Resubmissions

26-10-2022 21:57  221026-1t8v3ahcg6  (score 10)

26-10-2022 07:27  221026-h94beafac7  (score 10)

Analysis

  • max time kernel
    302s
  • max time network
    273s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64  arch:x86  image:win10v2004-20220812-en  locale:en-us  os:windows10-2004-x64  system
  • submitted
    26-10-2022 21:57

General

  • Target

    SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe

  • Size

    666KB

  • MD5

    21f93cfd5719b49dc5567768d441e190

  • SHA1

    46af249ebd3f721b92fa350cf946f16752f208ec

  • SHA256

    8c631258f16b062dbbc3c6de1c5d27b727e5c7375fdff993a252fdc98814376a

  • SHA512

    106151c33f7162c44109d04b5fc6c70f62c4975e3e0e2834d0d272ecb7a9fc9ba7a071a682014e964554c1c2715ba8a77d828852d765ab7195ecf1a47cbad541

  • SSDEEP

    12288:8aJcmptCO6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGHb:8aGOCZlT+lQTD/O3BArRCHb

Malware Config

Signatures

  • BluStealer

    A modular information stealer written in Visual Basic.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox rule text flags this as likely ransomware behaviour, but drive enumeration is also routine for information stealers looking for files to harvest; read it together with the stealer detections above rather than on its own.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
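The "UPX packed file" signature above is a static check on the PE section table. As an added example (not the sandbox's own rule, and not code from this sample), the following Python parses the section headers of a PE image and reports two indicators: the stock UPX section names, and the layout stock UPX leaves behind even when a modified build renames the sections (an empty first section with a large virtual size, followed by a writable and executable packed section). The `build_fake_pe` helper and its section values are constructed test data, not a real binary.

```python
import struct

# Section names used by stock UPX; "modified UPX" builds often rename these,
# so the layout heuristic in upx_indicators() is checked as well.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER is 40 bytes: Name(8) VirtualSize VirtualAddress SizeOfRawData
# PointerToRawData PointerToRelocations PointerToLinenumbers NumberOfRelocations(2)
# NumberOfLinenumbers(2) Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def parse_sections(data: bytes):
    """Return [(name, virtual_size, raw_size, characteristics), ...] from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF file header follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table follows the optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    off = e_lfanew + 24 + size_opt
    out = []
    for _ in range(num_sections):
        name, vsize, _va, rawsize, _praw, _prel, _plin, _nrel, _nlin, chars = \
            SECTION_HEADER.unpack_from(data, off)
        out.append((name.rstrip(b"\0").decode("latin-1"), vsize, rawsize, chars))
        off += SECTION_HEADER.size
    return out


def upx_indicators(sections):
    """Return the list of reasons the section table looks UPX-packed (empty if none)."""
    reasons = []
    if any(s[0] in UPX_SECTION_NAMES for s in sections):
        reasons.append("upx_section_names")
    # Stock UPX layout: first section has no raw data but a large virtual size (the
    # unpack destination), followed by a writable+executable packed section.
    if len(sections) >= 2:
        first, second = sections[0], sections[1]
        rwx = (second[3] & IMAGE_SCN_MEM_EXECUTE) and (second[3] & IMAGE_SCN_MEM_WRITE)
        if first[2] == 0 and first[1] > 0 and rwx:
            reasons.append("empty_first_section_then_rwx")
    return reasons


def build_fake_pe(sections, size_of_optional=0xF0):
    """Constructed test data: a minimal PE-shaped blob with the given section table."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_of_optional, 0x22)
    table = b"".join(
        SECTION_HEADER.pack(name.ljust(8, b"\0")[:8], vsize, 0x1000, rawsize, 0x400,
                            0, 0, 0, 0, chars)
        for name, vsize, rawsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(size_of_optional) + table


# Constructed samples: stock UPX, a renamed-section "modified UPX", and a plain build.
STOCK_UPX = build_fake_pe([(b"UPX0", 0x20000, 0, 0xE0000080),
                           (b"UPX1", 0x8000, 0x7A00, 0xE0000040),
                           (b".rsrc", 0x1000, 0x400, 0xC0000040)])
RENAMED_UPX = build_fake_pe([(b".text", 0x20000, 0, 0xE0000080),
                             (b".data", 0x8000, 0x7A00, 0xE0000040)])
PLAIN = build_fake_pe([(b".text", 0x1000, 0x1000, 0x60000020),
                       (b".data", 0x800, 0x800, 0xC0000040)])


def scan_file(path):
    """Convenience wrapper for a real file on disk."""
    with open(path, "rb") as fh:
        return upx_indicators(parse_sections(fh.read()))


if __name__ == "__main__":
    for label, blob in (("stock", STOCK_UPX), ("renamed", RENAMED_UPX), ("plain", PLAIN)):
        print(label, upx_indicators(parse_sections(blob)))
```

Treat a hit as a reason to unpack before static triage, not as a verdict: legitimate software ships UPX-packed too, and a packer that also scrambles the section layout will defeat the second heuristic.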

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe
      "C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe" "C:\Users\Admin\AppData\Local\Temp\vsmkiov.au3"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe
        "C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe" "C:\Users\Admin\AppData\Local\Temp\vsmkiov.au3"
        3⤵
        • Executes dropped EXE
        PID:1084
      • C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe
        "C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe" "C:\Users\Admin\AppData\Local\Temp\vsmkiov.au3"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2164
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          4⤵
          • Accesses Microsoft Outlook profiles
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:688
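The process tree above shows the three stages a detection should key on: a dropped executable in %TEMP% launched with a .au3 script as its argument (the AutoIt interpreter-plus-script pattern), that process re-spawning itself with an identical command line, and finally AppLaunch.exe started with no arguments by the %TEMP% binary that also called SetThreadContext and WriteProcessMemory, which is the shape of process hollowing. As an added example (not the sandbox's own logic), the Python below encodes those three rules and runs them over a constructed event list modelled on the PIDs, paths and API attributions shown in the tree; the benign explorer.exe and AppLaunch.exe entries, the list of hollowing hosts and the argument `/foo` are assumptions added for the negative case.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    apis: set = field(default_factory=set)  # API names the sandbox attributed to this PID


# .NET framework binaries commonly chosen as hollowing hosts (assumed list).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
AU3_ARG_RE = re.compile(r'\.au3"?\s*$', re.I)


def _args_after_image(p):
    """Strip the (possibly quoted) image path from the command line, leaving the arguments."""
    cl = p.cmdline.strip()
    for prefix in (f'"{p.image}"', p.image):
        if cl.lower().startswith(prefix.lower()):
            return cl[len(prefix):].strip()
    return cl


def detect(procs):
    """Return [(pid, rule_name), ...] for every process that matches a rule."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        base = p.image.rsplit("\\", 1)[-1].lower()
        # Rule 1: executable in %TEMP% given an AutoIt script as its argument.
        if TEMP_DIR_RE.search(p.image) and AU3_ARG_RE.search(p.cmdline):
            findings.append((p.pid, "autoit_script_host_from_temp"))
        # Rule 2: a process spawning a copy of itself with the identical command line.
        if parent and parent.image.lower() == p.image.lower() and parent.cmdline == p.cmdline:
            findings.append((p.pid, "self_spawn_same_cmdline"))
        # Rule 3: known hollowing host started with no arguments by a non-Windows
        # parent that also performed SetThreadContext + WriteProcessMemory.
        if (parent and base in HOLLOW_HOSTS and _args_after_image(p) == ""
                and not parent.image.lower().startswith("c:\\windows\\")
                and {"SetThreadContext", "WriteProcessMemory"} <= parent.apis):
            findings.append((p.pid, f"hollowing_into_{base}"))
    return findings


# Constructed sample modelled on the tree above (PIDs, paths and API attributions as shown).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = f"{TEMP}\\SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe"
AU3_CMD = f'"{TEMP}\\ifsocnkfon.exe" "{TEMP}\\vsmkiov.au3"'
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
SAMPLE_PROCS = [
    Proc(1, 0, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),  # assumed parent
    Proc(4280, 1, DROPPER, f'"{DROPPER}"', {"WriteProcessMemory"}),
    Proc(3972, 4280, f"{TEMP}\\ifsocnkfon.exe", AU3_CMD,
         {"SetThreadContext", "MapViewOfSection", "WriteProcessMemory"}),
    Proc(1084, 3972, f"{TEMP}\\ifsocnkfon.exe", AU3_CMD),
    Proc(2164, 3972, f"{TEMP}\\ifsocnkfon.exe", AU3_CMD,
         {"SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"}),
    Proc(688, 2164, APPLAUNCH, APPLAUNCH, {"AdjustPrivilegeToken"}),
    # Benign control (constructed): AppLaunch.exe with arguments, launched from Windows.
    Proc(5000, 1, APPLAUNCH, f'"{APPLAUNCH}" /foo'),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_PROCS):
        print(pid, rule)
```

Rule 3 is the one worth alerting on alone; rules 1 and 2 are noisy by themselves (legitimate AutoIt tooling and self-restarting installers both trigger them) and are better used to raise the score of a rule 3 hit or to pick the parent whose memory to dump.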

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe

    Filesize

    925KB

    MD5

    0adb9b817f1df7807576c2d7068dd931

    SHA1

    4a1b94a9a5113106f40cd8ea724703734d15f118

    SHA256

    98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

    SHA512

    883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

  • C:\Users\Admin\AppData\Local\Temp\tkqkwwdb.r

    Filesize

    56KB

    MD5

    0ebbcdf3b97dc0a0c788e0f3a934fdc5

    SHA1

    ba84ed9a04d433737146020c8b59ca451287a561

    SHA256

    cc62c9b350d15702a02fd6916dd76846396de5099bb3e47bdcac4c458fe06f1c

    SHA512

    d43e51b2fd9bce20f411af4b5f5082e00bfa6749dd9f1d23521991c89a19e26a41f2e3f6578ebebd212c6b5910182365c4cc417fb28bf4939f2328edc534cf5d

  • C:\Users\Admin\AppData\Local\Temp\vsmkiov.au3

    Filesize

    11KB

    MD5

    3a3ac6b07e5d42bfdda8b6a61af5d2d8

    SHA1

    50feb992facb90163f334923197df685ac89da79

    SHA256

    dae9ea488eeddea5f546ccd0d657200337ab92cd9c57b36e800fffe8d80c5100

    SHA512

    a0da0517edb7743cdd049dca619ef0ed46c62a76899f0ddccb054d4601440720d5907c033a628e2cb745b270d224104cbf911ba69345adbfe34a9302423bbad8

  • C:\Users\Admin\AppData\Local\Temp\ydvtsmv.s

    Filesize

    60KB

    MD5

    6abe1f3920f151258764a11b4bb5c683

    SHA1

    09d492d4dae91b5b102e2d8c16e4739e024af75a

    SHA256

    cb7b872863205d28f4900c8a1478cd350c6d5ffa5b6d09594ee70c35b450164b

    SHA512

    a4b2d35e36c7a1acf9ab6fa5c43dcd3fd1e732d5a09c075e2a5907f7538de09b80b4b8876692df027232490946fcb13464375e3a5666c58c0c63d637606abb93

  • memory/688-146-0x0000000001310000-0x000000000132A000-memory.dmp

    Filesize

    104KB

  • memory/688-147-0x0000000005880000-0x00000000058E6000-memory.dmp

    Filesize

    408KB

  • memory/688-149-0x0000000006260000-0x00000000062FC000-memory.dmp

    Filesize

    624KB

  • memory/2164-144-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2164-148-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB