Analysis
max time kernel: 83s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-01-2023 00:46
Behavioral tasks
behavioral1: sample file_2.exe, resource win7-20220812-en
behavioral2: sample file_2.exe, resource win10v2004-20221111-en
General
Target: file_2.exe
Size: 354KB
MD5: a8bc3922060ac04531cc345cf32187a4
SHA1: 1587cf4a2597c265562618f819e7de0793b82b77
SHA256: 1bd0003b7c27d07166b5967d4cfff1ec606d2dd47e3ea63cfeb3e0ded1920965
SHA512: 9d4b8e32d837642de9bfc9b57a606522d6340958bc49e49ad6e06ea5c30ef985970f82b4445a6719c7abeef56f1cb2335049889e7b73ba350e55e16c586e8136
SSDEEP: 6144:ZEORvVBke0lARaQICciUyHd3AdA2ElfejV23oT3E1TfJ79TrOxLHq/hNnJLji:ZEKBke0l69cq9Hzo6F79Tr3pNR
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
  resource: behavioral2/memory/1616-132-0x0000019F44E80000-0x0000019F44EE0000-memory.dmp | yara_rule: family_stormkitty
-
Downloads MZ/PE file
-
Processes:
  resource: behavioral2/memory/1616-143-0x0000019F5FE80000-0x0000019F5FF04000-memory.dmp | yara_rule: vmprotect
  resource: C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll | yara_rule: vmprotect
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | process: file_2.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: file_2.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: file_2.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: file_2.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 22 | ioc: icanhazip.com
  flow: 15 | ioc: ip-api.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | process: file_2.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | process: file_2.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
  pid: 2016 | process: timeout.exe
-
Kills process with taskkill 1 IoCs
Processes:
  pid: 3936 | process: taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
  pid: 1616 | process: file_2.exe (reported 29 times)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description: Token: SeDebugPrivilege | pid: 1616 | process: file_2.exe
  description: Token: SeSecurityPrivilege | pid: 3792 | process: msiexec.exe
  description: Token: SeDebugPrivilege | pid: 3936 | process: taskkill.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
  description: PID 1616 wrote to memory of 1348 | pid: 1616 | process: file_2.exe | target process: cmd.exe
  description: PID 1348 wrote to memory of 2676 | pid: 1348 | process: cmd.exe | target process: chcp.com
  description: PID 1348 wrote to memory of 2920 | pid: 1348 | process: cmd.exe | target process: netsh.exe
  description: PID 1348 wrote to memory of 2988 | pid: 1348 | process: cmd.exe | target process: findstr.exe
  description: PID 1616 wrote to memory of 3424 | pid: 1616 | process: file_2.exe | target process: cmd.exe
  description: PID 3424 wrote to memory of 2824 | pid: 3424 | process: cmd.exe | target process: chcp.com
  description: PID 3424 wrote to memory of 2020 | pid: 3424 | process: cmd.exe | target process: netsh.exe
  description: PID 1616 wrote to memory of 3968 | pid: 1616 | process: file_2.exe | target process: cmd.exe
  description: PID 3968 wrote to memory of 5028 | pid: 3968 | process: cmd.exe | target process: chcp.com
  description: PID 3968 wrote to memory of 3936 | pid: 3968 | process: cmd.exe | target process: taskkill.exe
  description: PID 3968 wrote to memory of 2016 | pid: 3968 | process: cmd.exe | target process: timeout.exe
-
outlook_office_path 1 IoCs
Processes:
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: file_2.exe
-
outlook_win_path 1 IoCs
Processes:
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: file_2.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file_2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file_2.exe"
  signatures: Checks computer location settings; Accesses Microsoft Outlook profiles; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
  - C:\Windows\SYSTEM32\cmd.exe
    command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      command line: chcp 65001
    - C:\Windows\system32\netsh.exe
      command line: netsh wlan show profile
    - C:\Windows\system32\findstr.exe
      command line: findstr All
  - C:\Windows\SYSTEM32\cmd.exe
    command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      command line: chcp 65001
    - C:\Windows\system32\netsh.exe
      command line: netsh wlan show networks mode=bssid
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp339.tmp.bat
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      command line: chcp 65001
    - C:\Windows\system32\taskkill.exe
      command line: TaskKill /F /IM 1616
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\timeout.exe
      command line: Timeout /T 2 /Nobreak
      signatures: Delays execution with timeout.exe
- C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
  Filesize: 293KB
  MD5: 7a2d5deab61f043394a510f4e2c0866f
  SHA1: ca16110c9cf6522cd7bea32895fd0f697442849b
  SHA256: 75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69
  SHA512: b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
  Filesize: 448KB
  MD5: 6d1c62ec1c2ef722f49b2d8dd4a4df16
  SHA1: 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
  SHA256: 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
  SHA512: c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2
C:\Users\Admin\AppData\Local\Temp\tmp339.tmp.bat
  Filesize: 235B
  MD5: 8e25ede48fd06e2091e7e073709cf04f
  SHA1: dbcd5a1bd03cc7f3e3e7a5771fae4a99bcb1f26d
  SHA256: de09126a318cc86477829580caefc37b8acf8d60df546c3507f35440d8256f6f
  SHA512: 3c25b59b95f1d6ff416945e1655e5f9dd78310c47e7baebfdd7b8e1101cb0fbfb1c6e83da20a77c1c6c509c5ba9234746f6adb5710acae9372fdcf3a1534de82
memory/1616-132-0x0000019F44E80000-0x0000019F44EE0000-memory.dmpFilesize
384KB
-
memory/1616-134-0x00007FF8A1A30000-0x00007FF8A24F1000-memory.dmpFilesize
10.8MB
-
memory/1616-142-0x0000019F5FD70000-0x0000019F5FDE6000-memory.dmpFilesize
472KB
-
memory/1616-143-0x0000019F5FE80000-0x0000019F5FF04000-memory.dmpFilesize
528KB
-
memory/1616-149-0x00007FF8A1A30000-0x00007FF8A24F1000-memory.dmpFilesize
10.8MB
-
memory/1616-133-0x00007FF8A1A30000-0x00007FF8A24F1000-memory.dmpFilesize
10.8MB