Analysis

max time kernel: 151s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-11-2022 20:53
Static task: static1
Behavioral task: behavioral1 (sample 18112022365.scr, resource win7-20221111-en)
Behavioral task: behavioral2 (sample 18112022365.scr, resource win10v2004-20221111-en)

The signatures and process tree below are from behavioral2, the win10v2004-20221111-en run named in the header.
General

Target: 18112022365.scr
Size: 229KB
MD5: 2c948d99fb2c74bc2e1065a83c9ac423
SHA1: 5e6443132bb31fff16d94f823bc3df467de8dc84
SHA256: 9111218e89daf7e547af7777d2cde1fe35e029c1eff85f991349308a51af3d3d
SHA512: 6fffcc394750b99a57f438eef410333b941ced543126b2aa69ceade7b56136742104aeada34a46b7dfe090184ced384975a14b71721718c3d87ea3ccd00f3fab
SSDEEP: 3072:F0k+T6gqPPIvuvHQFpaIYkKEPIFJzE17vt:F59HsaIYkb
Malware Config

Extracted
family: blustealer
C2: https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718

The extracted C2 is a Telegram Bot API endpoint: the path segment after "bot" is the bot token (numeric bot id, a colon, then the secret) and chat_id names the chat that receives the stolen data. Because the traffic is TLS to api.telegram.org, it looks like ordinary Telegram use on the wire; the bot id and chat_id are the indicators worth matching in proxy or TLS-inspection logs.
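The extracted C2 above, worked as an added example that is not part of the sandbox report: a Python snippet that splits the Telegram Bot API URL into bot id, token secret, API method and chat_id, defangs it for write-ups, and applies the same test to a few constructed proxy log lines so that only Bot API calls (not browsing to telegram.org) are flagged. The URL is the one the report extracted; the log lines, their field layout and the function names are assumptions made for this example.

```python
# Added example (not part of the sandbox report): parse the extracted BluStealer
# C2 URL into its Telegram Bot API components and reuse the same check to flag
# proxy log lines that call a Telegram bot endpoint. The URL is copied from the
# report; the log lines below are constructed for illustration.
import re
from urllib.parse import urlsplit, parse_qs

EXTRACTED_C2 = ("https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs"
                "/sendMessage?chat_id=932962718")

# Bot API paths have the shape /bot<bot_id>:<secret>/<method>. The bot id is
# numeric; the secret is the BotFather-issued part of the token.
_BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_telegram_c2(url):
    """Return bot_id, secret, method and chat_id for a Telegram Bot API URL,
    or None when the URL is not a Bot API call (wrong host or path shape)."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = _BOT_PATH.match(parts.path)
    if not m:
        return None
    query = parse_qs(parts.query)
    return {
        "bot_id": m.group("bot_id"),
        "secret": m.group("secret"),
        "method": m.group("method"),
        "chat_id": query.get("chat_id", [None])[0],
    }


def defang(url):
    """Render a URL so it cannot be clicked by accident in a report:
    https -> hxxps and dots in the host bracketed."""
    parts = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(parts.scheme, parts.scheme)
    host = parts.netloc.replace(".", "[.]")
    rest = parts.path + ("?" + parts.query if parts.query else "")
    return f"{scheme}://{host}{rest}"


# Constructed proxy log lines: timestamp, client IP, HTTP method, URL, status.
# Line 1 mirrors the icanhazip.com lookup from the report; line 2 is the
# extracted C2; line 3 is benign; line 4 is a different (made-up) bot.
SAMPLE_PROXY_LOG = """\
2022-11-18T20:55:01Z 10.0.0.15 GET https://icanhazip.com/ 200
2022-11-18T20:55:03Z 10.0.0.15 POST https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718 200
2022-11-18T20:56:10Z 10.0.0.22 GET https://www.example.com/index.html 200
2022-11-18T20:57:44Z 10.0.0.31 POST https://api.telegram.org/bot123456789:AAEx-ample_SecretSecretSecret/sendDocument?chat_id=555 200
"""


def find_telegram_bot_exfil(log_text):
    """Return (client, bot_id, chat_id, method) for each line whose URL is a
    Telegram Bot API call. Requires the /bot<id>:<secret>/ path, so plain
    visits to telegram.org pages are not reported."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        info = parse_telegram_c2(url)
        if info:
            hits.append((client, info["bot_id"], info["chat_id"], info["method"]))
    return hits


if __name__ == "__main__":
    print(parse_telegram_c2(EXTRACTED_C2))
    print(defang(EXTRACTED_C2))
    for hit in find_telegram_bot_exfil(SAMPLE_PROXY_LOG):
        print("telegram bot exfil:", hit)
```

Matching on the full Bot API path shape rather than on the host alone keeps the rule usable where Telegram is allowed; the bot id is stable across samples that share an operator, so it is a better pivot than the full token, which the operator can rotate.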
Signatures

BluStealer
A modular information stealer written in Visual Basic.

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
resource: behavioral2/memory/3652-156-0x0000000000630000-0x000000000064A000-memory.dmp
yara_rule: family_stormkitty
The rule fires on a memory region of PID 3652 (AppLaunch.exe), the last process in the injection chain, so the StormKitty match is on the in-memory final stage rather than on the .scr file on disk.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (process: 18112022365.scr)
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
All three keys are opened by AppLaunch.exe, the process hosting the final payload. The 9375CFF0413111d3B88A00104B2A6676 subkey is where Outlook keeps per-account settings, which is why mail-credential stealers read it under every Office version path they know.
Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mhpsyw = "C:\Users\Admin\AppData\Roaming\Uzgludktxlq\Mhpsyw.exe" (process: 18112022365.scr; the stored value includes the surrounding quotes)
The value name, directory and file name are random-looking strings under %APPDATA%. The Run entry is the persistence artefact to hunt for on other hosts; the report records the registry write but no file drop, so the binary at that path should be collected from an infected machine rather than assumed to match the submitted .scr.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 69: icanhazip.com
Suspicious use of SetThreadContext (2 IoCs)
PID 1564 (18112022365.scr) set thread context of PID 2212 (procid_target 91)
PID 2212 (18112022365.scr) set thread context of PID 3652 (procid_target 92)
Each SetThreadContext call follows a burst of WriteProcessMemory calls from the same parent into the same child (see the WriteProcessMemory signature below), which is the sequence of a child started suspended, overwritten in memory and resumed at a new entry point, i.e. process hollowing. The second hop lands in AppLaunch.exe, Microsoft's .NET application launcher, where the family_stormkitty rule fires.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description rates this as likely ransomware behaviour; for a sample classified as an information stealer, drive enumeration is more consistent with locating removable media and files to harvest than with encryption, and no file-encryption or ransom-note activity appears elsewhere in this report.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (process: AppLaunch.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: AppLaunch.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
PID 1356 powershell.exe (2 calls)
PID 1564 18112022365.scr (6 calls)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 2212 18112022365.scr
Repeated GetForegroundWindow polling is typical of a keylogger recording which window the captured keystrokes belong to.

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token SeDebugPrivilege: PID 1564 18112022365.scr
Token SeDebugPrivilege: PID 1356 powershell.exe
Token SeDebugPrivilege: PID 3652 AppLaunch.exe

Suspicious use of SetWindowsHookEx (1 IoC)
PID 2212 18112022365.scr
SetWindowsHookEx is the API used to install keyboard and message hooks, so together with the GetForegroundWindow polling in the same PID this points at a keylogging component.

Suspicious use of WriteProcessMemory (25 IoCs)
The report lists every call separately; grouped by source and target:
PID 1564 18112022365.scr wrote to memory of 1356 powershell.exe (procid_target 84): 3 calls
PID 1564 18112022365.scr wrote to memory of 4028 18112022365.scr (procid_target 88): 3 calls
PID 1564 18112022365.scr wrote to memory of 4208 18112022365.scr (procid_target 89): 3 calls
PID 1564 18112022365.scr wrote to memory of 4304 18112022365.scr (procid_target 90): 3 calls
PID 1564 18112022365.scr wrote to memory of 2212 18112022365.scr (procid_target 91): 8 calls
PID 2212 18112022365.scr wrote to memory of 3652 AppLaunch.exe (procid_target 92): 5 calls
The three-call groups are the writes a parent makes into every child it creates; the larger groups into 2212 and 3652 are the two targets that also receive SetThreadContext.
outlook_office_path (1 IoC)
Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AppLaunch.exe)

outlook_win_path (1 IoC)
Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AppLaunch.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\18112022365.scr (PID 1564, depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\18112022365.scr" /S
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1356, depth 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\18112022365.scr (PID 4028, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\18112022365.scr
    (no signatures recorded)

    C:\Users\Admin\AppData\Local\Temp\18112022365.scr (PID 4208, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\18112022365.scr
    (no signatures recorded)

    C:\Users\Admin\AppData\Local\Temp\18112022365.scr (PID 4304, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\18112022365.scr
    (no signatures recorded)

    C:\Users\Admin\AppData\Local\Temp\18112022365.scr (PID 2212, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\18112022365.scr
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3652, depth 3)
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        - Accesses Microsoft Outlook profiles
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path

Notes on the tree:
- /S is the standard screensaver "run" switch, so the sample was started the way a .scr runs when Windows launches it as a screensaver.
- The PowerShell image path is under SysWOW64 although the command line names System32: the parent is a 32-bit process (the resource tags include arch:x86) and WOW64 file system redirection maps System32 to SysWOW64 for it. The -enc argument is base64 of UTF-16LE text and decodes to Start-Sleep -Seconds 50, a 50-second delay with no other payload; with the run capped at 151s of kernel time, that sleep consumes a third of the analysis window.
- The first three child copies of the .scr (PIDs 4028, 4208, 4304) have no recorded signatures. The fourth copy (PID 2212) receives SetThreadContext and WriteProcessMemory from the parent and repeats the same sequence against AppLaunch.exe, the 32-bit .NET host under Framework rather than Framework64, whose region 0x630000-0x64A000 is the memory dump that matches the family_stormkitty rule.
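As an added example that is not part of the report, the two things a responder does by hand on this tree, written out in Python: decode the -enc argument of PID 1356 (powershell.exe expects base64 of UTF-16LE text, so a plain UTF-8 decode yields interleaved NUL bytes), classify the result as a pure delay, and rebuild the SetThreadContext chain from the wording of the report's IoC lines. The encoded string, PIDs and process names are copied from the report; the regular expression over the "PID X set thread context of Y" phrasing and all function names are assumptions made for this example.

```python
# Added example (not part of the sandbox report): decode the PowerShell -enc
# argument from the process tree and reconstruct the SetThreadContext chain.
# Strings and PIDs are copied from the report; the IoC text format and the
# function names are assumptions made for this example.
import base64
import re

# The -enc value from the PID 1356 command line in the report.
ENC_ARG = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA=="

# The SetThreadContext IoC text as it appears in the report.
SET_THREAD_CONTEXT_IOCS = (
    "PID 1564 set thread context of 2212 1564 18112022365.scr 91 "
    "PID 2212 set thread context of 3652 2212 18112022365.scr 92"
)

# Process names per PID, taken from the report's process tree.
PROCESS_NAMES = {
    1564: "18112022365.scr",
    1356: "powershell.exe",
    2212: "18112022365.scr",
    3652: "AppLaunch.exe",
}


def decode_powershell_enc(arg):
    """powershell.exe -enc / -EncodedCommand takes base64 of the UTF-16LE
    command text; decoding as UTF-8 would leave a NUL after every character."""
    return base64.b64decode(arg).decode("utf-16-le")


# Matches Start-Sleep with an optional parameter name (-Seconds, -s,
# -Milliseconds) and a numeric argument, and nothing else on the line.
_SLEEP_ONLY = re.compile(r"\s*Start-Sleep(\s+-\w+)?\s+\d+\s*", re.IGNORECASE)


def is_sleep_only(command):
    """True when the decoded command does nothing but sleep: a delay meant to
    outlast an analysis window rather than real activity."""
    return _SLEEP_ONLY.fullmatch(command) is not None


# The report phrases each IoC as "PID <source> set thread context of <target>".
_STC = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_set_thread_context(text):
    """Return (source_pid, target_pid) pairs in the order the report lists them."""
    return [(int(src), int(dst)) for src, dst in _STC.findall(text)]


def injection_chain(pairs, root):
    """Follow source->target edges from the root PID until a PID with no
    outgoing edge is reached. A PID already in the chain stops the walk, so
    a malformed cyclic input cannot loop forever."""
    next_hop = dict(pairs)
    chain = [root]
    while chain[-1] in next_hop and next_hop[chain[-1]] not in chain:
        chain.append(next_hop[chain[-1]])
    return chain


def describe_chain(chain, names):
    """Render the chain with image names, e.g. '1564 (x.scr) -> 2212 (x.scr)'."""
    return " -> ".join(f"{pid} ({names.get(pid, '?')})" for pid in chain)


if __name__ == "__main__":
    cmd = decode_powershell_enc(ENC_ARG)
    print("decoded -enc:", cmd, "(delay only)" if is_sleep_only(cmd) else "")
    pairs = parse_set_thread_context(SET_THREAD_CONTEXT_IOCS)
    print("hollowing chain:", describe_chain(injection_chain(pairs, 1564), PROCESS_NAMES))
```

The chain walk starts at the PID of the submitted sample and ends at the process whose memory the YARA rule matched, which is the process to dump and unpack; the decoded PowerShell line tells the analyst the child is a delay, not a downloader, so no network indicator is expected from PID 1356.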