7fdd53969096460fe14b00d0cf09ec8fff3ccbb195c3007974cf5db584c5b20a2fdfe7825d8f939cd8546f05151e01d00bd39b090b997622b42
-
Filesize
139KB
MD56011926471a8578b303f3a3a9706b388
SHA13ac4b05207201b7c244dc5f4698f4836cdfa0e17
SHA256c56f98685ca1e175f3ba33af2bdfa28d9759b68f0c14cecfd86bae6ff4272c48
SHA512ce8b05879401d7fdd53969096460fe14b00d0cf09ec8fff3ccbb195c3007974cf5db584c5b20a2fdfe7825d8f939cd8546f05151e01d00bd39b090b997622b42