Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1800s -
max time network
1688s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28/12/2022, 04:42
Behavioral task
behavioral1
Sample
350e90c78478820a9240472f315c2ab90fea577893a121a1959e5c6b427d0b48.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
350e90c78478820a9240472f315c2ab90fea577893a121a1959e5c6b427d0b48.exe
Resource
win10v2004-20220812-en
General
-
Target
350e90c78478820a9240472f315c2ab90fea577893a121a1959e5c6b427d0b48.exe
-
Size
140KB
-
MD5
93b5c69e8b112eb6220e44b41caba6d7
-
SHA1
1b39574ba17317ea31de83175846610dd870f802
-
SHA256
350e90c78478820a9240472f315c2ab90fea577893a121a1959e5c6b427d0b48
-
SHA512
6348f041fea14348cf056a0387041a7a8cc711bf35b92884fc1384cb2f019c1b6ec5d43695e92ec65fc48071130e653ff4041ad9c4825b4e4a4d4bb29c1121b7
-
SSDEEP
1536:SdXO/Zws3kTnvzbhNBPmxue2SRQg0dkEwiqoVionmunqT4Iit7gN:SsZTkLfhjFSiO3oMPTJi+N
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/1544-135-0x0000000000510000-0x000000000052A000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 icanhazip.com -
Drops file in System32 directory 10 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CCF72AD7-BA15-4133-9028-547C7384D610}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{7E795AEA-4B8C-462E-B6EE-FD18130D6AA6}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8078728F-8830-4D29-8350-FFDA98301D92}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{17B83B94-7FA1-4759-A6C4-60FC1DCF9B9C}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{AD5F2D82-28B5-43DF-A41C-4A788934BA14}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A8872EB1-EAE5-4F40-8909-485713C27BAC}.catalogItem svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2136 set thread context of 1544 2136 350e90c78478820a9240472f315c2ab90fea577893a121a1959e5c6b427d0b48.exe 77 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1544 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2136 350e90c78478820a9240472f315c2ab90fea577893a121a1959e5c6b427d0b48.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2136 wrote to memory of 1544 2136 350e90c78478820a9240472f315c2ab90fea577893a121a1959e5c6b427d0b48.exe 77 PID 2136 wrote to memory of 1544 2136 350e90c78478820a9240472f315c2ab90fea577893a121a1959e5c6b427d0b48.exe 77 PID 2136 wrote to memory of 1544 2136 350e90c78478820a9240472f315c2ab90fea577893a121a1959e5c6b427d0b48.exe 77 PID 2136 wrote to memory of 1544 2136 350e90c78478820a9240472f315c2ab90fea577893a121a1959e5c6b427d0b48.exe 77 PID 2136 wrote to memory of 1544 2136 350e90c78478820a9240472f315c2ab90fea577893a121a1959e5c6b427d0b48.exe 77 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\350e90c78478820a9240472f315c2ab90fea577893a121a1959e5c6b427d0b48.exe"C:\Users\Admin\AppData\Local\Temp\350e90c78478820a9240472f315c2ab90fea577893a121a1959e5c6b427d0b48.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1544
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
PID:1480