Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-11-2022 20:53

General

  • Target

    18112022365.scr

  • Size

    229KB

  • MD5

    2c948d99fb2c74bc2e1065a83c9ac423

  • SHA1

    5e6443132bb31fff16d94f823bc3df467de8dc84

  • SHA256

    9111218e89daf7e547af7777d2cde1fe35e029c1eff85f991349308a51af3d3d

  • SHA512

    6fffcc394750b99a57f438eef410333b941ced543126b2aa69ceade7b56136742104aeada34a46b7dfe090184ced384975a14b71721718c3d87ea3ccd00f3fab

  • SSDEEP

    3072:F0k+T6gqPPIvuvHQFpaIYkKEPIFJzE17vt:F59HsaIYkb

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18112022365.scr
    "C:\Users\Admin\AppData\Local\Temp\18112022365.scr" /S
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1356
    • C:\Users\Admin\AppData\Local\Temp\18112022365.scr
      C:\Users\Admin\AppData\Local\Temp\18112022365.scr
      2⤵
        PID:4028
      • C:\Users\Admin\AppData\Local\Temp\18112022365.scr
        C:\Users\Admin\AppData\Local\Temp\18112022365.scr
        2⤵
          PID:4208
        • C:\Users\Admin\AppData\Local\Temp\18112022365.scr
          C:\Users\Admin\AppData\Local\Temp\18112022365.scr
          2⤵
            PID:4304
          • C:\Users\Admin\AppData\Local\Temp\18112022365.scr
            C:\Users\Admin\AppData\Local\Temp\18112022365.scr
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2212
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              3⤵
              • Accesses Microsoft Outlook profiles
              • Checks processor information in registry
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:3652

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1356-144-0x00000000062E0000-0x00000000062FA000-memory.dmp

          Filesize

          104KB

        • memory/1356-138-0x0000000004810000-0x0000000004846000-memory.dmp

          Filesize

          216KB

        • memory/1356-139-0x0000000004FA0000-0x00000000055C8000-memory.dmp

          Filesize

          6.2MB

        • memory/1356-140-0x0000000005640000-0x00000000056A6000-memory.dmp

          Filesize

          408KB

        • memory/1356-141-0x00000000057A0000-0x0000000005806000-memory.dmp

          Filesize

          408KB

        • memory/1356-142-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

          Filesize

          120KB

        • memory/1356-143-0x00000000077F0000-0x0000000007E6A000-memory.dmp

          Filesize

          6.5MB

        • memory/1564-132-0x0000000000E40000-0x0000000000E7E000-memory.dmp

          Filesize

          248KB

        • memory/1564-134-0x0000000005870000-0x0000000005902000-memory.dmp

          Filesize

          584KB

        • memory/1564-135-0x0000000005800000-0x000000000580A000-memory.dmp

          Filesize

          40KB

        • memory/1564-136-0x000000000B300000-0x000000000B322000-memory.dmp

          Filesize

          136KB

        • memory/1564-133-0x0000000005F20000-0x00000000064C4000-memory.dmp

          Filesize

          5.6MB

        • memory/2212-149-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2212-151-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2212-154-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2212-158-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3652-156-0x0000000000630000-0x000000000064A000-memory.dmp

          Filesize

          104KB

        • memory/3652-157-0x0000000005420000-0x00000000054BC000-memory.dmp

          Filesize

          624KB