Resubmissions

26-10-2022 21:57

221026-1vezdahch3 8

26-10-2022 16:10

221026-tmvxasgbg8 10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2022 16:10

General

  • Target

    7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe

  • Size

    534KB

  • MD5

    059ad08d9e8eef31013b815016bf2c50

  • SHA1

    ec7aca3235e337104cae18b08519445907e33400

  • SHA256

    7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571

  • SHA512

    5f496575852ca180ca92df1aeaa221613259d1666936c37602f5ca605a24b8dc3394cb0323683bfef257f9b71e9235984482482df237afe4cf59ed232a30ff68

  • SSDEEP

    12288:lnC3ziKYs6O6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGH1:ln5KYs6ZlT+lQTD/O3BArRCH1

Malware Config

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe
    "C:\Users\Admin\AppData\Local\Temp\7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Local\Temp\hzxody.exe
      "C:\Users\Admin\AppData\Local\Temp\hzxody.exe" "C:\Users\Admin\AppData\Local\Temp\yglxfybatp.au3"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Users\Admin\AppData\Local\Temp\hzxody.exe
        "C:\Users\Admin\AppData\Local\Temp\hzxody.exe" "C:\Users\Admin\AppData\Local\Temp\yglxfybatp.au3"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2224
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          4⤵
          • Accesses Microsoft Outlook profiles
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:4156

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\avaujwweoog.aqh

    Filesize

    54KB

    MD5

    bb2ac542b5a191a368c06ee55c9f6d5f

    SHA1

    98cfc5b9fba510408f32cfc856b2c297d4c86b37

    SHA256

    45c74d4f072a6c2d06296ff7fb3177043be25299cdb814d1abf2d2347fdd7914

    SHA512

    377f1df11c4a068773766c8e2a070eb6700675f9d0f1529a104cfcfd2f6337f701d9d538b45dd754365f35d9bfd06713130b65509b5eccc7980dc9a382609e9c

  • C:\Users\Admin\AppData\Local\Temp\bambwmgwb.hx

    Filesize

    59KB

    MD5

    7f61d9db546a2d62a163ebe19ce05443

    SHA1

    a35302b959295e2c76c78114b9a02b3a509d16e4

    SHA256

    584cd64ec5db4ff1b00c507f97bbc00802a00ab50dc96e7165f334dd34e2f84c

    SHA512

    bb9f511b5ef8ec52842c095399787a8d7922ac03309ee7ca5f880021ba02f6858b8001fc95edc925ccd6ad7f7fcf8fba2151b3e5424b3e3a41731ac2a76a27d1

  • C:\Users\Admin\AppData\Local\Temp\hzxody.exe

    Filesize

    925KB

    MD5

    0adb9b817f1df7807576c2d7068dd931

    SHA1

    4a1b94a9a5113106f40cd8ea724703734d15f118

    SHA256

    98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

    SHA512

    883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

  • C:\Users\Admin\AppData\Local\Temp\hzxody.exe

    Filesize

    925KB

    MD5

    0adb9b817f1df7807576c2d7068dd931

    SHA1

    4a1b94a9a5113106f40cd8ea724703734d15f118

    SHA256

    98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

    SHA512

    883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

  • C:\Users\Admin\AppData\Local\Temp\hzxody.exe

    Filesize

    925KB

    MD5

    0adb9b817f1df7807576c2d7068dd931

    SHA1

    4a1b94a9a5113106f40cd8ea724703734d15f118

    SHA256

    98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

    SHA512

    883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

  • C:\Users\Admin\AppData\Local\Temp\yglxfybatp.au3

    Filesize

    11KB

    MD5

    0c9abf2f221c9f14ad44b1f8ce8c968d

    SHA1

    81dc41f8bbaaaad9792e6e9a5739e94d979491f5

    SHA256

    837adc8aca44519f0cbdbb7a274da7a7e4b5bd34547ad75256c7da9db87564d3

    SHA512

    398e69d3445fffc00d05d5c0c65e73be0a08490bf5e0c4f2383de886cde0486e70f41b83cd11fbacc0eedb5f3aaf143414c73e3d8f0af1cbec7a4a23547ed902

  • memory/2224-142-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2224-147-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/4156-144-0x0000000000DC0000-0x0000000000DDA000-memory.dmp

    Filesize

    104KB

  • memory/4156-145-0x0000000005350000-0x00000000053B6000-memory.dmp

    Filesize

    408KB

  • memory/4156-146-0x0000000005D10000-0x0000000005DAC000-memory.dmp

    Filesize

    624KB