Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
17-01-2023 06:07
Static task
static1
Behavioral task
behavioral1
Sample
82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe
Resource
win10v2004-20221111-en
General
-
Target
82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe
-
Size
335KB
-
MD5
c7fbe52e88456eabb4d4a1a1a0670cf4
-
SHA1
3b479f15645c31c7067c31aede6e1802093ac78b
-
SHA256
82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746
-
SHA512
3302aa29196e3864850c7f6bfdc274a285f3f51fd1d60b0e728caa29b4f25bc70f30429819de1ea27855841fa0ec00f0fec69c1745794a96c5c19d11d0c8fa05
-
SSDEEP
6144:wcjrQ/rcaXeLfKqsmLjCkHhUcuS37N7E+rdR2cFoWIEh89dHHWtjunUU:wcjiuJsmXCkStSLNnRVFopEhAdH2tK
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5980420064:AAHGrlOU2WsgF90Pcyz-L7wrGgC_Cj54k4Q/sendMessage?chat_id=806259874
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
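The unlabeled lines of the extracted config are the actionable part of this report. The following is an added example written for this page (not sandbox code and not StormKitty or AsyncRAT code) that classifies them into C2 endpoints, a Telegram Bot API endpoint and a mutex, marks loopback C2 hosts as dead, and pulls the bot token and chat_id out of the URL. The meanings assigned to the unlabeled lines are an assumption based on the AsyncRAT config layout; the values themselves are copied from the config above.

```python
"""Normalise the extracted AsyncRAT/StormKitty config above into an IOC list.

Added example for this report, not sandbox or StormKitty code. Which unlabeled
line is a host, a Telegram endpoint or a mutex is an assumption based on the
AsyncRAT config layout; the values are copied from the report.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs
import re

# Constructed input: the unlabeled lines of the "Malware Config" block above.
EXTRACTED_CONFIG = """\
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5980420064:AAHGrlOU2WsgF90Pcyz-L7wrGgC_Cj54k4Q/sendMessage?chat_id=806259874
AsyncMutex_6SI8OkPnk
"""

HOST_RE = re.compile(r"^(?P<host>[^:/\s]+):(?P<port>\d{1,5})$")
# Telegram bot tokens look like <numeric bot id>:<secret>; the path is /bot<token>/<method>
TG_PATH_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_config(text):
    """Classify each line as a C2 endpoint, a Telegram bot endpoint, or a mutex."""
    iocs = {"c2": [], "telegram": [], "mutex": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HOST_RE.match(line)
        if m:
            host, port = m["host"], int(m["port"])
            try:
                dead = ip_address(host).is_loopback  # 127.0.0.1 C2 is a placeholder
            except ValueError:
                dead = False  # hostname, not an IP literal
            iocs["c2"].append({"host": host, "port": port, "dead": dead})
            continue
        if line.startswith("http"):
            u = urlsplit(line)
            pm = TG_PATH_RE.match(u.path)
            if u.hostname == "api.telegram.org" and pm:
                chat = parse_qs(u.query).get("chat_id", [None])[0]
                iocs["telegram"].append(
                    {"token": pm["token"], "method": pm["method"], "chat_id": chat})
            continue
        if line.startswith("AsyncMutex_"):
            iocs["mutex"].append(line)
    return iocs


def live_channels(iocs):
    """Endpoints actually worth blocking: non-loopback hosts plus any Telegram bot."""
    hosts = [f'{c["host"]}:{c["port"]}' for c in iocs["c2"] if not c["dead"]]
    bots = [f'api.telegram.org/bot{t["token"]}' for t in iocs["telegram"]]
    return hosts + bots


if __name__ == "__main__":
    cfg = parse_config(EXTRACTED_CONFIG)
    print(cfg)
    print("live channels:", live_channels(cfg))
```

With all three hosts on 127.0.0.1 the TCP C2 is a placeholder and the Telegram bot is the only live channel. Blocking api.telegram.org by domain is rarely acceptable, so the token (and the chat_id) is the indicator to match on in proxy logs and to report to Telegram for revocation; the mutex name is useful for host-side hunting.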
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#. Its client is built on AsyncRAT code, which is why the asyncrat rule below hits the same file and memory region.
-
StormKitty payload 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\wwst.exe | family_stormkitty
C:\Users\Admin\AppData\Local\Temp\wwst.exe | family_stormkitty
behavioral1/memory/1580-143-0x0000000000BE0000-0x0000000000C12000-memory.dmp | family_stormkitty
-
Async RAT payload 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\wwst.exe | asyncrat
C:\Users\Admin\AppData\Local\Temp\wwst.exe | asyncrat
behavioral1/memory/1580-143-0x0000000000BE0000-0x0000000000C12000-memory.dmp | asyncrat
-
Executes dropped EXE 3 IoCs
Processes: WindowsDataC.exe, RunIt.exe, wwst.exe
pid | process
2208 | WindowsDataC.exe
1932 | RunIt.exe
1580 | wwst.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe, RunIt.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataC.exe = "C:\\ProgramData\\WindowsDataC.exe" | 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rnts.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Rnts.exe" | RunIt.exe
-
Drops desktop.ini file(s) 8 IoCs
Processes: wwst.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | wwst.exe
File created | C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | wwst.exe
File created | C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | wwst.exe
File created | C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | wwst.exe
File created | C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | wwst.exe
File created | C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | wwst.exe
File opened for modification | C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | wwst.exe
File created | C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | wwst.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
18 | icanhazip.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour; in this run it is more plausibly the StormKitty file grabber enumerating drives, which matches the Grabber\DRIVE-C staging paths listed above.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: wwst.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wwst.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | wwst.exe
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes: wwst.exe
pid | process
1580 | wwst.exe (25 occurrences)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: wwst.exe
description | pid | process
Token: SeDebugPrivilege | 1580 | wwst.exe
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes: 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe, wwst.exe, cmd.exe, cmd.exe
Each entry in the original report is one recorded WriteProcessMemory call; identical entries are collapsed here with a count (29 calls in total).
pid (process) -> target pid (target process) | count
3388 (82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe) -> 2208 (WindowsDataC.exe) | 2
3388 (82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe) -> 1932 (RunIt.exe) | 3
3388 (82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe) -> 1580 (wwst.exe) | 3
1580 (wwst.exe) -> 3352 (cmd.exe) | 3
3352 (cmd.exe) -> 3480 (chcp.com) | 3
3352 (cmd.exe) -> 2632 (netsh.exe) | 3
3352 (cmd.exe) -> 3820 (findstr.exe) | 3
1580 (wwst.exe) -> 1612 (cmd.exe) | 3
1612 (cmd.exe) -> 2032 (chcp.com) | 3
1612 (cmd.exe) -> 4440 (netsh.exe) | 3
-
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\ProgramData\WindowsDataC.exe
        command line: "C:\ProgramData\WindowsDataC.exe"
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\wwst.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\wwst.exe"
        - Executes dropped EXE
        - Drops desktop.ini file(s)
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\chcp.com
                command line: chcp 65001
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh wlan show profile
            [4] C:\Windows\SysWOW64\findstr.exe
                command line: findstr All
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\chcp.com
                command line: chcp 65001
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh wlan show networks mode=bssid
    [2] C:\Users\Admin\AppData\Local\Temp\RunIt.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\RunIt.exe"
        - Executes dropped EXE
        - Adds Run key to start application
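The signatures and the process tree above together describe five behaviours a detection engineer can turn into rules: a Run key that points into a user-writable directory, the Geo\Nation geofence lookup, the CentralProcessor\0 query, the StormKitty grabber staging directory, and cmd.exe spawned from a dropped binary to run netsh wlan. The following is an added example written for this page (not the sandbox's rule set, not StormKitty or AsyncRAT code). The event records use a simplified Sysmon-like shape that is an assumption, not a real schema, and the sample events are constructed from the registry keys, file paths, PIDs and command lines listed in this report plus one constructed benign control.

```python
"""Behavioural rules for the signatures and process tree in this report.

Added example written for this page; not the sandbox's rule set and not
StormKitty or AsyncRAT code. The event dicts are a simplified Sysmon-like
shape (an assumption, not a real schema); the sample events are constructed
from the PIDs, registry keys, paths and command lines in the report.
"""
import re

# Locations a persistence entry or a netsh-spawning ancestor should not live in.
USER_WRITABLE = re.compile(r"\\(ProgramData|AppData\\Local\\Temp|AppData\\Roaming)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
CPU_KEY = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\Identifier)?$", re.I)
# StormKitty staging layout seen above: <LocalAppData>\<32 hex>\<user>@<host>_<locale>\Grabber\
GRABBER_PATH = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{32}\\[^\\]+@[^\\]+_[a-z]{2}-[a-z]{2}\\Grabber\\", re.I)
NETSH_WLAN = re.compile(r"\bnetsh\s+wlan\s+show\s+(profile|networks)\b", re.I)

SID = r"\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe"
WWST = TEMP + r"\wwst.exe"

# Constructed events, taken from the report; pid 3000/4000 is a constructed benign control.
EVENTS = [
    {"type": "process_create", "pid": 3388, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 1580, "ppid": 3388, "image": WWST, "cmdline": f'"{WWST}"'},
    {"type": "process_create", "pid": 3352, "ppid": 1580, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"type": "process_create", "pid": 2632, "ppid": 3352, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": "netsh wlan show profile"},
    {"type": "process_create", "pid": 3000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 4000, "ppid": 3000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh wlan show profile"},  # an admin running the same command: must not fire
    {"type": "registry_query", "pid": 3388, "key": SID + r"\Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "pid": 3388,
     "key": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataC.exe",
     "data": r"C:\ProgramData\WindowsDataC.exe"},
    {"type": "registry_set", "pid": 1932,
     "key": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rnts.exe",
     "data": TEMP + r"\Rnts.exe"},
    {"type": "registry_query", "pid": 1580,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"},
    {"type": "file_create", "pid": 1580,
     "path": r"C:\Users\Admin\AppData\Local\02b399f142bf7ce91ea3aa10029008a5"
             r"\Admin@COXNLIOB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini"},
]


def annotate_ancestry(events):
    """Set ancestor_image on process_create events: nearest ancestor that is not cmd.exe."""
    parents = {ev["pid"]: (ev["ppid"], ev["image"])
               for ev in events if ev["type"] == "process_create"}
    for ev in events:
        if ev["type"] != "process_create":
            continue
        ppid = ev["ppid"]
        while ppid in parents and parents[ppid][1].lower().endswith("\\cmd.exe"):
            ppid = parents[ppid][0]  # look through the cmd.exe wrapper to who launched it
        ev["ancestor_image"] = parents.get(ppid, (None, ""))[1]
    return events


def rules_for(ev):
    """Return the names of the rules one event triggers."""
    hits, t = [], ev["type"]
    if t == "registry_set" and RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["data"]):
        hits.append("persistence_run_key_to_user_writable_path")
    if t == "registry_query" and GEO_KEY.search(ev["key"]):
        hits.append("geofence_country_lookup")
    if t == "registry_query" and CPU_KEY.search(ev["key"]):
        hits.append("cpu_identifier_query_possible_sandbox_check")
    if t == "file_create" and GRABBER_PATH.search(ev["path"]):
        hits.append("stormkitty_grabber_staging_dir")
    # netsh wlan from an admin shell is normal; only fire when the launcher sits in a
    # user-writable directory, as the dropped wwst.exe does here.
    if t == "process_create" and NETSH_WLAN.search(ev["cmdline"]) \
            and USER_WRITABLE.search(ev.get("ancestor_image", "")):
        hits.append("wifi_profile_harvest_from_dropped_binary")
    return hits


def evaluate(events):
    """Run every rule over every event; returns (pid, rule) pairs."""
    return [(ev["pid"], rule) for ev in annotate_ancestry(events) for rule in rules_for(ev)]


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(pid, rule)
```

The ancestry step is what keeps the netsh rule usable: the interesting fact is not that netsh ran but that a binary in AppData\Local\Temp launched it through cmd.exe, so the rule looks through the cmd.exe wrapper to the process that started the chain. The same walk is also how the 29 WriteProcessMemory records above would be folded back into the tree.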
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\WindowsDataC.exe
Filesize 335KB
MD5 c7fbe52e88456eabb4d4a1a1a0670cf4
SHA1 3b479f15645c31c7067c31aede6e1802093ac78b
SHA256 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746
SHA512 3302aa29196e3864850c7f6bfdc274a285f3f51fd1d60b0e728caa29b4f25bc70f30429819de1ea27855841fa0ec00f0fec69c1745794a96c5c19d11d0c8fa05
(identical hashes to the submitted sample: the first stage copies itself to C:\ProgramData and registers that copy in the Run key)
-
C:\Users\Admin\AppData\Local\Temp\RunIt.exe
Filesize 143KB
MD5 d067619856f7f3079375960f62b99369
SHA1 964d548557dec3aa8e851526b71adca4b4ddbfd5
SHA256 9770561d2a27dbc16c230fe88af51f718d7d6274fcd63a3f109c381be848b4a9
SHA512 1ec891082ac133833217ce8314f6d163451c5554b789cbf8a5ff0d5ebd0b55a7ec49ea5c408bf784e6952a37526de9e77e6c39b9a4ea3b950c3fda44e7f973b8
-
C:\Users\Admin\AppData\Local\Temp\wwst.exe
Filesize 175KB
MD5 5224b9398f4ed7a52b85b432b3d50a04
SHA1 c7bfe32e841f87c2b15a8a9266ddb981e8786157
SHA256 82e62dbfd6aa5df5162e2a6a9cd5a0dfb97f94fb5f5bf531ca9f974ec0464ae2
SHA512 2a6374f9bbad9f198e671d2707abfee1d74af935da62c89acac9e5be6467008b96f1879e61ab76a4a9fbf4b568b8d2f697bbc4fe79dc32eef7461686ca245ef0
-
memory dump | filesize
memory/1580-143-0x0000000000BE0000-0x0000000000C12000-memory.dmp | 200KB
memory/1580-161-0x0000000006100000-0x0000000006112000-memory.dmp | 72KB
memory/1580-160-0x00000000060F0000-0x00000000060FA000-memory.dmp | 40KB
memory/1580-138-0x0000000000000000-mapping.dmp
memory/1580-150-0x00000000058B0000-0x0000000005916000-memory.dmp | 408KB
memory/1612-157-0x0000000000000000-mapping.dmp
memory/1932-146-0x0000000005A90000-0x0000000006034000-memory.dmp | 5.6MB
memory/1932-137-0x0000000000000000-mapping.dmp
memory/1932-145-0x0000000000950000-0x000000000097A000-memory.dmp | 168KB
memory/1932-147-0x0000000005410000-0x00000000054A2000-memory.dmp | 584KB
memory/1932-148-0x00000000054E0000-0x000000000557C000-memory.dmp | 624KB
memory/1932-149-0x0000000005580000-0x000000000558A000-memory.dmp | 40KB
memory/2032-158-0x0000000000000000-mapping.dmp
memory/2208-144-0x00007FFED96F0000-0x00007FFEDA1B1000-memory.dmp | 10.8MB
memory/2208-152-0x00007FFED96F0000-0x00007FFEDA1B1000-memory.dmp | 10.8MB
memory/2208-134-0x0000000000000000-mapping.dmp
memory/2632-155-0x0000000000000000-mapping.dmp
memory/3352-153-0x0000000000000000-mapping.dmp
memory/3388-151-0x00007FFED96F0000-0x00007FFEDA1B1000-memory.dmp | 10.8MB
memory/3388-132-0x00000000006C0000-0x000000000071C000-memory.dmp | 368KB
memory/3388-133-0x00007FFED96F0000-0x00007FFEDA1B1000-memory.dmp | 10.8MB
memory/3480-154-0x0000000000000000-mapping.dmp
memory/3820-156-0x0000000000000000-mapping.dmp
memory/4440-159-0x0000000000000000-mapping.dmp