Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-11-2022 20:53
Static task: static1
Behavioral task: behavioral1
  Sample: 18112022365.scr.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 18112022365.scr.exe
  Resource: win10v2004-20220812-en
General
Target: 18112022365.scr.exe
Size: 229KB
MD5: 2c948d99fb2c74bc2e1065a83c9ac423
SHA1: 5e6443132bb31fff16d94f823bc3df467de8dc84
SHA256: 9111218e89daf7e547af7777d2cde1fe35e029c1eff85f991349308a51af3d3d
SHA512: 6fffcc394750b99a57f438eef410333b941ced543126b2aa69ceade7b56136742104aeada34a46b7dfe090184ced384975a14b71721718c3d87ea3ccd00f3fab
SSDEEP: 3072:F0k+T6gqPPIvuvHQFpaIYkKEPIFJzE17vt:F59HsaIYkb
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718
Signatures
BluStealer
A modular information stealer written in Visual Basic.
StormKitty
StormKitty is an open source info stealer written in C#.
StormKitty payload (1 IoCs)
resource | yara_rule
behavioral2/memory/544-153-0x0000000000800000-0x000000000081A000-memory.dmp | family_stormkitty
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 18112022365.scr.exe
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mhpsyw = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uzgludktxlq\\Mhpsyw.exe\"" | 18112022365.scr.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
29 | icanhazip.com
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4736 set thread context of 3584 | 4736 | 18112022365.scr.exe | 83
PID 3584 set thread context of 544 | 3584 | 18112022365.scr.exe | 84
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | AppLaunch.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | AppLaunch.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
5092 | powershell.exe
5092 | powershell.exe
4736 | 18112022365.scr.exe
4736 | 18112022365.scr.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
3584 | 18112022365.scr.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4736 | 18112022365.scr.exe
Token: SeDebugPrivilege | 5092 | powershell.exe
Token: SeDebugPrivilege | 544 | AppLaunch.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3584 | 18112022365.scr.exe
Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target
PID 4736 wrote to memory of 5092 | 4736 | 18112022365.scr.exe | 79
PID 4736 wrote to memory of 5092 | 4736 | 18112022365.scr.exe | 79
PID 4736 wrote to memory of 5092 | 4736 | 18112022365.scr.exe | 79
PID 4736 wrote to memory of 1644 | 4736 | 18112022365.scr.exe | 82
PID 4736 wrote to memory of 1644 | 4736 | 18112022365.scr.exe | 82
PID 4736 wrote to memory of 1644 | 4736 | 18112022365.scr.exe | 82
PID 4736 wrote to memory of 3584 | 4736 | 18112022365.scr.exe | 83
PID 4736 wrote to memory of 3584 | 4736 | 18112022365.scr.exe | 83
PID 4736 wrote to memory of 3584 | 4736 | 18112022365.scr.exe | 83
PID 4736 wrote to memory of 3584 | 4736 | 18112022365.scr.exe | 83
PID 4736 wrote to memory of 3584 | 4736 | 18112022365.scr.exe | 83
PID 4736 wrote to memory of 3584 | 4736 | 18112022365.scr.exe | 83
PID 4736 wrote to memory of 3584 | 4736 | 18112022365.scr.exe | 83
PID 4736 wrote to memory of 3584 | 4736 | 18112022365.scr.exe | 83
PID 3584 wrote to memory of 544 | 3584 | 18112022365.scr.exe | 84
PID 3584 wrote to memory of 544 | 3584 | 18112022365.scr.exe | 84
PID 3584 wrote to memory of 544 | 3584 | 18112022365.scr.exe | 84
PID 3584 wrote to memory of 544 | 3584 | 18112022365.scr.exe | 84
PID 3584 wrote to memory of 544 | 3584 | 18112022365.scr.exe | 84
outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Processes
C:\Users\Admin\AppData\Local\Temp\18112022365.scr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18112022365.scr.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4736
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
    (the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 50)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 5092
  C:\Users\Admin\AppData\Local\Temp\18112022365.scr.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\18112022365.scr.exe
    PID: 1644
  C:\Users\Admin\AppData\Local\Temp\18112022365.scr.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\18112022365.scr.exe
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3584
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
      PID: 544