Analysis
-
max time kernel: 77s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 01-02-2023 21:48
Behavioral task behavioral1: Sample tmp.exe, Resource win7-20221111-en
Behavioral task behavioral2: Sample tmp.exe, Resource win10v2004-20221111-en
General
-
Target: tmp.exe
Size: 308KB
MD5: 67019931e1e4a3ce1d18e85e2c3db44a
SHA1: f16e0d3080cfbf02d804138c8acd988eda314880
SHA256: 2980fa511cf6d3783e2f5afeaf46a07d09d8bb5e9e7a6ddd9f6d33890d4766c8
SHA512: e99310c34f751f723bfee28a2b0004611a7b22b781335b7c874dd46d1a6555b520102129bfedaeb83314423b0450be57fe8eab8fab2c0ab78d67b5ada4837fb1
SSDEEP: 6144:YEtXoAKIx27rgZZQwl9BAoMEoAOZfCxNOlGWf1ssvgWFqlN:YEtXocx27roZ0oME/OZfCxN/m1sagWy
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource: behavioral2/memory/1616-132-0x00000000000E0000-0x0000000000130000-memory.dmp  yara_rule: family_stormkitty
-
Downloads MZ/PE file
-
yara rule vmprotect matched 2 IoCs
Processes:
resource: behavioral2/memory/1616-143-0x000000001BEC0000-0x000000001BF44000-memory.dmp  yara_rule: vmprotect
resource: C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll  yara_rule: vmprotect
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation (tmp.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (tmp.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (tmp.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (tmp.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 10: ip-api.com
flow 21: icanhazip.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; for a sample already identified as the StormKitty info stealer, drive enumeration is better explained as locating files to collect.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (tmp.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (tmp.exe)
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid 4544 timeout.exe
-
Kills process with taskkill 1 IoCs
Processes:
pid 960 taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
pid 1616 tmp.exe (28 events)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Token: SeDebugPrivilege  pid 1616 tmp.exe
Token: SeSecurityPrivilege  pid 4420 msiexec.exe
Token: SeDebugPrivilege  pid 960 taskkill.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
PID 1616 wrote to memory of 1420 (tmp.exe -> cmd.exe)
PID 1616 wrote to memory of 1420 (tmp.exe -> cmd.exe)
PID 1420 wrote to memory of 2556 (cmd.exe -> chcp.com)
PID 1420 wrote to memory of 2556 (cmd.exe -> chcp.com)
PID 1420 wrote to memory of 3944 (cmd.exe -> netsh.exe)
PID 1420 wrote to memory of 3944 (cmd.exe -> netsh.exe)
PID 1420 wrote to memory of 808 (cmd.exe -> findstr.exe)
PID 1420 wrote to memory of 808 (cmd.exe -> findstr.exe)
PID 1616 wrote to memory of 4204 (tmp.exe -> cmd.exe)
PID 1616 wrote to memory of 4204 (tmp.exe -> cmd.exe)
PID 4204 wrote to memory of 1796 (cmd.exe -> chcp.com)
PID 4204 wrote to memory of 1796 (cmd.exe -> chcp.com)
PID 4204 wrote to memory of 2844 (cmd.exe -> netsh.exe)
PID 4204 wrote to memory of 2844 (cmd.exe -> netsh.exe)
PID 1616 wrote to memory of 5024 (tmp.exe -> cmd.exe)
PID 1616 wrote to memory of 5024 (tmp.exe -> cmd.exe)
PID 5024 wrote to memory of 4236 (cmd.exe -> chcp.com)
PID 5024 wrote to memory of 4236 (cmd.exe -> chcp.com)
PID 5024 wrote to memory of 960 (cmd.exe -> taskkill.exe)
PID 5024 wrote to memory of 960 (cmd.exe -> taskkill.exe)
PID 5024 wrote to memory of 4544 (cmd.exe -> timeout.exe)
PID 5024 wrote to memory of 4544 (cmd.exe -> timeout.exe)
-
outlook_office_path 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (tmp.exe)
-
outlook_win_path 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (tmp.exe)
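The registry indicators above (the Geo\Nation geofence lookup, the two Outlook profile stores and the CentralProcessor identifier) are cheap to turn into host-side detection logic. The script below is an added example and is not part of the sandbox report or of StormKitty: it tags "Key opened" / "Key value queried" records of the kind shown above, with the per-user SID normalised away so the rules work on any host. The event records are constructed here from the report's IoCs (SID copied from the report); the explorer.exe record is an invented benign control.

```python
"""Registry-access triage for the StormKitty-style indicators listed above.

Added example (not from the sandbox report or the StormKitty project).
"""
import re
from collections import defaultdict
from typing import Dict, List

# The user hive SID is replaced before matching so the rules are host-independent.
SID_RE = re.compile(r"\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+", re.I)

# Each rule is matched case-insensitively against the normalised key path.
REGISTRY_RULES = {
    # Geo\Nation holds the configured country code: the geofence check.
    "geofence_nation_lookup": re.compile(
        r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    # Outlook profile store under Office 15.0 / 16.0 (saved account data).
    "outlook_office_profile": re.compile(
        r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I),
    # Legacy MAPI profile store, the second location the sample opened.
    "outlook_wms_profile": re.compile(
        r"\\Windows Messaging Subsystem\\Profiles\\", re.I),
    # CPU identifier read, commonly used to fingerprint sandboxes.
    "cpu_identifier_query": re.compile(
        r"\\HARDWARE\\Description\\System\\CentralProcessor\\0(?:\\Identifier)?$", re.I),
}


def normalise_key(key: str) -> str:
    """Replace the S-1-5-21-... user SID with a placeholder."""
    return SID_RE.sub(r"\\REGISTRY\\USER\\<SID>", key)


def tag_event(event: Dict[str, str]) -> List[str]:
    """Return the rule names that match one registry-access record."""
    key = normalise_key(event["key"])
    return [name for name, rx in REGISTRY_RULES.items() if rx.search(key)]


def triage(events) -> Dict[str, List[str]]:
    """Map each process to the sorted set of rules it triggered (processes with no hits are omitted)."""
    hits = defaultdict(set)
    for ev in events:
        for tag in tag_event(ev):
            hits[ev["process"]].add(tag)
    return {proc: sorted(tags) for proc, tags in hits.items()}


def looks_like_stealer(tags: List[str]) -> bool:
    """Mail-profile access combined with a geofence or sandbox check is the pattern seen in this report."""
    profile = any(t.startswith("outlook_") for t in tags)
    recon = "geofence_nation_lookup" in tags or "cpu_identifier_query" in tags
    return profile and recon


# Constructed sample records mirroring the report's registry IoCs.
SID = r"\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000"
SAMPLE_EVENTS = [
    {"process": "tmp.exe", "op": "Key value queried",
     "key": SID + r"\Control Panel\International\Geo\Nation"},
    {"process": "tmp.exe", "op": "Key opened",
     "key": SID + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"process": "tmp.exe", "op": "Key opened",
     "key": SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"process": "tmp.exe", "op": "Key opened",
     "key": SID + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"process": "tmp.exe", "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0"},
    {"process": "tmp.exe", "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"},
    # Invented benign control: ordinary shell activity under the same hive.
    {"process": "explorer.exe", "op": "Key opened",
     "key": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer"},
]

if __name__ == "__main__":
    for proc, tags in triage(SAMPLE_EVENTS).items():
        print(proc, tags, "stealer-like" if looks_like_stealer(tags) else "")
```

On a real host the same records come from Sysmon Event ID 12/13 or ETW registry events; the Outlook GUID 9375CFF0413111d3B88A00104B2A6676 is left out of the rules on purpose, since the profile-store path is the stable part and the leaf key varies.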
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    command: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
  [2] C:\Windows\SYSTEM32\cmd.exe
      command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\chcp.com
        command: chcp 65001
    [3] C:\Windows\system32\netsh.exe
        command: netsh wlan show profile
    [3] C:\Windows\system32\findstr.exe
        command: findstr All
  [2] C:\Windows\SYSTEM32\cmd.exe
      command: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\chcp.com
        command: chcp 65001
    [3] C:\Windows\system32\netsh.exe
        command: netsh wlan show networks mode=bssid
  [2] C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpEB9A.tmp.bat
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\chcp.com
        command: chcp 65001
    [3] C:\Windows\system32\taskkill.exe
        command: TaskKill /F /IM 1616
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\timeout.exe
        command: Timeout /T 2 /Nobreak
        - Delays execution with timeout.exe
[1] C:\Windows\system32\msiexec.exe
    command: C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken
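The process tree shows two behaviours worth a command-line rule: the Wi-Fi profile and BSSID harvesting (cmd.exe /C chcp 65001 && netsh wlan show ...) and the self-delete batch dropped in Temp (cmd.exe /C tmpEB9A.tmp.bat spawning chcp, TaskKill /F and Timeout /T 2). The script below is an added example, not part of the sandbox report or of StormKitty: it runs over constructed Sysmon Event ID 1 style records (pid, parent pid, image, command line) copied from the tree above and walks up through shell processes to attribute each netsh call to its real origin. The parent pid of tmp.exe and the explorer.exe chain are invented placeholders (the report gives neither). One caveat on the recorded kill command: taskkill's /IM switch takes an image name, /PID takes a process id, so "TaskKill /F /IM 1616" would not terminate pid 1616; the rule keys on the batch pattern, not on whether it worked.

```python
"""Command-line rules for the netsh wlan harvesting and self-delete batch seen above.

Added example (not from the sandbox report or the StormKitty project).
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

Proc = Tuple[int, int, str, str]  # (pid, ppid, image, command line)


class Finding(NamedTuple):
    tag: str
    pid: int
    origin_pid: int
    origin_image: str
    severity: str


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
WLAN_PROFILE_RE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.I)
WLAN_BSSID_RE = re.compile(r"\bwlan\s+show\s+networks\b.*\bmode=bssid\b", re.I)
TMP_BAT_RE = re.compile(r"\\Temp\\[^\s\"]+\.bat\b", re.I)
TASKKILL_RE = re.compile(r"\btaskkill\b.*\s/F\b", re.I)
TIMEOUT_RE = re.compile(r"\btimeout\b.*\s/T\s+\d+", re.I)


def build_tree(procs: List[Proc]):
    """Index records by pid and by parent pid."""
    by_pid = {p[0]: p for p in procs}
    children = defaultdict(list)
    for pid, ppid, _, _ in procs:
        children[ppid].append(pid)
    return by_pid, children


def origin_of(pid: int, by_pid: Dict[int, Proc]) -> Optional[Proc]:
    """Walk up from pid's parent through shell processes to the first non-shell ancestor."""
    cur = by_pid.get(by_pid[pid][1])
    while cur is not None and cur[2].lower() in SHELLS:
        cur = by_pid.get(cur[1])
    return cur


def detect(procs: List[Proc]) -> List[Finding]:
    by_pid, children = build_tree(procs)
    findings: List[Finding] = []
    for pid, _, image, cmd in procs:
        img = image.lower()
        if img == "netsh.exe":
            if WLAN_PROFILE_RE.search(cmd):
                tag = "wlan_profile_harvest"
            elif WLAN_BSSID_RE.search(cmd):
                tag = "wlan_bssid_survey"
            else:
                continue
            origin = origin_of(pid, by_pid)
            if origin is None:
                continue
            # An originating binary staged in the user's Temp directory is the high-confidence case.
            severity = "high" if TEMP_RE.search(origin[3]) else "medium"
            findings.append(Finding(tag, pid, origin[0], origin[2], severity))
        elif img in SHELLS and TMP_BAT_RE.search(cmd):
            kids = [by_pid[c] for c in children[pid]]
            has_kill = any(k[2].lower() == "taskkill.exe" and TASKKILL_RE.search(k[3]) for k in kids)
            has_wait = any(k[2].lower() == "timeout.exe" and TIMEOUT_RE.search(k[3]) for k in kids)
            if has_kill and has_wait:
                origin = origin_of(pid, by_pid)
                opid, oimg = (origin[0], origin[2]) if origin else (-1, "?")
                findings.append(Finding("self_delete_batch", pid, opid, oimg, "high"))
    return findings


# Constructed records mirroring the process tree above (ppid 4000 and the 6999/7000/7001 chain are invented).
SAMPLE_PROCS: List[Proc] = [
    (1616, 4000, "tmp.exe", r'"C:\Users\Admin\AppData\Local\Temp\tmp.exe"'),
    (1420, 1616, "cmd.exe", '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    (2556, 1420, "chcp.com", "chcp 65001"),
    (3944, 1420, "netsh.exe", "netsh wlan show profile"),
    (808, 1420, "findstr.exe", "findstr All"),
    (4204, 1616, "cmd.exe", '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    (1796, 4204, "chcp.com", "chcp 65001"),
    (2844, 4204, "netsh.exe", "netsh wlan show networks mode=bssid"),
    (5024, 1616, "cmd.exe", r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpEB9A.tmp.bat'),
    (4236, 5024, "chcp.com", "chcp 65001"),
    (960, 5024, "taskkill.exe", "TaskKill /F /IM 1616"),
    (4544, 5024, "timeout.exe", "Timeout /T 2 /Nobreak"),
    # Invented benign control: an admin running the same query from an interactive console.
    (6999, 1, "explorer.exe", "explorer.exe"),
    (7000, 6999, "cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    (7001, 7000, "netsh.exe", "netsh wlan show profile"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_PROCS):
        print(f)
```

The shell walk matters because the interesting parent is never cmd.exe itself: the same netsh command is medium-severity when it originates from explorer.exe and high when it originates from an executable in AppData\Local\Temp, which is exactly the split between an admin's console and this sample.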
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
Filesize 293KB
MD5 7a2d5deab61f043394a510f4e2c0866f
SHA1 ca16110c9cf6522cd7bea32895fd0f697442849b
SHA256 75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69
SHA512 b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0
-
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize 448KB
MD5 6d1c62ec1c2ef722f49b2d8dd4a4df16
SHA1 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
SHA256 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
SHA512 c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2
-
C:\Users\Admin\AppData\Local\Temp\tmpEB9A.tmp.bat
Filesize 232B
MD5 c7b98f4685471d92e4c566bec7e4858d
SHA1 2482d3c82adb909e0dfcdab22a1b449c6d2d4536
SHA256 ae34674fc4340059e2199a1a5b55af1cfb91465526691d2b782966ce798e243e
SHA512 f54e3d94b508576ee9e1f322133226dbaa7f1044d5eb93bb2cc670473d615010d5cc958808c9c271428316a94276e04ff4969a94b7c4a03101bb714e20cb9f30
-
memory/808-138-0x0000000000000000-mapping.dmp
-
memory/960-147-0x0000000000000000-mapping.dmp
-
memory/1420-135-0x0000000000000000-mapping.dmp
-
memory/1616-142-0x000000001BDC0000-0x000000001BE36000-memory.dmp (Filesize 472KB)
-
memory/1616-132-0x00000000000E0000-0x0000000000130000-memory.dmp (Filesize 320KB)
-
memory/1616-143-0x000000001BEC0000-0x000000001BF44000-memory.dmp (Filesize 528KB)
-
memory/1616-133-0x00007FF8A1A30000-0x00007FF8A24F1000-memory.dmp (Filesize 10.8MB)
-
memory/1616-134-0x00007FF8A1A30000-0x00007FF8A24F1000-memory.dmp (Filesize 10.8MB)
-
memory/1616-149-0x00007FF8A1A30000-0x00007FF8A24F1000-memory.dmp (Filesize 10.8MB)
-
memory/1796-140-0x0000000000000000-mapping.dmp
-
memory/2556-136-0x0000000000000000-mapping.dmp
-
memory/2844-141-0x0000000000000000-mapping.dmp
-
memory/3944-137-0x0000000000000000-mapping.dmp
-
memory/4204-139-0x0000000000000000-mapping.dmp
-
memory/4236-146-0x0000000000000000-mapping.dmp
-
memory/4544-148-0x0000000000000000-mapping.dmp
-
memory/5024-144-0x0000000000000000-mapping.dmp