Analysis

max time kernel: 487s
max time network: 491s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-01-2023 04:24
Static task: static1

Behavioral task: behavioral1
Sample: 89bcd9a2a0e9ff0b086bf9c973a3ef07f41d992793f77f359b1a3fce08c18ad4.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 89bcd9a2a0e9ff0b086bf9c973a3ef07f41d992793f77f359b1a3fce08c18ad4.exe
Resource: win10v2004-20220901-en
General

Target: 89bcd9a2a0e9ff0b086bf9c973a3ef07f41d992793f77f359b1a3fce08c18ad4.exe
Size: 743KB
MD5: b9c45a591e76542c29df77cd6d02daea
SHA1: 7ee76c8ab9c1362e8c8af7da4b822a14f05e1bf1
SHA256: 89bcd9a2a0e9ff0b086bf9c973a3ef07f41d992793f77f359b1a3fce08c18ad4
SHA512: a9656322806765e2be3f5b6174d2ca4458017c1ac341658ff777e802d3cae1c953969a21993eb7ac21720b5745dc162b98119530d844138934051a5c783c8f62
SSDEEP: 12288:e8eejGIgzgwtqzsXCzJnBdyPRUF4umqpWGW57M:R5khSzRSA8VBM
Malware Config
Signatures

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/2808-134-0x0000000000400000-0x0000000000456000-memory.dmp | family_stormkitty

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive material.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) (5 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\IYMUGYHL\FileGrabber\Pictures\desktop.ini | RegAsm.exe
File created | C:\Users\Admin\AppData\Local\IYMUGYHL\FileGrabber\Desktop\desktop.ini | RegAsm.exe
File opened for modification | C:\Users\Admin\AppData\Local\IYMUGYHL\FileGrabber\Desktop\desktop.ini | RegAsm.exe
File created | C:\Users\Admin\AppData\Local\IYMUGYHL\FileGrabber\Documents\desktop.ini | RegAsm.exe
File created | C:\Users\Admin\AppData\Local\IYMUGYHL\FileGrabber\Downloads\desktop.ini | RegAsm.exe
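
The desktop.ini paths above show the stealer mirroring four user folders (Pictures, Desktop, Documents, Downloads) into a staging tree under AppData\Local\IYMUGYHL\FileGrabber before exfiltration. The Python below is an added example, not code from this report or from StormKitty, that reads file events in the report's own "description ioc process" layout and flags any process that mirrors several user folders under a FileGrabber directory. The extra user folders beyond the four shown, the "random-looking name" heuristic and the OneDrive event are assumptions or constructed input; the five RegAsm.exe events are taken from this report.

```python
import re
from collections import defaultdict

# User folders a file grabber typically mirrors. Pictures, Desktop, Documents
# and Downloads appear in this report; Videos and Music are an assumption.
USER_FOLDERS = {"desktop", "documents", "downloads", "pictures", "videos", "music"}

# <drive>:\Users\<user>\AppData\Local\<staging dir>\FileGrabber\<mirrored folder>\...
STAGING_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\(?P<stage>[^\\]+)\\FileGrabber\\(?P<folder>[^\\]+)\\",
    re.IGNORECASE,
)

# Event prefixes as the report prints them; the longer one is tested first.
ACTIONS = ("File opened for modification", "File created")


def parse_event(line):
    """Split 'File created <path> <process>' into (action, path, process)."""
    for action in ACTIONS:
        if line.startswith(action + " "):
            path, _, process = line[len(action) + 1:].rpartition(" ")
            return action, path, process
    raise ValueError(f"unrecognised file event: {line!r}")


def looks_random(name):
    """Heuristic (assumption): a staging dir of 6-12 upper-case letters such as
    IYMUGYHL, unlike vendor directories such as Microsoft or Google."""
    return 6 <= len(name) <= 12 and name.isalpha() and name.isupper()


def find_staging_trees(lines, min_folders=3):
    """Return {(process, staging dir): sorted mirrored folders} for every process
    that mirrored at least min_folders user folders under a FileGrabber dir."""
    mirrored = defaultdict(set)
    for line in lines:
        _action, path, process = parse_event(line)
        m = STAGING_RE.match(path)
        if m and m.group("folder").lower() in USER_FOLDERS:
            mirrored[(process, m.group("stage"))].add(m.group("folder").lower())
    return {key: sorted(folders) for key, folders in mirrored.items()
            if len(folders) >= min_folders}


# The five events from this report plus a constructed benign OneDrive event
# that also writes a desktop.ini under AppData\Local and must not match.
SAMPLE_EVENTS = [
    r"File created C:\Users\Admin\AppData\Local\IYMUGYHL\FileGrabber\Pictures\desktop.ini RegAsm.exe",
    r"File created C:\Users\Admin\AppData\Local\IYMUGYHL\FileGrabber\Desktop\desktop.ini RegAsm.exe",
    r"File opened for modification C:\Users\Admin\AppData\Local\IYMUGYHL\FileGrabber\Desktop\desktop.ini RegAsm.exe",
    r"File created C:\Users\Admin\AppData\Local\IYMUGYHL\FileGrabber\Documents\desktop.ini RegAsm.exe",
    r"File created C:\Users\Admin\AppData\Local\IYMUGYHL\FileGrabber\Downloads\desktop.ini RegAsm.exe",
    r"File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\desktop.ini OneDrive.exe",  # constructed
]


def report(lines=SAMPLE_EVENTS):
    """Print one line per staging tree found and return the findings."""
    findings = []
    for (process, stage), folders in find_staging_trees(lines).items():
        note = "random-looking staging dir" if looks_random(stage) else "named staging dir"
        findings.append((process, stage, folders, note))
        print(f"{process}: mirrored {', '.join(folders)} into {stage}\\FileGrabber ({note})")
    return findings


if __name__ == "__main__":
    report()
```

Requiring several mirrored folders from the same process keeps a single stray desktop.ini from firing; the staging-dir name check is only a secondary signal, since the sample could just as easily have picked a vendor-looking name.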

Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
37 | api.ipify.org
38 | ip-api.com
10 | freegeoip.app
11 | freegeoip.app
36 | api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 4880 set thread context of 2808 | 4880 | 89bcd9a2a0e9ff0b086bf9c973a3ef07f41d992793f77f359b1a3fce08c18ad4.exe | RegAsm.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | RegAsm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RegAsm.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes:
pid | process
2808 | RegAsm.exe (26 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2808 | RegAsm.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 4880 wrote to memory of 2808 | 4880 | 89bcd9a2a0e9ff0b086bf9c973a3ef07f41d992793f77f359b1a3fce08c18ad4.exe | RegAsm.exe (8 identical entries)

outlook_office_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe

outlook_win_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
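
The Outlook profile keys (the "Accesses Microsoft Outlook profiles", outlook_office_path and outlook_win_path signatures), the CentralProcessor\0\Identifier query and the Uninstall-key lookup are all registry reads by the same RegAsm.exe process, and it is the combination, credential-store access plus a sandbox check plus software enumeration from a process that has no business doing any of it, that makes the behaviour stand out. The Python below is an added example, not code from this report, that tags each process by which of those keys it touched and reports processes holding tags outside their expected set. The allow-list of expected readers, the Uninstall, OUTLOOK.EXE and svchost.exe events are assumptions or constructed input; the five RegAsm.exe events are taken from this report.

```python
import re
from collections import defaultdict

# Subkey present under every Outlook MAPI profile; account settings sit beneath
# it, which is why stealers open it directly instead of enumerating the profile.
OUTLOOK_PROFILE_GUID = "9375CFF0413111d3B88A00104B2A6676"

# Tag -> pattern matched anywhere in the key path (case-insensitive).
RULES = [
    ("outlook_office_path", re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I)),
    ("outlook_win_path", re.compile(r"\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\", re.I)),
    ("cpu_identifier", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+", re.I)),
    ("installed_software", re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)),
]

# Processes for which a tag is routine (assumption; tune per environment).
# cpu_identifier is read by almost everything and only matters in combination.
EXPECTED_READERS = {
    "outlook_office_path": {"outlook.exe"},
    "outlook_win_path": {"outlook.exe"},
    "installed_software": {"msiexec.exe", "explorer.exe"},
    "cpu_identifier": None,
}

# Event prefixes as the report prints them.
OPS = ("Key value queried", "Key opened")


def parse_event(line):
    """Split 'Key opened <key path> <process>' into (op, key, process).
    Key paths may contain spaces, so the process is taken as the last token."""
    for op in OPS:
        if line.startswith(op + " "):
            key, _, proc = line[len(op) + 1:].rpartition(" ")
            return op, key, proc
    raise ValueError(f"unrecognised registry event: {line!r}")


def classify(lines):
    """Map each process to the sorted list of tags its registry accesses hit."""
    tags = defaultdict(set)
    for line in lines:
        _op, key, proc = parse_event(line)
        for tag, pattern in RULES:
            if pattern.search(key):
                tags[proc].add(tag)
    return {proc: sorted(t) for proc, t in tags.items()}


def suspicious(classification):
    """Processes holding at least one tag outside their expected set, noting
    whether they also ran the CPU check that sandboxes are fingerprinted by."""
    findings = {}
    for proc, tags in classification.items():
        unexpected = [t for t in tags
                      if EXPECTED_READERS[t] is not None and proc.lower() not in EXPECTED_READERS[t]]
        if unexpected:
            findings[proc] = {"unexpected": unexpected, "anti_analysis": "cpu_identifier" in tags}
    return findings


SID = r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000"

SAMPLE_EVENTS = [
    # From this report
    "Key opened " + SID + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe",
    "Key opened " + SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe",
    "Key opened " + SID + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 RegAsm.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RegAsm.exe",
    # Constructed: the Uninstall lookup the signature describes, Outlook itself, and a routine CPU read
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall RegAsm.exe",
    "Key opened " + SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 OUTLOOK.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier svchost.exe",
]

if __name__ == "__main__":
    for proc, info in suspicious(classify(SAMPLE_EVENTS)).items():
        print(proc, info)
```

Run against the sample events, only RegAsm.exe is reported: OUTLOOK.EXE is an expected reader of its own profile keys, and svchost.exe only touched the CPU identifier, which on its own is noise. In a real pipeline the same logic sits on Sysmon event 12/13 or an EDR registry feed rather than on the report's text lines.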
Processes

C:\Users\Admin\AppData\Local\Temp\89bcd9a2a0e9ff0b086bf9c973a3ef07f41d992793f77f359b1a3fce08c18ad4.exe (PID 4880, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\89bcd9a2a0e9ff0b086bf9c973a3ef07f41d992793f77f359b1a3fce08c18ad4.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2808, depth 2, child of the sample)
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
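
The process tree together with the SetThreadContext and WriteProcessMemory signatures describes a textbook hollowing of a signed .NET Framework utility: the sample starts RegAsm.exe with no arguments (a real RegAsm invocation always names an assembly), writes into it, then replaces a thread context so the child runs the injected StormKitty payload under a Microsoft-signed image name. The Python below is an added example, not code from this report, that correlates those two event types per (source, target) pair and fires only when the target is an argument-less .NET host. The host list beyond RegAsm.exe, the devenv.exe/MSBuild.exe events and the PID 1244 command line are assumptions or constructed input; the PID 4880 and 2808 entries are taken from this report.

```python
import re
from collections import defaultdict

# Signed .NET Framework utilities that are popular hollowing targets because a
# child called RegAsm.exe or MSBuild.exe looks routine. RegAsm.exe is the one
# in this report; the others are an assumption.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>", as the report prints it.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_events(lines):
    """Return (src pid, action, dst pid, src image, dst image) per line."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised event: {line!r}")
        events.append((int(m["src"]), m["action"], int(m["dst"]), m["src_image"], m["dst_image"]))
    return events


def has_arguments(cmdline):
    """True if anything follows the executable token of a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        rest = cmdline.partition(" ")[2]
    return bool(rest.strip())


def detect_hollowing(lines, cmdlines):
    """One finding per (source, target) pair where the source both wrote the
    target's memory and changed a thread context, and the target is a .NET
    host started without arguments. cmdlines maps pid -> command line."""
    actions = defaultdict(set)
    images = {}
    for src, action, dst, src_image, dst_image in parse_events(lines):
        actions[(src, dst)].add(action)
        images[(src, dst)] = (src_image, dst_image)
    findings = []
    for (src, dst), seen in actions.items():
        src_image, dst_image = images[(src, dst)]
        both = {"wrote to memory of", "set thread context of"} <= seen
        host = dst_image.lower() in DOTNET_HOSTS
        argless = not has_arguments(cmdlines.get(dst, ""))
        if both and host and argless:
            findings.append({
                "source": (src, src_image),
                "target": (dst, dst_image),
                "reason": "memory write plus thread-context change into an argument-less .NET host",
            })
    return findings


SAMPLE = "89bcd9a2a0e9ff0b086bf9c973a3ef07f41d992793f77f359b1a3fce08c18ad4.exe"

# Events from this report (it lists the write eight times; three are enough
# here) plus a constructed benign pair: a debugger attached to an MSBuild.exe
# child that was started with a project argument.
SAMPLE_EVENTS = [
    "PID 4880 set thread context of 2808 4880 " + SAMPLE + " RegAsm.exe",
    "PID 4880 wrote to memory of 2808 4880 " + SAMPLE + " RegAsm.exe",
    "PID 4880 wrote to memory of 2808 4880 " + SAMPLE + " RegAsm.exe",
    "PID 4880 wrote to memory of 2808 4880 " + SAMPLE + " RegAsm.exe",
    "PID 1200 wrote to memory of 1244 1200 devenv.exe MSBuild.exe",
    "PID 1200 set thread context of 1244 1200 devenv.exe MSBuild.exe",
]

SAMPLE_CMDLINES = {
    4880: '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"',
    2808: '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"',
    1244: '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe" app.csproj',  # constructed
}

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_EVENTS, SAMPLE_CMDLINES):
        print(finding)
```

The argument check is what keeps a debugger or a build server from tripping the rule: both of those also write memory and set thread contexts, but their .NET children carry a real command line. On a live host the same three facts come from Sysmon event 10 (ProcessAccess with write and thread rights) and event 1 (the child's command line).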
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/2808-133-0x0000000000000000-mapping.dmp
memory/2808-134-0x0000000000400000-0x0000000000456000-memory.dmp (344KB)
memory/2808-135-0x00000000061B0000-0x0000000006242000-memory.dmp (584KB)
memory/2808-136-0x0000000006800000-0x0000000006DA4000-memory.dmp (5.6MB)
memory/2808-137-0x00000000066A0000-0x0000000006706000-memory.dmp (408KB)
memory/4880-132-0x0000000000580000-0x0000000000640000-memory.dmp (768KB)
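
The dump names encode the process, a sequence number and the virtual address range, so the listed sizes follow from the names, and the one the family_stormkitty YARA rule matched (2808-134) is the 344KB region at 0x400000 inside the hollowed RegAsm.exe process rather than anything in the original PID 4880. The Python below is an added example, not part of the report, that parses that naming scheme, checks each printed size against its address range, and picks out such regions. Treating 0x400000 as the likely base of an unpacked 32-bit payload is a heuristic assumed for this example.

```python
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"(?:-0x(?P<end>[0-9a-fA-F]+)-memory|-mapping)\.dmp$"
)

# Preferred image base of most 32-bit PE files. A region starting here inside a
# process the sample injected into is the usual place to find the unpacked
# payload (a heuristic assumed for this example, not a rule).
DEFAULT_IMAGE_BASE = 0x400000


def parse_dump_name(name):
    """Decode memory/<pid>-<seq>-<start>[-<end>-memory|-mapping].dmp."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "name": name,
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "kind": "region" if end is not None else "mapping",
        "size": end - start if end is not None else 0,
    }


def format_size(n):
    """Mimic the report: whole KB below 1 MiB, otherwise MB with one decimal."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def check_listed_sizes(entries):
    """entries: [(dump name, size as printed)]. Returns the names whose printed
    size disagrees with the address range encoded in the name."""
    bad = []
    for name, printed in entries:
        d = parse_dump_name(name)
        if d["kind"] == "region" and format_size(d["size"]) != printed:
            bad.append(name)
    return bad


def payload_candidates(names, sample_pid):
    """Regions at the default image base inside a process other than the
    submitted sample's own."""
    return [d["name"] for d in map(parse_dump_name, names)
            if d["kind"] == "region" and d["pid"] != sample_pid and d["start"] == DEFAULT_IMAGE_BASE]


# The Downloads list from this report, with the sizes as printed.
SAMPLE_DUMPS = [
    ("memory/2808-133-0x0000000000000000-mapping.dmp", None),
    ("memory/2808-134-0x0000000000400000-0x0000000000456000-memory.dmp", "344KB"),
    ("memory/2808-135-0x00000000061B0000-0x0000000006242000-memory.dmp", "584KB"),
    ("memory/2808-136-0x0000000006800000-0x0000000006DA4000-memory.dmp", "5.6MB"),
    ("memory/2808-137-0x00000000066A0000-0x0000000006706000-memory.dmp", "408KB"),
    ("memory/4880-132-0x0000000000580000-0x0000000000640000-memory.dmp", "768KB"),
]

if __name__ == "__main__":
    mismatches = check_listed_sizes(SAMPLE_DUMPS)
    print("size mismatches:", mismatches or "none")
    print("payload candidates:", payload_candidates([n for n, _ in SAMPLE_DUMPS], sample_pid=4880))
```

The 0x456000 - 0x400000 = 0x56000 byte region in PID 2808 is the dump to pull first when triaging: it is the one the YARA rule fired on, it sits at the classic image base, and its 344KB is far smaller than the 743KB dropper, consistent with a packed outer layer around a smaller C# stealer.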