Analysis
-
max time kernel
42s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
29-01-2023 15:58
Static task
static1
Behavioral task
behavioral1
Sample
b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe
Resource
win10v2004-20220812-en
General
-
Target
b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe
-
Size
285KB
-
MD5
6c1f437246623bf56541b7871468788f
-
SHA1
8bfdfcc20897525de3f0b8b50992dbf26963771c
-
SHA256
b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82
-
SHA512
2543b4248c0d57c8cdc314638442ec5a280de26044b0a3652980867f302fdf9579e0a9bd38337aa004befc231dfb13780f2f13bdaa3fe0deebbb2be5008b83df
-
SSDEEP
6144:/QarTYtulUh/iDV8clenjluFJAdUwTjPpr7TVg//1371N8P1uGlaN:/D0ulUhA8clOjluFJA+wTjJTVg/d371J
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 4 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\f.exe family_stormkitty C:\Users\Admin\AppData\Local\Temp\f.exe family_stormkitty C:\Users\Admin\AppData\Local\Temp\f.exe family_stormkitty behavioral1/memory/1216-59-0x000000013FD00000-0x000000013FD20000-memory.dmp family_stormkitty -
Executes dropped EXE 1 IoCs
Processes:
f.exepid process 1216 f.exe -
Drops startup file 1 IoCs
Processes:
b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe -
Loads dropped DLL 1 IoCs
Processes:
b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exepid process 836 b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
f.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f.exe Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f.exe Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exepid process 836 b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exedescription pid process target process PID 836 wrote to memory of 1216 836 b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe f.exe PID 836 wrote to memory of 1216 836 b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe f.exe PID 836 wrote to memory of 1216 836 b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe f.exe PID 836 wrote to memory of 1216 836 b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe f.exe -
outlook_office_path 1 IoCs
Processes:
f.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f.exe -
outlook_win_path 1 IoCs
Processes:
f.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe"C:\Users\Admin\AppData\Local\Temp\b452fc7395cc20a0044ff1697a4588b925d58fd8b0fd8aea1596f80e860bfe82.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f.exeC:\Users\Admin\AppData\Local\Temp\f.exe2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f.exeFilesize
114KB
MD50d60b0f3fa8652a22e28ba2f378c5f8b
SHA16f925ecdb46e911943f220ded64af51c068fb49e
SHA2562e09d54fffde9e427d070e4ac730b1e408ee0b4a624e5895e46ad4f98e4e65dd
SHA512b17f5d1ff3e34361646b505cc70c42dd1fa04b5c3b5c59d9141fab263a0679d2b11fef000dffce781e478873259667cc3cb00d88d3631a8ff09be551f3a7c4e6
-
C:\Users\Admin\AppData\Local\Temp\f.exeFilesize
114KB
MD50d60b0f3fa8652a22e28ba2f378c5f8b
SHA16f925ecdb46e911943f220ded64af51c068fb49e
SHA2562e09d54fffde9e427d070e4ac730b1e408ee0b4a624e5895e46ad4f98e4e65dd
SHA512b17f5d1ff3e34361646b505cc70c42dd1fa04b5c3b5c59d9141fab263a0679d2b11fef000dffce781e478873259667cc3cb00d88d3631a8ff09be551f3a7c4e6
-
C:\Users\Admin\AppData\Local\Temp\pwtmp\Browsers\Firefox\Bookmarks.txtFilesize
115B
MD50ca02d5a982debc89a18a061bac91a4b
SHA18f0cfe7f0dade0a74f698ba1ea1384045710060c
SHA25663ed103f5076c20b34f36efa685154aaeda7b66c206fa2f2588994fd9c60de7f
SHA512a3aff8e71e8288d97b167b9f72bb0be2a4cc5fb4b7d0975e04c792d053aa30e5882005863c7666ef94b08976a924903d52d614c2220836d0b1c247031c87f1ce
-
\Users\Admin\AppData\Local\Temp\f.exeFilesize
114KB
MD50d60b0f3fa8652a22e28ba2f378c5f8b
SHA16f925ecdb46e911943f220ded64af51c068fb49e
SHA2562e09d54fffde9e427d070e4ac730b1e408ee0b4a624e5895e46ad4f98e4e65dd
SHA512b17f5d1ff3e34361646b505cc70c42dd1fa04b5c3b5c59d9141fab263a0679d2b11fef000dffce781e478873259667cc3cb00d88d3631a8ff09be551f3a7c4e6
-
memory/836-54-0x0000000075A11000-0x0000000075A13000-memory.dmpFilesize
8KB
-
memory/1216-56-0x0000000000000000-mapping.dmp
-
memory/1216-59-0x000000013FD00000-0x000000013FD20000-memory.dmpFilesize
128KB