Analysis
- max time kernel: 302s
- max time network: 273s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-10-2022 21:57

Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe
- Resource: win10v2004-20220812-en

The signatures, process tree and memory-dump matches on this page come from the Windows 10 run (behavioral2, platform windows10-2004_x64); nothing from the Windows 7 run (behavioral1) is shown here.
General
- Target: SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe
- Size: 666KB
- MD5: 21f93cfd5719b49dc5567768d441e190
- SHA1: 46af249ebd3f721b92fa350cf946f16752f208ec
- SHA256: 8c631258f16b062dbbc3c6de1c5d27b727e5c7375fdff993a252fdc98814376a
- SHA512: 106151c33f7162c44109d04b5fc6c70f62c4975e3e0e2834d0d272ecb7a9fc9ba7a071a682014e964554c1c2715ba8a77d828852d765ab7195ecf1a47cbad541
- SSDEEP: 12288:8aJcmptCO6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGHb:8aGOCZlT+lQTD/O3BArRCHb
Malware Config
Signatures

- BluStealer: a modular information stealer written in Visual Basic. No IoC is listed for this family on this page.
- StormKitty: an open source info stealer written in C#. Its yara rule matched in process memory (see "StormKitty payload" below).
-
StormKitty payload (1 IoC)
- resource: behavioral2/memory/688-146-0x0000000001310000-0x000000000132A000-memory.dmp
- yara_rule: family_stormkitty

The only match listed is in a memory dump of PID 688 (AppLaunch.exe), not in any of the dropped files: the unpacked stealer exists only inside the injected .NET host process, so scanning the files in the Downloads section alone will not identify the family.
Executes dropped EXE (3 IoCs)
- PID 3972: ifsocnkfon.exe
- PID 1084: ifsocnkfon.exe
- PID 2164: ifsocnkfon.exe

Memory regions matching yara rule upx (2 IoCs)
- resource: behavioral2/memory/2164-144-0x0000000000400000-0x0000000000428000-memory.dmp, yara_rule: upx
- resource: behavioral2/memory/2164-148-0x0000000000400000-0x0000000000428000-memory.dmp, yara_rule: upx

Both dumps cover the 0x400000-0x428000 region of PID 2164, the ifsocnkfon.exe instance that later writes into AppLaunch.exe; the UPX rule firing there means the image in that process carries UPX packer markers.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)

The 9375CFF0413111d3B88A00104B2A6676 subkey holds Outlook's per-account settings (mail server, user name and the stored, obfuscated password), which is why stealers read it. The three paths cover Office 2016/365 (16.0), Office 2013 (15.0) and the older Windows Messaging Subsystem location. All three reads are attributed to the injected AppLaunch.exe (PID 688), not to the dropped executables.
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhbbq = "C:\\Users\\Admin\\AppData\\Roaming\\eayaxcqkdieui\\agvsyjciptyuwl.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ifsocnkfon.exe\" \"C:\\Users\\Admin" (ifsocnkfon.exe)

The persisted launcher is agvsyjciptyuwl.exe under AppData\Roaming, and it is handed the Temp-directory executable ifsocnkfon.exe as its first argument. The value as recorded ends in an unterminated quote, so the report has truncated it; do not treat the visible string as the complete command line. The value name (nhbbq) and the directory and file names are random letter strings, so a detection should key on an HKCU Run value whose launcher sits under AppData and whose arguments name an executable in Temp, not on the names themselves.
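The check just described, as an added example that is not part of the sandbox report: a Python helper that splits the recorded Run value with the CommandLineToArgvW quoting rules (tolerating the truncated trailing quote) and applies the path-based heuristics. The Run value is copied from this report with the report's JSON-style escaping removed; the function names, the RunKeyFinding type and the heuristic list are assumptions of this example, not anything the sandbox provides.

```python
"""Triage an HKCU Run value the way the report's IoC line suggests.

Added example; not part of the sandbox report. RUN_VALUE is copied from
the report (JSON escaping removed, still truncated as recorded); the
function names and heuristics are this example's own choices.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Copied from the report's "Adds Run key" IoC; the trailing "C:\Users\Admin is truncated there.
RUN_VALUE_NAME = "nhbbq"
RUN_VALUE = (
    r'C:\Users\Admin\AppData\Roaming\eayaxcqkdieui\agvsyjciptyuwl.exe '
    r'"C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe" "C:\Users\Admin'
)


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Split a command line with the CommandLineToArgvW rules.

    2n backslashes + quote   -> n backslashes, quote toggles quoting
    2n+1 backslashes + quote -> n backslashes, literal quote
    backslashes not followed by a quote are literal.
    The special-casing of argv[0] is not modelled. An unterminated quote
    (as in the truncated report value) ends the last argument instead of
    being an error.
    """
    args: list[str] = []
    cur: list[str] = []
    in_quotes = have_token = False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:            # odd run: escaped literal quote
                    cur.append('"')
                else:                    # even run: the quote is a delimiter
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * count)  # backslashes not before a quote are literal
                i = j
            have_token = True
        elif c == '"':
            in_quotes = not in_quotes
            have_token = True
            i += 1
        elif c in " \t" and not in_quotes:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
            i += 1
        else:
            cur.append(c)
            have_token = True
            i += 1
    if have_token:
        args.append("".join(cur))
    return args


@dataclass
class RunKeyFinding:
    value_name: str
    launcher: str
    arguments: list[str]
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_run_value(value_name: str, value_data: str) -> RunKeyFinding:
    """Apply path-based heuristics to one Run value; random names are deliberately ignored."""
    args = split_windows_cmdline(value_data)
    launcher, rest = (args[0], args[1:]) if args else ("", [])
    finding = RunKeyFinding(value_name, launcher, rest)
    if re.search(r"\\AppData\\(Roaming|Local)\\", launcher, re.I):
        finding.reasons.append("launcher lives under the user's AppData, not Program Files")
    for arg in rest:
        if re.search(r"\\Temp\\[^\\]+\.exe$", arg, re.I):
            finding.reasons.append(f"argument is an executable in a Temp directory: {arg}")
    exe_args = [a for a in rest if a.lower().endswith(".exe")]
    if exe_args and PureWindowsPath(launcher).name.lower() != PureWindowsPath(exe_args[0]).name.lower():
        finding.reasons.append("launcher name differs from the executable passed as its argument")
    if value_data.count('"') % 2:
        finding.reasons.append("unbalanced quote: value is truncated in the report or malformed")
    return finding


if __name__ == "__main__":
    f = triage_run_value(RUN_VALUE_NAME, RUN_VALUE)
    print(f"{f.value_name}: launcher={f.launcher}")
    for r in f.reasons:
        print("  -", r)
```

Running it against the report's value yields four reasons (AppData launcher, Temp executable as argument, launcher name differing from the executable it is handed, and the unbalanced quote); a typical legitimate Run value such as OneDrive's produces none.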
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 14: icanhazip.com
Suspicious use of SetThreadContext (2 IoCs)
- PID 3972 (ifsocnkfon.exe) set thread context of PID 2164 (procid_target 82)
- PID 2164 (ifsocnkfon.exe) set thread context of PID 688 (procid_target 83)

Each of these follows a run of WriteProcessMemory calls from the same parent into the same child (see "Suspicious use of WriteProcessMemory" below). Write-then-set-context is the classic process-hollowing sequence, and here it is applied twice in a row: first to a second copy of the dropped executable (PID 2164) and then to AppLaunch.exe (PID 688).
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description adds "likely ransomware behaviour", but no file encryption or mass file modification is listed for this run and the families identified are information stealers, for which drive enumeration is the usual prelude to collecting files from fixed and removable media.
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (AppLaunch.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (AppLaunch.exe)

The value read is Identifier (the CPU family/model string) and the read comes from the injected AppLaunch.exe. Legitimate software reads the same value for hardware fingerprinting, so on its own this is a weak indicator; its weight here comes from the process doing it.
Suspicious behavior: MapViewOfSection (2 IoCs)
- PID 3972: ifsocnkfon.exe
- PID 3972: ifsocnkfon.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 688 (AppLaunch.exe)

A bare AppLaunch.exe has no reason to enable SeDebugPrivilege; the request comes from the code injected into it.

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 3972: ifsocnkfon.exe
- PID 3972: ifsocnkfon.exe

Suspicious use of SendNotifyMessage (2 IoCs)
- PID 3972: ifsocnkfon.exe
- PID 3972: ifsocnkfon.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2164: ifsocnkfon.exe

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 4280 (SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe) wrote to memory of PID 3972, 3 times (procid_target 80)
- PID 3972 (ifsocnkfon.exe) wrote to memory of PID 1084, 3 times (procid_target 81)
- PID 3972 (ifsocnkfon.exe) wrote to memory of PID 2164, 4 times (procid_target 82)
- PID 2164 (ifsocnkfon.exe) wrote to memory of PID 688, 5 times (procid_target 83)

Only the last two edges are paired with a SetThreadContext call. The writes from 4280 into 3972 and from 3972 into 1084 have no context change recorded and are consistent with ordinary process creation by the parent.

outlook_office_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)

outlook_win_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)

outlook_office_path and outlook_win_path are the underlying rule names behind the "Accesses Microsoft Outlook profiles" signature above and repeat two of its three keys.
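The two SetThreadContext events and the fifteen WriteProcessMemory events in this section describe a single chain. As an added example that is not part of the report, the Python below parses those event lines in the form the sandbox prints them, summarises them per parent/child edge, and treats an edge with both memory writes and a SetThreadContext as the process-hollowing signal (create suspended, write image, set thread context, resume). An edge with writes only, which is what a parent launching a child looks like in these logs, is left alone. The event lines and image names are copied from this report; the parser, the heuristic and the function names are assumptions of the example.

```python
"""Reconstruct the injection chain from the report's API event lines.

Added example; not part of the sandbox report. EVENT_LOG and IMAGE are
copied from the report's tables; the parser, the edge heuristic and the
function names are this example's own choices.
"""
import re
from collections import Counter, defaultdict

# One line per API call, in the exact form the report prints them.
EVENT_LOG = """
PID 3972 set thread context of 2164 3972 ifsocnkfon.exe 82
PID 2164 set thread context of 688 2164 ifsocnkfon.exe 83
PID 4280 wrote to memory of 3972 4280 SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe 80
PID 4280 wrote to memory of 3972 4280 SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe 80
PID 4280 wrote to memory of 3972 4280 SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe 80
PID 3972 wrote to memory of 1084 3972 ifsocnkfon.exe 81
PID 3972 wrote to memory of 1084 3972 ifsocnkfon.exe 81
PID 3972 wrote to memory of 1084 3972 ifsocnkfon.exe 81
PID 3972 wrote to memory of 2164 3972 ifsocnkfon.exe 82
PID 3972 wrote to memory of 2164 3972 ifsocnkfon.exe 82
PID 3972 wrote to memory of 2164 3972 ifsocnkfon.exe 82
PID 3972 wrote to memory of 2164 3972 ifsocnkfon.exe 82
PID 2164 wrote to memory of 688 2164 ifsocnkfon.exe 83
PID 2164 wrote to memory of 688 2164 ifsocnkfon.exe 83
PID 2164 wrote to memory of 688 2164 ifsocnkfon.exe 83
PID 2164 wrote to memory of 688 2164 ifsocnkfon.exe 83
PID 2164 wrote to memory of 688 2164 ifsocnkfon.exe 83
"""

# Image names from the report's process tree.
IMAGE = {
    4280: "SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe",
    3972: "ifsocnkfon.exe",
    1084: "ifsocnkfon.exe",
    2164: "ifsocnkfon.exe",
    688: "AppLaunch.exe",
}

# "PID <src> <verb> <dst> <src again> <image of src> <procid_target>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)"
)
KIND = {"wrote to memory of": "write", "set thread context of": "ctx"}

Event = tuple[int, str, int]  # (source pid, kind, target pid)


def parse_events(log: str) -> list[Event]:
    events: list[Event] = []
    for line in log.strip().splitlines():
        m = EVENT_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unrecognised event line: {line!r}")
        events.append((int(m["src"]), KIND[m["kind"]], int(m["dst"])))
    return events


def edge_summary(events: list[Event]) -> dict[tuple[int, int], Counter]:
    """Count writes and thread-context changes per (parent, child) edge."""
    edges: dict[tuple[int, int], Counter] = defaultdict(Counter)
    for src, kind, dst in events:
        edges[(src, dst)][kind] += 1
    return dict(edges)


def classify_edges(events: list[Event]) -> dict[tuple[int, int], str]:
    """'hollowing': the parent both wrote into the child and set its thread context.
    'write-only': writes with no context change, which is what plain process
    creation looks like in these logs."""
    return {
        edge: "hollowing" if counts["write"] and counts["ctx"] else "write-only"
        for edge, counts in edge_summary(events).items()
    }


def injection_chain(events: list[Event], start: int) -> list[int]:
    """Follow hollowing edges from `start`; the last pid is the process that
    ends up running the injected payload."""
    verdict = classify_edges(events)
    chain = [start]
    while True:
        targets = [dst for (src, dst), v in verdict.items() if src == chain[-1] and v == "hollowing"]
        if not targets or targets[0] in chain:  # stop at a leaf or on a cycle
            return chain
        chain.append(targets[0])


def describe(events: list[Event], image: dict[int, str]) -> list[str]:
    verdict = classify_edges(events)
    return [
        f"{src} {image.get(src, '?')} -> {dst} {image.get(dst, '?')}: "
        f"{c['write']} writes, {c['ctx']} SetThreadContext -> {verdict[(src, dst)]}"
        for (src, dst), c in sorted(edge_summary(events).items())
    ]


if __name__ == "__main__":
    evs = parse_events(EVENT_LOG)
    print("\n".join(describe(evs, IMAGE)))
    chain = injection_chain(evs, 3972)
    print("hollowing chain:", " -> ".join(f"{p} ({IMAGE[p]})" for p in chain))
```

For this report the script classifies 4280->3972 and 3972->1084 as write-only and 3972->2164 and 2164->688 as hollowing, giving the chain 3972 -> 2164 -> 688 and AppLaunch.exe as the process left running the payload, which matches where the family_stormkitty yara rule fired.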
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe (PID 4280)
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.275982.17204.7010.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe (PID 3972)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe" "C:\Users\Admin\AppData\Local\Temp\vsmkiov.au3"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe (PID 1084)
         Command line: "C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe" "C:\Users\Admin\AppData\Local\Temp\vsmkiov.au3"
         - Executes dropped EXE

      3. C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe (PID 2164)
         Command line: "C:\Users\Admin\AppData\Local\Temp\ifsocnkfon.exe" "C:\Users\Admin\AppData\Local\Temp\vsmkiov.au3"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 688)
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            - Accesses Microsoft Outlook profiles
            - Checks processor information in registry
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path

Reading the tree: the submitted sample drops ifsocnkfon.exe and vsmkiov.au3 into Temp and runs the executable with the .au3 file as its only argument. The .au3 extension is the AutoIt script format, so this is the layout of a renamed AutoIt interpreter plus script; the page does not name AutoIt itself, so treat that as an inference from the file extension. The instance with PID 3972 relaunches the same executable twice (PIDs 1084 and 2164) and both writes into and sets the thread context of 2164; 2164 then does the same to AppLaunch.exe (PID 688), the Microsoft-signed .NET Framework host from the 32-bit Framework directory, started with no arguments. The Outlook profile reads, the CPU Identifier check and the SeDebugPrivilege request are all attributed to PID 688, and the StormKitty yara match is in its memory, so AppLaunch.exe is the process actually running the stealer.
Downloads

- Filesize: 925KB
  MD5: 0adb9b817f1df7807576c2d7068dd931
  SHA1: 4a1b94a9a5113106f40cd8ea724703734d15f118
  SHA256: 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
  SHA512: 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a
- Filesize: 56KB
  MD5: 0ebbcdf3b97dc0a0c788e0f3a934fdc5
  SHA1: ba84ed9a04d433737146020c8b59ca451287a561
  SHA256: cc62c9b350d15702a02fd6916dd76846396de5099bb3e47bdcac4c458fe06f1c
  SHA512: d43e51b2fd9bce20f411af4b5f5082e00bfa6749dd9f1d23521991c89a19e26a41f2e3f6578ebebd212c6b5910182365c4cc417fb28bf4939f2328edc534cf5d

- Filesize: 11KB
  MD5: 3a3ac6b07e5d42bfdda8b6a61af5d2d8
  SHA1: 50feb992facb90163f334923197df685ac89da79
  SHA256: dae9ea488eeddea5f546ccd0d657200337ab92cd9c57b36e800fffe8d80c5100
  SHA512: a0da0517edb7743cdd049dca619ef0ed46c62a76899f0ddccb054d4601440720d5907c033a628e2cb745b270d224104cbf911ba69345adbfe34a9302423bbad8

- Filesize: 60KB
  MD5: 6abe1f3920f151258764a11b4bb5c683
  SHA1: 09d492d4dae91b5b102e2d8c16e4739e024af75a
  SHA256: cb7b872863205d28f4900c8a1478cd350c6d5ffa5b6d09594ee70c35b450164b
  SHA512: a4b2d35e36c7a1acf9ab6fa5c43dcd3fd1e732d5a09c075e2a5907f7538de09b80b4b8876692df027232490946fcb13464375e3a5666c58c0c63d637606abb93