Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-01-2023 14:07
Static task: static1
Behavioral task: behavioral1
  Sample: d39fa4eda171a0a3850f87eed0c8b71f7bc8bf604dd951c819a25f8963dd3d38.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d39fa4eda171a0a3850f87eed0c8b71f7bc8bf604dd951c819a25f8963dd3d38.exe
  Resource: win10v2004-20220812-en
General
- Target: d39fa4eda171a0a3850f87eed0c8b71f7bc8bf604dd951c819a25f8963dd3d38.exe
- Size: 386KB
- MD5: 567fcda09e88a7143f6865b623b47b58
- SHA1: 0ff13870fcdf98c8a764715866d063561e1ddfc0
- SHA256: d39fa4eda171a0a3850f87eed0c8b71f7bc8bf604dd951c819a25f8963dd3d38
- SHA512: 4343096815d17e7e6f01ba724b18312b3f9e59efa3001af9374fa08c6440e8e78f83efde13ff3531612eebe4fcb1a51a6e251ea1114160176f466f6ab068da9a
- SSDEEP: 6144:YYa6hQx8ayrbor6PJ5OgCb58CxqITl2vmtYSgdANf5I:YY0xPgUr6RAgwSviYSpN2
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774
Signatures
- BluStealer
  A modular information stealer written in Visual Basic.
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoC)
  Processes:
    resource: behavioral2/memory/2380-142-0x0000000000900000-0x000000000091A000-memory.dmp, yara_rule: family_stormkitty
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 4744 myekfzmci.exe
    PID 4140 myekfzmci.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
    Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
    Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ujqadxxbgsjt = "C:\\Users\\Admin\\AppData\\Roaming\\axkouqd\\glijxsotl.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\myekfzmci.exe\" C:\\Users\\Admin\\AppData\\Loca" (myekfzmci.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 16: icanhazip.com
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    PID 4744 set thread context of 4140 (process myekfzmci.exe, target process myekfzmci.exe)
    PID 4140 set thread context of 2380 (process myekfzmci.exe, target process AppLaunch.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (AppLaunch.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (AppLaunch.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 4140 myekfzmci.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    PID 4744 myekfzmci.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege, PID 2380 AppLaunch.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    PID 4140 myekfzmci.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 4796 wrote to memory of 4744 (process d39fa4eda171a0a3850f87eed0c8b71f7bc8bf604dd951c819a25f8963dd3d38.exe, target process myekfzmci.exe)
    PID 4796 wrote to memory of 4744 (process d39fa4eda171a0a3850f87eed0c8b71f7bc8bf604dd951c819a25f8963dd3d38.exe, target process myekfzmci.exe)
    PID 4796 wrote to memory of 4744 (process d39fa4eda171a0a3850f87eed0c8b71f7bc8bf604dd951c819a25f8963dd3d38.exe, target process myekfzmci.exe)
    PID 4744 wrote to memory of 4140 (process myekfzmci.exe, target process myekfzmci.exe)
    PID 4744 wrote to memory of 4140 (process myekfzmci.exe, target process myekfzmci.exe)
    PID 4744 wrote to memory of 4140 (process myekfzmci.exe, target process myekfzmci.exe)
    PID 4744 wrote to memory of 4140 (process myekfzmci.exe, target process myekfzmci.exe)
    PID 4140 wrote to memory of 2380 (process myekfzmci.exe, target process AppLaunch.exe)
    PID 4140 wrote to memory of 2380 (process myekfzmci.exe, target process AppLaunch.exe)
    PID 4140 wrote to memory of 2380 (process myekfzmci.exe, target process AppLaunch.exe)
    PID 4140 wrote to memory of 2380 (process myekfzmci.exe, target process AppLaunch.exe)
    PID 4140 wrote to memory of 2380 (process myekfzmci.exe, target process AppLaunch.exe)
- outlook_office_path (1 IoC)
  Processes:
    Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
- outlook_win_path (1 IoC)
  Processes:
    Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
Processes (indentation shows the process tree depth)
- C:\Users\Admin\AppData\Local\Temp\d39fa4eda171a0a3850f87eed0c8b71f7bc8bf604dd951c819a25f8963dd3d38.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d39fa4eda171a0a3850f87eed0c8b71f7bc8bf604dd951c819a25f8963dd3d38.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\myekfzmci.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\myekfzmci.exe" C:\Users\Admin\AppData\Local\Temp\uwlkypmlzr.kth
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\myekfzmci.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\myekfzmci.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        - Accesses Microsoft Outlook profiles
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\myekfzmci.exe
  Filesize: 63KB
  MD5: b38d2a3a7b0fbe31a2fa37b61a3d6d21
  SHA1: c846c2dc9ebd5645e9ee0efdf427aae725b90d59
  SHA256: 137e8b10a5d44fe35ad5c7b7fc2710ec2daab4be977f88f953bdda4f02ea9568
  SHA512: cc2f514d75a7e029f57acbef264985677927aac3e99d5554184083a41f5884b7fff8b03bf173a521eaf8c2428861efa3635cdab423752d1ae67074c2ba401625
- C:\Users\Admin\AppData\Local\Temp\uwlkypmlzr.kth
  Filesize: 7KB
  MD5: 73334dfffb46b09dd3b6fd2d60c8cd72
  SHA1: aaab0da1aa63c7f950254f1bee652e9670f2c657
  SHA256: 4272d7b174d688975418efcac56ed99c7d5f114cce7366aec64e5a346cd7ee41
  SHA512: 14962d2d9f034d0055ebc05541febb25e2b7078df00191b1f65bb960eaec57d2fe5e99eeae36d50e8301efdffd947331775ac215da3fa36cd499319acb3f0fce
- C:\Users\Admin\AppData\Local\Temp\zbavfavyznw.n
  Filesize: 164KB
  MD5: 97096e58a971859a9f01325bc6890a4c
  SHA1: 346e44f528e66d777ddd5f8b6629855a8532adb3
  SHA256: 0cf38a79b25e32f569e12fd2ca1d78b2ba6c0b43e7ce1ff24aad8b16a0495201
  SHA512: 6a7916ac4a5ea11793e2b597620a02882bd284fd5c38a27261da5c6ede199e62b9d5a2decc0f8d093d8b09169c4b3cace92584157e59d1131c697193480393ac
- memory/2380-141-0x0000000000000000-mapping.dmp
- memory/2380-142-0x0000000000900000-0x000000000091A000-memory.dmp
  Filesize: 104KB
- memory/2380-143-0x0000000004F80000-0x0000000004FE6000-memory.dmp
  Filesize: 408KB
- memory/2380-145-0x0000000005990000-0x0000000005A2C000-memory.dmp
  Filesize: 624KB
- memory/4140-137-0x0000000000000000-mapping.dmp
- memory/4140-144-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/4140-146-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/4744-132-0x0000000000000000-mapping.dmp