Analysis
max time kernel: 150s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2022 16:10
Static task: static1
Behavioral task: behavioral1
  Sample: 7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe
  Resource: win10v2004-20220812-en
(The signatures and process tree below come from behavioral2, the Windows 10 run; every memory-dump IoC is prefixed behavioral2/.)
General
Target: 7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe
Size: 534KB
MD5: 059ad08d9e8eef31013b815016bf2c50
SHA1: ec7aca3235e337104cae18b08519445907e33400
SHA256: 7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571
SHA512: 5f496575852ca180ca92df1aeaa221613259d1666936c37602f5ca605a24b8dc3394cb0323683bfef257f9b71e9235984482482df237afe4cf59ed232a30ff68
SSDEEP: 12288:lnC3ziKYs6O6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGH1:ln5KYs6ZlT+lQTD/O3BArRCH1
Malware Config
Signatures
BluStealer
  A modular information stealer written in Visual Basic.
StormKitty
  StormKitty is an open source info stealer written in C#.
  Both family signatures fire on the same run: the StormKitty payload rule matches the memory of AppLaunch.exe (PID 4156), the .NET host at the end of the injection chain described below.
StormKitty payload (1 IoC)
  yara rule family_stormkitty: behavioral2/memory/4156-144-0x0000000000DC0000-0x0000000000DDA000-memory.dmp
  The dump is from PID 4156 (AppLaunch.exe). The rule matched only in memory, inside the hollowed .NET host, not on any of the files listed under Downloads.
Executes dropped EXE (2 IoCs)
  PID 4864  hzxody.exe
  PID 2224  hzxody.exe
yara rule upx (2 IoCs)
  behavioral2/memory/2224-142-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral2/memory/2224-147-0x0000000000400000-0x0000000000427000-memory.dmp
  Both hits are on the image region 0x400000-0x427000 of PID 2224 (the second hzxody.exe instance), i.e. a UPX-packed image in that process.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Keys opened by AppLaunch.exe (PID 4156):
    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  9375CFF0413111d3B88A00104B2A6676 is the subkey under which Outlook keeps per-account settings (server, user name, stored password). The three paths cover Office 2013 (15.0), Office 2016/365 (16.0) and the older Windows Messaging Subsystem location, which is the usual sweep a credential stealer makes. Any process other than Outlook opening this key is a strong detection signal.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by hzxody.exe:
    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhbbq = "C:\\Users\\Admin\\AppData\\Roaming\\eayaxcqkdieui\\agvsyjciptyuwl.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hzxody.exe\" \"C:\\Users\\Admin\\App"
  The value is printed in escaped form and is cut off by the report. Unescaped, it starts agvsyjciptyuwl.exe from a new directory under AppData\Roaming and passes the path of the Temp-resident hzxody.exe as its first quoted argument; the second quoted argument is truncated in the report.
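One way to triage a Run-key value of this shape, as an added example (this code is mine, not the sandbox's or the malware's): it takes the value string exactly as the report prints it, undoes the report's escaping, splits it into image and arguments while tolerating the cut-off last argument, and flags the points a responder cares about. The criteria (image in a user-writable directory, an executable passed as an argument, a temp path in the arguments) are this example's own heuristics, and the benign second value is constructed for contrast.

```python
"""Triage of a Run-key value like the one reported above.

Added example, not part of the sandbox report or of the malware. The first
value is copied from the report's IoC row (escaped, and truncated by the
report); the benign second value is constructed. The "suspicious" criteria
are this example's own heuristics.
"""
import re
from typing import List, NamedTuple, Tuple

# Value exactly as the report prints it: backslashes and inner quotes are
# escaped, the outer quotes are the report's delimiters, and the final
# argument is cut off after "App".
REPORT_RUN_VALUE = (
    r'"C:\\Users\\Admin\\AppData\\Roaming\\eayaxcqkdieui\\agvsyjciptyuwl.exe '
    r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hzxody.exe\" \"C:\\Users\\Admin\\App"'
)
# Constructed benign value in the same escaped form (not from the report).
BENIGN_RUN_VALUE = r'"\"C:\\Program Files\\Vendor\\Updater.exe\" /silent"'

# Directories any user can write to; a Run entry pointing here warrants a look.
USER_WRITABLE_DIRS = ("/appdata/roaming/", "/appdata/local/", "/users/public/", "/programdata/")

# A quoted token (closing quote optional, so a truncated tail still parses)
# or a run of non-space characters.
TOKEN_RE = re.compile(r'"([^"]*)"?|(\S+)')


class RunEntry(NamedTuple):
    name: str
    image: str
    args: List[str]
    truncated: bool
    findings: List[Tuple[str, str]]  # (code, detail)

    @property
    def suspicious(self) -> bool:
        # Truncation is a data-quality note, not evidence on its own.
        return any(code != "truncated" for code, _ in self.findings)


def unescape_report_string(raw: str) -> str:
    """Strip the report's outer quotes and undo its backslash escaping."""
    s = raw.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r'\\(["\\])', r'\1', s)


def split_cmdline(cmd: str) -> Tuple[List[str], bool]:
    """Split a Windows-style command line; report whether the last quoted
    token had no closing quote (the cut-off tail of a truncated value)."""
    tokens, truncated = [], False
    for m in TOKEN_RE.finditer(cmd):
        if m.group(1) is not None:
            tokens.append(m.group(1))
            whole = m.group(0)
            if len(whole) < 2 or not whole.endswith('"'):
                truncated = True
        else:
            tokens.append(m.group(2))
    return tokens, truncated


def _norm(path: str) -> str:
    return path.lower().replace("\\", "/")


def triage_run_value(name: str, raw: str) -> RunEntry:
    tokens, truncated = split_cmdline(unescape_report_string(raw))
    image, args = tokens[0], tokens[1:]
    findings: List[Tuple[str, str]] = []
    hit = next((d for d in USER_WRITABLE_DIRS if d in _norm(image)), None)
    if hit:
        findings.append(("user_writable_image", hit))
    for a in args:
        if _norm(a).endswith(".exe"):
            findings.append(("exe_in_args", a))  # launcher/loader pattern
        if "/temp/" in _norm(a):
            findings.append(("temp_in_args", a))
    if truncated:
        findings.append(("truncated", "value cut off in source; trailing arguments unknown"))
    return RunEntry(name, image, args, truncated, findings)


if __name__ == "__main__":
    for name, raw in (("nhbbq", REPORT_RUN_VALUE), ("VendorUpdater", BENIGN_RUN_VALUE)):
        e = triage_run_value(name, raw)
        print(f"{name}: {'SUSPICIOUS' if e.suspicious else 'ok'}  image={e.image}")
        for code, detail in e.findings:
            print(f"    {code}: {detail}")
```

For the reported value this yields the image under AppData\Roaming, the Temp hzxody.exe path as the first argument, the truncated `C:\Users\Admin\App` fragment kept as-is rather than guessed at, and all three heuristic findings; the constructed benign entry yields none.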
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 33: icanhazip.com
  On its own the request is indistinguishable from legitimate use of the service; it is useful in correlation with the process that made it, which this summary does not attribute.
Suspicious use of SetThreadContext (2 IoCs)
  PID 4864 (hzxody.exe) set thread context of PID 2224 (hzxody.exe)
  PID 2224 (hzxody.exe) set thread context of PID 4156 (AppLaunch.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature adds "likely ransomware behaviour", but nothing else in this report supports that: no encryption or ransom-note activity is recorded. For an information stealer, drive enumeration is consistent with looking for files to collect and is not evidence of ransomware on its own.
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened by AppLaunch.exe: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  Key value queried by AppLaunch.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  The same read is part of the victim profile stealers bundle with their loot, so by itself it is as likely to be fingerprinting as sandbox evasion; the process doing it (a .NET host started with no arguments) is the stronger signal.
Suspicious behavior: MapViewOfSection (1 IoC)
  PID 4864  hzxody.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 4156  AppLaunch.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 4864  hzxody.exe (twice)
Suspicious use of SendNotifyMessage (2 IoCs)
  PID 4864  hzxody.exe (twice)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2224  hzxody.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2396 (7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe) wrote to memory of PID 4864 (hzxody.exe): 3 times
  PID 4864 (hzxody.exe) wrote to memory of PID 2224 (hzxody.exe): 4 times
  PID 2224 (hzxody.exe) wrote to memory of PID 4156 (AppLaunch.exe): 5 times
  Read together with the SetThreadContext rows: the writes 4864 -> 2224 and 2224 -> 4156 are each paired with a SetThreadContext from the same source, which is the process-hollowing sequence (spawn, write the image, redirect the primary thread). The writes 2396 -> 4864 have no matching SetThreadContext.
outlook_office_path (1 IoC)
  Key opened by AppLaunch.exe: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
outlook_win_path (1 IoC)
  Key opened by AppLaunch.exe: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  (These two lower-level rules repeat the evidence already listed under "Accesses Microsoft Outlook profiles".)
Processes (behavioral2; nesting shows parent to child, PIDs match the signature rows above)

1. C:\Users\Admin\AppData\Local\Temp\7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe"
   PID 2396
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\hzxody.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\hzxody.exe" "C:\Users\Admin\AppData\Local\Temp\yglxfybatp.au3"
      PID 4864
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\hzxody.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\hzxody.exe" "C:\Users\Admin\AppData\Local\Temp\yglxfybatp.au3"
         PID 2224
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            PID 4156
            - Accesses Microsoft Outlook profiles
            - Checks processor information in registry
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path

Reading the tree: the sample drops hzxody.exe and yglxfybatp.au3 into Temp and runs the former with the latter as its argument. .au3 is the AutoIt script extension, so hzxody.exe is in all likelihood a renamed AutoIt interpreter (the FindShellTrayWindow and SendNotifyMessage calls are typical of the AutoIt runtime). That first instance (PID 4864) writes the Run key, then starts a second copy of itself (PID 2224) and injects into it via WriteProcessMemory plus SetThreadContext; the second copy does the same to AppLaunch.exe, a Microsoft-signed .NET host started with no arguments. That hollowed host (PID 4156) is where the StormKitty payload is found in memory, and it is the process behind the Outlook credential lookups and the SeDebugPrivilege request.
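The three injection-related signatures and the process tree describe one chain. The following added example (my code, not from the report or the malware) rebuilds that chain from the report's own rows: it parses the WriteProcessMemory and SetThreadContext rows verbatim, treats a target that receives both from the same source as hollowed, walks the resulting graph root to leaf, and cross-checks that the StormKitty yara hit's memory dump belongs to a hollowed process. The rows, the PID-to-image map and the dump name are copied from this page; the hollowing criterion is this example's heuristic.

```python
"""Reconstruct the injection chain from the report's WriteProcessMemory and
SetThreadContext rows.

Added example, not part of the sandbox report. ROWS are copied verbatim from
the two signature tables above, PID_IMAGE from the Processes section, and
YARA_HIT from the StormKitty payload row. The "hollowed" criterion (a target
that receives both memory writes and a thread-context change from the same
source) is this example's heuristic.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = "7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe"

ROWS = [
    f"PID 2396 wrote to memory of 4864 2396 {SAMPLE} 85",
    f"PID 2396 wrote to memory of 4864 2396 {SAMPLE} 85",
    f"PID 2396 wrote to memory of 4864 2396 {SAMPLE} 85",
    "PID 4864 wrote to memory of 2224 4864 hzxody.exe 86",
    "PID 4864 wrote to memory of 2224 4864 hzxody.exe 86",
    "PID 4864 wrote to memory of 2224 4864 hzxody.exe 86",
    "PID 4864 wrote to memory of 2224 4864 hzxody.exe 86",
    "PID 2224 wrote to memory of 4156 2224 hzxody.exe 87",
    "PID 2224 wrote to memory of 4156 2224 hzxody.exe 87",
    "PID 2224 wrote to memory of 4156 2224 hzxody.exe 87",
    "PID 2224 wrote to memory of 4156 2224 hzxody.exe 87",
    "PID 2224 wrote to memory of 4156 2224 hzxody.exe 87",
    "PID 4864 set thread context of 2224 4864 hzxody.exe 86",
    "PID 2224 set thread context of 4156 2224 hzxody.exe 87",
]

PID_IMAGE = {2396: SAMPLE, 4864: "hzxody.exe", 2224: "hzxody.exe", 4156: "AppLaunch.exe"}
YARA_HIT = "behavioral2/memory/4156-144-0x0000000000DC0000-0x0000000000DDA000-memory.dmp"

# Row layout: "PID <src> <action> <dst> <src again> <src image> <internal process id>"
ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) \d+")

Edge = Tuple[int, int]


def parse_rows(rows: List[str]) -> Dict[Edge, Dict[str, int]]:
    """Aggregate the rows into per-(source, target) counters."""
    edges: Dict[Edge, Dict[str, int]] = defaultdict(lambda: {"writes": 0, "set_thread_context": 0})
    for row in rows:
        m = ROW_RE.fullmatch(row.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        key = "writes" if action.startswith("wrote") else "set_thread_context"
        edges[(src, dst)][key] += 1
    return dict(edges)


def hollowed_targets(edges: Dict[Edge, Dict[str, int]]) -> List[int]:
    """Targets that got both memory writes and a SetThreadContext from one source.

    Writes alone also appear when a parent merely starts a child, so they are
    not enough; the thread-context change is what turns a spawn into hollowing.
    """
    return sorted(dst for (_, dst), c in edges.items() if c["writes"] and c["set_thread_context"])


def injection_chains(edges: Dict[Edge, Dict[str, int]], pid_image: Dict[int, str]) -> List[List[Tuple[int, str]]]:
    """Every root-to-leaf path through the write/inject graph."""
    children: Dict[int, List[int]] = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    chains: List[List[Tuple[int, str]]] = []

    def walk(pid: int, path: List[Tuple[int, str]]) -> None:
        path = path + [(pid, pid_image.get(pid, "?"))]
        if not children.get(pid):
            chains.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path)

    for root in sorted(p for p in children if p not in targets):
        walk(root, [])
    return chains


def dump_pid(dump_name: str) -> int:
    """PID encoded in the report's memory-dump names ('.../memory/<pid>-<n>-<range>')."""
    m = re.search(r"/memory/(\d+)-", dump_name)
    if m is None:
        raise ValueError(dump_name)
    return int(m.group(1))


EDGES = parse_rows(ROWS)

if __name__ == "__main__":
    for chain in injection_chains(EDGES, PID_IMAGE):
        print(" -> ".join(f"{pid} {img}" for pid, img in chain))
    print("hollowed:", hollowed_targets(EDGES))
    print("payload dump is from a hollowed process:", dump_pid(YARA_HIT) in hollowed_targets(EDGES))
```

The result is the single chain 2396 -> 4864 -> 2224 -> 4156 with 2224 and 4156 flagged as hollowed and 4864 not (it only received the three writes that accompany an ordinary child launch, with no SetThreadContext), and the yara dump name resolves to PID 4156, one of the hollowed processes. The same edge-counting logic applies to Sysmon or EDR telemetry once the events are mapped to (source, target, action) triples.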
Network
MITRE ATT&CK Enterprise v6
Downloads (artefacts captured during the run; the report gives sizes and hashes only, no names or paths)

File 1, 54KB
  MD5    bb2ac542b5a191a368c06ee55c9f6d5f
  SHA1   98cfc5b9fba510408f32cfc856b2c297d4c86b37
  SHA256 45c74d4f072a6c2d06296ff7fb3177043be25299cdb814d1abf2d2347fdd7914
  SHA512 377f1df11c4a068773766c8e2a070eb6700675f9d0f1529a104cfcfd2f6337f701d9d538b45dd754365f35d9bfd06713130b65509b5eccc7980dc9a382609e9c

File 2, 59KB
  MD5    7f61d9db546a2d62a163ebe19ce05443
  SHA1   a35302b959295e2c76c78114b9a02b3a509d16e4
  SHA256 584cd64ec5db4ff1b00c507f97bbc00802a00ab50dc96e7165f334dd34e2f84c
  SHA512 bb9f511b5ef8ec52842c095399787a8d7922ac03309ee7ca5f880021ba02f6858b8001fc95edc925ccd6ad7f7fcf8fba2151b3e5424b3e3a41731ac2a76a27d1

File 3, 925KB (listed three times in the report with identical hashes, i.e. one file recorded in three places)
  MD5    0adb9b817f1df7807576c2d7068dd931
  SHA1   4a1b94a9a5113106f40cd8ea724703734d15f118
  SHA256 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
  SHA512 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

File 4, 11KB
  MD5    0c9abf2f221c9f14ad44b1f8ce8c968d
  SHA1   81dc41f8bbaaaad9792e6e9a5739e94d979491f5
  SHA256 837adc8aca44519f0cbdbb7a274da7a7e4b5bd34547ad75256c7da9db87564d3
  SHA512 398e69d3445fffc00d05d5c0c65e73be0a08490bf5e0c4f2383de886cde0486e70f41b83cd11fbacc0eedb5f3aaf143414c73e3d8f0af1cbec7a4a23547ed902