Analysis
max time kernel: 147s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-01-2023 13:07
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220901-en
General
Target: file.exe
Size: 170KB
MD5: d59d7514d7df3d20f969fa6b5517eb01
SHA1: bdc5bee56769d229403a4c116875e65db2fd3e8c
SHA256: d2274cca6f30f46595535f1b67f2f4e493eb97ec1a11258bd73ed6bd702d025d
SHA512: a5f21cb4f51f99f67de4b8bf82add5a9aa123f025837a0a07cf587b3f8f5e1a6a5c9a7e04c863ef77a3c22c350c61b97ec87e3e15e22aca78ce1cfb447f636d9
SSDEEP: 3072:++STW8djpN6izj8mZwdJqutB+YDpqIPu/i9bVK2cPVI6+Wp7:j8XN6W8mmHPtppXPSi9b4
Malware Config
Extracted
Family: asyncrat
Botnet: Default
C2 hosts:
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
Telegram endpoint: https://api.telegram.org/bot5360303860:AAH_YAk63cASK9FV95ft07Rf6tjatzAINIE/sendMessage?chat_id=5676635446
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%

All three C2 hosts are loopback addresses, so the AsyncRAT socket channel in this build cannot reach an operator; the Telegram Bot API URL is the live exfiltration path for the stealer report. The URL embeds the bot token (the path segment after "bot") and the operator's chat_id; treat the token as a credential when handling this report. install is false, so the RAT's own installer/persistence routine is disabled, which matches the absence of any persistence signature in this run.
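The following is an added example for triaging an extracted configuration of the shape shown above; it is not part of the sandbox report or of the malware. It separates loopback C2 entries from routable ones and pulls the bot id, method and chat_id out of a Telegram Bot API URL without echoing the secret. The bot token and chat_id in SAMPLE_CONFIG are constructed placeholders, not the values from this report.

```python
# Added example for the extracted configuration above; not part of the
# sandbox report or of the malware. The bot token and chat_id below are
# constructed placeholders, not the values from the report.
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

SAMPLE_CONFIG = {
    "hosts": ["127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808"],
    "telegram": ("https://api.telegram.org/bot1234567890:AAEconstructedPLACEHOLDERtoken0123456789"
                 "/sendMessage?chat_id=111222333"),
    "mutex": "AsyncMutex_6SI8OkPnk",
    "delay": 3,
    "install": False,
    "install_folder": "%AppData%",
}

# Telegram Bot API paths look like /bot<bot_id>:<secret>/<method>; the bot_id
# is safe to share, the secret is the credential.
TELEGRAM_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$"
)


def classify_host(entry):
    """Split 'host:port' and say whether the host could reach an operator."""
    host, _, port = entry.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback:
            kind = "loopback"
        elif ip.is_private:
            kind = "private"
        else:
            kind = "public"
    except ValueError:
        kind = "hostname"  # DNS name: resolvable, so potentially live
    return {"host": host, "port": int(port) if port.isdigit() else None, "kind": kind}


def parse_telegram_url(url):
    """Extract bot id, method and chat_id; never return the full secret."""
    u = urlparse(url)
    if u.scheme != "https" or u.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_PATH_RE.match(u.path)
    if not m:
        return None
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    return {
        "bot_id": m["bot_id"],
        "secret_fingerprint": m["secret"][:4] + "..." + m["secret"][-4:],
        "method": m["method"],
        "chat_id": chat_id,
    }


def triage(cfg):
    hosts = [classify_host(h) for h in cfg["hosts"]]
    return {
        "hosts": hosts,
        # A loopback-only host list means the RAT socket channel is a placeholder.
        "rat_c2_reachable": any(h["kind"] != "loopback" for h in hosts),
        "telegram": parse_telegram_url(cfg["telegram"]),
        "persists_via_installer": bool(cfg["install"]),
        "mutex": cfg["mutex"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CONFIG), indent=2))
```

The bot_id and chat_id are what an abuse report to Telegram needs; the secret fingerprint is enough to correlate samples that share a token without copying the credential into tickets.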
Signatures

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
  resource: behavioral2/memory/1984-132-0x0000000000CE0000-0x0000000000D10000-memory.dmp
  yara_rule: family_stormkitty

Async RAT payload (1 IoC)
  resource: behavioral2/memory/1984-132-0x0000000000CE0000-0x0000000000D10000-memory.dmp
  yara_rule: asyncrat

Both rules match the same 192KB region of PID 1984. That is expected: StormKitty reuses the AsyncRAT client configuration format (the AsyncMutex_ default mutex and the loopback C2 placeholders in the extracted config above), so AsyncRAT-family rules fire on it as well. The family verdict should follow the StormKitty hit and the Telegram exfiltration, not the AsyncRAT label.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

Drops desktop.ini file(s) (8 IoCs)
Process file.exe:
  File created: C:\Users\Admin\AppData\Local\d4aa2a5a0d536d4a0925b0db7757577e\Admin@XZIOFAVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini
  File created: C:\Users\Admin\AppData\Local\d4aa2a5a0d536d4a0925b0db7757577e\Admin@XZIOFAVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
  File opened for modification: C:\Users\Admin\AppData\Local\d4aa2a5a0d536d4a0925b0db7757577e\Admin@XZIOFAVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
  File created: C:\Users\Admin\AppData\Local\d4aa2a5a0d536d4a0925b0db7757577e\Admin@XZIOFAVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini
  File opened for modification: C:\Users\Admin\AppData\Local\d4aa2a5a0d536d4a0925b0db7757577e\Admin@XZIOFAVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini
  File created: C:\Users\Admin\AppData\Local\d4aa2a5a0d536d4a0925b0db7757577e\Admin@XZIOFAVD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
  File created: C:\Users\Admin\AppData\Local\d4aa2a5a0d536d4a0925b0db7757577e\Admin@XZIOFAVD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
  File created: C:\Users\Admin\AppData\Local\d4aa2a5a0d536d4a0925b0db7757577e\Admin@XZIOFAVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Every path sits under a per-victim staging directory (a 32-hex id beneath %LOCALAPPDATA%, then <user>@<hostname>_<locale>\Grabber\DRIVE-C\) that mirrors the victim's Desktop, Documents, Downloads and Pictures folders. The desktop.ini writes are a side effect of the stealer's file grabber copying those folders wholesale; the staging directory layout, not desktop.ini itself, is the useful on-disk indicator.
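The following is an added example, not part of the sandbox report, that parses file-create IoCs of the shape listed above and recovers the grabber's staging layout: victim tag, original location of each copied file, and which top-level user folders were swept. The sample paths are copied from the report; the layout rule `%LOCALAPPDATA%\<32-hex id>\<user>@<host>_<locale>\Grabber\DRIVE-<X>\<mirrored path>` is an assumption read off those paths, and the benign control path at the end is constructed.

```python
# Added example for the desktop.ini IoCs above; not part of the sandbox
# report. The sample paths are copied from the report; the layout rule
#   %LOCALAPPDATA%\<32-hex id>\<user>@<host>_<locale>\Grabber\DRIVE-<X>\<mirrored path>
# is an assumption read off those paths, not something the report states.
import re
from collections import Counter

STAGING_RE = re.compile(
    r"^(?P<drive_root>[A-Za-z]:)\\Users\\(?P<profile>[^\\]+)\\AppData\\Local"
    r"\\(?P<staging_id>[0-9a-fA-F]{32})"
    r"\\(?P<user>[^@\\]+)@(?P<host>[^_\\]+)_(?P<locale>[A-Za-z]{2}-[A-Za-z]{2})"
    r"\\Grabber\\DRIVE-(?P<src_drive>[A-Za-z])\\(?P<mirrored>.+)$"
)

BASE = r"C:\Users\Admin\AppData\Local\d4aa2a5a0d536d4a0925b0db7757577e\Admin@XZIOFAVD_en-US\Grabber\DRIVE-C\Users\Admin"
SAMPLE_IOCS = [
    ("File created", BASE + r"\Pictures\Saved Pictures\desktop.ini"),
    ("File created", BASE + r"\Desktop\desktop.ini"),
    ("File opened for modification", BASE + r"\Desktop\desktop.ini"),
    ("File created", BASE + r"\Pictures\desktop.ini"),
    ("File opened for modification", BASE + r"\Pictures\desktop.ini"),
    ("File created", BASE + r"\Documents\desktop.ini"),
    ("File created", BASE + r"\Downloads\desktop.ini"),
    ("File created", BASE + r"\Pictures\Camera Roll\desktop.ini"),
    # Constructed control: a legitimate desktop.ini write outside any staging dir.
    ("File created", r"C:\Users\Admin\Pictures\desktop.ini"),
]


def parse_staging_path(path):
    """Return the staging components of a grabber path, or None if it is not one."""
    m = STAGING_RE.match(path)
    if not m:
        return None
    d = m.groupdict()
    # Rebuild the location the file was copied from.
    d["source_path"] = d["src_drive"].upper() + ":\\" + d["mirrored"]
    return d


def summarize(iocs):
    """Group grabber writes by staging id: victim tag, distinct copied files,
    and how many copied files came from each top-level user folder."""
    out = {}
    for _action, path in iocs:
        p = parse_staging_path(path)
        if p is None:
            continue
        entry = out.setdefault(p["staging_id"], {
            "victim_tag": f'{p["user"]}@{p["host"]}_{p["locale"]}',
            "sources": set(),
            "swept_folders": Counter(),
        })
        if p["source_path"] in entry["sources"]:
            continue  # create + modify of the same file count once
        entry["sources"].add(p["source_path"])
        parts = p["source_path"].split("\\")
        # C:\Users\<name>\<folder>\... -> <folder>
        if len(parts) > 3 and parts[1].lower() == "users":
            entry["swept_folders"][parts[3]] += 1
    return out


if __name__ == "__main__":
    for sid, info in summarize(SAMPLE_IOCS).items():
        print(sid, info["victim_tag"], sorted(info["swept_folders"]))
```

STAGING_RE doubles as a hunt expression for file-create telemetry: a 32-hex directory under AppData\Local containing a `<user>@<host>_<locale>\Grabber\` subtree is a narrow pattern with little legitimate overlap.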
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 31: icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process file.exe:
  Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier

Caveat: reading CentralProcessor\0\Identifier is also how ordinary software, and a stealer's own system-information report, obtain the CPU model, so on its own it is a weak evasion indicator. Weight it together with the external IP and geolocation lookups and the wlan enumeration in the process tree below.
Suspicious behavior: EnumeratesProcesses (29 IoCs)
  pid 1984 file.exe (29 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 1984 file.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Each parent/child pair below was recorded three times (21 entries for 7 process launches):
  PID 1984 file.exe wrote to memory of PID 2024 cmd.exe
  PID 2024 cmd.exe wrote to memory of PID 2680 chcp.com
  PID 2024 cmd.exe wrote to memory of PID 4020 netsh.exe
  PID 2024 cmd.exe wrote to memory of PID 5080 findstr.exe
  PID 1984 file.exe wrote to memory of PID 4256 cmd.exe
  PID 4256 cmd.exe wrote to memory of PID 2468 chcp.com
  PID 4256 cmd.exe wrote to memory of PID 4196 netsh.exe

The targets are exactly the children spawned in the process tree below, so these writes coincide with process creation rather than with injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 1984)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 2024)
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        - Suspicious use of WriteProcessMemory
        +-- C:\Windows\SysWOW64\chcp.com  (PID 2680)   chcp 65001
        +-- C:\Windows\SysWOW64\netsh.exe  (PID 4020)   netsh wlan show profile
        +-- C:\Windows\SysWOW64\findstr.exe  (PID 5080)   findstr All
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 4256)
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        - Suspicious use of WriteProcessMemory
        +-- C:\Windows\SysWOW64\chcp.com  (PID 2468)   chcp 65001
        +-- C:\Windows\SysWOW64\netsh.exe  (PID 4196)   netsh wlan show networks mode=bssid

PIDs are taken from the WriteProcessMemory table above. The two cmd.exe pipelines are the stealer's Wi-Fi collection: "netsh wlan show profile" lists the saved wireless profiles and "netsh wlan show networks mode=bssid" records nearby access points. "chcp 65001" switches the console to UTF-8 so the captured output parses regardless of the victim's locale. The per-profile follow-up that exposes the stored key ("netsh wlan show profile name=<SSID> key=clear") does not appear in this trace, which is consistent with the sandbox having no saved profiles to dump.
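The following is an added detection example for the process chain above; it is not part of the sandbox report. It runs over constructed Sysmon-style process-creation events (pid, ppid, image, command line) that mirror the tree, plus a constructed benign control where an interactive shell runs the same netsh command, and flags netsh wlan enumeration only when its ancestry includes a binary executing from a user-writable directory. The event field names and the benign control are assumptions, not the sandbox's own output format.

```python
# Added example for the process tree above; not part of the sandbox report.
# Events are constructed to mirror the tree (Sysmon-style fields: pid, ppid,
# image, command line); the benign control at the end is also constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_EVENTS = [
    ProcEvent(1984, 1000, r"C:\Users\Admin\AppData\Local\Temp\file.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'),
    ProcEvent(2024, 1984, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(2680, 2024, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    ProcEvent(4020, 2024, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile"),
    ProcEvent(5080, 2024, r"C:\Windows\SysWOW64\findstr.exe", "findstr All"),
    ProcEvent(4256, 1984, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcEvent(2468, 4256, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    ProcEvent(4196, 4256, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show networks mode=bssid"),
    # Constructed benign control: an interactive shell running the same command.
    ProcEvent(7000, 6000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(7001, 7000, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
]

# netsh wlan subcommands that enumerate saved profiles or nearby networks.
WLAN_ENUM = re.compile(r"\bwlan\s+show\s+(profile|networks)\b", re.I)
# Executables launched from user-writable locations are the suspicious origin.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData\\(Local|Roaming)|Downloads|Desktop|Public)\\", re.I)
CHCP_UTF8 = re.compile(r"\bchcp\s+65001\b", re.I)


def ancestry(by_pid, pid, max_depth=16):
    """Walk ppid links from pid upward; stops at unknown pids or cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect_wifi_harvest(events):
    """Flag netsh.exe wlan enumeration whose ancestry includes a binary running
    from a user-writable directory."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not ev.image.lower().endswith("\\netsh.exe"):
            continue
        m = WLAN_ENUM.search(ev.cmdline)
        if not m:
            continue
        origin = next((a for a in ancestry(by_pid, ev.pid) if USER_WRITABLE.search(a.image)), None)
        if origin is None:
            continue
        parent = by_pid.get(ev.ppid)
        findings.append({
            "netsh_pid": ev.pid,
            "subcommand": m.group(1).lower(),
            "origin_pid": origin.pid,
            "origin_image": origin.image,
            # chcp 65001 in the parent shell: the stealer forces UTF-8 so it can
            # parse netsh output regardless of the victim's locale.
            "utf8_forced": bool(parent and CHCP_UTF8.search(parent.cmdline)),
        })
    return findings


if __name__ == "__main__":
    for f in detect_wifi_harvest(SAMPLE_EVENTS):
        print(f)
```

The ancestry walk is what keeps the rule quiet for administrators: the same netsh command from a System32 shell with no user-writable ancestor produces no finding, while the two netsh launches rooted in the Temp-directory executable are both reported with the UTF-8 code page switch noted.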
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1984-132-0x0000000000CE0000-0x0000000000D10000-memory.dmp (192KB)  region matched by the family_stormkitty and asyncrat YARA rules above
memory/1984-133-0x0000000005790000-0x00000000057F6000-memory.dmp (408KB)
memory/1984-134-0x00000000065C0000-0x0000000006652000-memory.dmp (584KB)
memory/1984-135-0x0000000006C10000-0x00000000071B4000-memory.dmp (5.6MB)
memory/1984-144-0x0000000005BA0000-0x0000000005BB2000-memory.dmp (72KB)
memory/1984-143-0x00000000066F0000-0x00000000066FA000-memory.dmp (40KB)
memory/2024-136-0x0000000000000000-mapping.dmp
memory/2468-141-0x0000000000000000-mapping.dmp
memory/2680-137-0x0000000000000000-mapping.dmp
memory/4020-138-0x0000000000000000-mapping.dmp
memory/4196-142-0x0000000000000000-mapping.dmp
memory/4256-140-0x0000000000000000-mapping.dmp
memory/5080-139-0x0000000000000000-mapping.dmp