Analysis
max time kernel: 18s
max time network: 22s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-02-2023 20:29
Behavioral task: behavioral1
Sample: diamond spoofer.exe
Resource: win10v2004-20220901-en
General
Target: diamond spoofer.exe
Size: 3.9MB
MD5: e5b42dbabb058b30f7fcc8a0a2050452
SHA1: 9ec11afec660f1e4baed9c764e7995bf755c2011
SHA256: 58d10ab32005fe9f5bca2f8c933af8c89a43a1f49e934f26df9f8a48068ea0b5
SHA512: f6199e85ae115650d1c01f4d7bb888701757399611a37b03a9c53100acd8b142ec00ea98bbdca75ef1b8ee9a03043c1ce1566874645f8c3606c75bd55f9b1e23
SSDEEP: 98304:y0T+Srp3YVrsk9N8ivyhAdsPSQxhKnWJLXq0f4ogdCyb:xfSVN8iNISOvJzqwU
Malware Config
Signatures
StormKitty
StormKitty is an open source info stealer written in C#.
StormKitty payload (1 IoC)
  resource                                                                      yara_rule
  behavioral1/memory/3592-132-0x00000000002D0000-0x00000000006C0000-memory.dmp  family_stormkitty
NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
  resource                                                                      yara_rule
  behavioral1/memory/3592-132-0x00000000002D0000-0x00000000006C0000-memory.dmp  WebBrowserPassView
  C:\Users\Admin\AppData\Local\Temp\svchoster.exe                               WebBrowserPassView
  C:\Users\Admin\AppData\Local\Temp\svchoster.exe                               WebBrowserPassView
Nirsoft (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/3592-132-0x00000000002D0000-0x00000000006C0000-memory.dmp  Nirsoft
  C:\Users\Admin\AppData\Local\Temp\svchoster.exe                               Nirsoft
  C:\Users\Admin\AppData\Local\Temp\svchoster.exe                               Nirsoft
Executes dropped EXE (1 IoC)
  pid   process
  4708  svchoster.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  diamond spoofer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  5     checkip.dyndns.org
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this behaviour is "likely ransomware", but drive enumeration is just as consistent with an infostealer locating files to collect; given that the other signatures on this sample identify the StormKitty stealer, do not carry the ransomware attribution into reporting without further evidence.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process        events
  4708  svchoster.exe  4
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  3592  diamond spoofer.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  3592  diamond spoofer.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  source pid  source process       target pid  target process  events
  3592        diamond spoofer.exe  364         cmd.exe         3
  364         cmd.exe              4708        svchoster.exe   3
Processes
1. C:\Users\Admin\AppData\Local\Temp\diamond spoofer.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\diamond spoofer.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\cmd.exe (child of 1)
   command line: "C:\Windows\System32\cmd.exe" /C start %temp%\svchoster.exe /stext "%temp%\Passes.cpp"
   - Suspicious use of WriteProcessMemory
   Note: the command line names System32\cmd.exe but the image that actually ran is the SysWOW64 copy. That is WoW64 file-system redirection, which only applies to 32-bit callers, so the parent "diamond spoofer.exe" is a 32-bit process.
3. C:\Users\Admin\AppData\Local\Temp\svchoster.exe (child of 2)
   command line: C:\Users\Admin\AppData\Local\Temp\svchoster.exe /stext "C:\Users\Admin\AppData\Local\Temp\Passes.cpp"
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   Note: /stext is the NirSoft "save report as text file" switch, consistent with the WebBrowserPassView YARA match on this file. The recovered browser credentials are written to Passes.cpp in %TEMP%, a file name that does not look like a credential dump. The svchost-like name of the dropped binary and its location under %TEMP% rather than System32 are the artefacts to hunt for.
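The process tree and signatures above describe a small, repeatable chain: a 32-bit dropper in %TEMP% queries the Geo\Nation registry value, resolves checkip.dyndns.org, spawns cmd.exe (visible as SysWOW64\cmd.exe), and runs a NirSoft password-recovery tool renamed to a svchost lookalike with /stext pointed at a non-report file name. The following Python is an added example, not part of the sandbox report or the StormKitty project, that turns those observations into detection logic over constructed Sysmon-style events modelled on the report. The event field names, the benign svchost.exe control event and the list of system-binary prefixes used for the lookalike check are assumptions.

```python
"""Detection logic for the dropper -> cmd.exe -> NirSoft tool chain in the
report above, run over constructed Sysmon-style events (process creation,
registry query, DNS query). Added example; events are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed events modelled on the process tree and signatures above.
EVENTS: List[Dict] = [
    {"type": "process", "pid": 3592, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\diamond spoofer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\diamond spoofer.exe"'},
    {"type": "process", "pid": 364, "ppid": 3592,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C start %temp%\svchoster.exe'
                r' /stext "%temp%\Passes.cpp"'},
    {"type": "process", "pid": 4708, "ppid": 364,
     "image": r"C:\Users\Admin\AppData\Local\Temp\svchoster.exe",
     "cmdline": r'C:\Users\Admin\AppData\Local\Temp\svchoster.exe /stext'
                r' "C:\Users\Admin\AppData\Local\Temp\Passes.cpp"'},
    {"type": "registry", "pid": 3592,
     "key": r"HKU\S-1-5-21-929662420-1054238289-2961194603-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "dns", "pid": 3592, "query": "checkip.dyndns.org"},
    # Benign control event (assumed): the real svchost.exe from System32.
    {"type": "process", "pid": 900, "ppid": 700,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# NirSoft tools share the /stext, /shtml, /sverhtml, /sxml, /scsv, /stab and
# /scomma "save report" switches; capture the output path, quoted or bare.
NIRSOFT_SAVE = re.compile(
    r'(?:^|\s)/s(?:text|html|verhtml|xml|csv|tab|comma)\s+(?:"([^"]+)"|(\S+))',
    re.I)
REPORT_EXTS = {"txt", "html", "htm", "xml", "csv"}   # what a real report looks like
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SYSTEM_NAMES = ("svchost", "csrss", "lsass", "winlogon")  # assumed lookalike prefixes
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}            # extend with other services


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def wow64_redirected_cmd(ev: Dict) -> bool:
    """Command line names the System32 cmd.exe but the SysWOW64 copy ran:
    WoW64 file-system redirection, so the parent is a 32-bit process."""
    return (ev["type"] == "process"
            and ev["image"].lower().endswith(r"\syswow64\cmd.exe")
            and r"\system32\cmd.exe" in ev["cmdline"].lower())


def nirsoft_report_disguised(ev: Dict) -> str:
    """Return the /stext-style output path when its extension hides that it
    is a report (Passes.cpp rather than .txt); empty string otherwise."""
    m = NIRSOFT_SAVE.search(ev.get("cmdline", ""))
    if not m:
        return ""
    out = m.group(1) or m.group(2)
    ext = out.rsplit(".", 1)[-1].lower() if "." in basename(out) else ""
    return out if ext not in REPORT_EXTS else ""


def lookalike_dropped_exe(ev: Dict) -> bool:
    """Executable under %TEMP% whose name mimics a Windows system binary
    (svchoster.exe beside the real svchost.exe)."""
    return (ev["type"] == "process"
            and bool(USER_TEMP.search(ev["image"]))
            and basename(ev["image"]).startswith(SYSTEM_NAMES))


def geofence_lookup(ev: Dict) -> bool:
    return ev["type"] == "registry" and bool(GEO_NATION.search(ev["key"]))


def external_ip_lookup(ev: Dict) -> bool:
    return ev["type"] == "dns" and ev["query"].lower() in IP_LOOKUP_HOSTS


def ancestry(pid: int, procs: Dict[int, Dict]) -> List[str]:
    """Image names from pid up to the first parent absent from the events."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def analyze(events: List[Dict]) -> List[Tuple[str, int, object]]:
    """Apply every rule; each finding is (rule, pid, detail)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings: List[Tuple[str, int, object]] = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            if wow64_redirected_cmd(ev):
                findings.append(("wow64_parent_cmd", pid, ancestry(pid, procs)))
            out = nirsoft_report_disguised(ev)
            if out:
                findings.append(("nirsoft_report_disguised", pid, out))
            if lookalike_dropped_exe(ev):
                findings.append(("lookalike_dropped_exe", pid, ancestry(pid, procs)))
        elif geofence_lookup(ev):
            findings.append(("geo_nation_query", pid, ev["key"]))
        elif external_ip_lookup(ev):
            findings.append(("external_ip_lookup", pid, ev["query"]))
    return findings


def rule_hits(events: List[Dict]) -> Dict[str, List[int]]:
    """Rule name -> sorted, de-duplicated pids that triggered it."""
    hits: Dict[str, set] = {}
    for rule, pid, _ in analyze(events):
        hits.setdefault(rule, set()).add(pid)
    return {rule: sorted(pids) for rule, pids in hits.items()}


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

Each rule on its own is weak (cmd.exe under SysWOW64 is normal for any 32-bit parent, and /stext is used legitimately by administrators), so the ancestry returned with each finding is what lets an analyst correlate them into one chain rooted at the dropper; alerting is best keyed on two or more rules firing within the same process tree.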
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\svchoster.exe (listed twice in the report, identical hashes)
  Filesize: 391KB
  MD5: 053778713819beab3df309df472787cd
  SHA1: 99c7b5827df89b4fafc2b565abed97c58a3c65b8
  SHA256: f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
  SHA512: 35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

memory/364-133-0x0000000000000000-mapping.dmp
memory/3592-132-0x00000000002D0000-0x00000000006C0000-memory.dmp
  Filesize: 3.9MB
memory/3592-134-0x00000000061E0000-0x0000000006272000-memory.dmp
  Filesize: 584KB
memory/3592-135-0x0000000006830000-0x0000000006DD4000-memory.dmp
  Filesize: 5.6MB
memory/3592-139-0x0000000007600000-0x0000000007676000-memory.dmp
  Filesize: 472KB
memory/3592-140-0x0000000006320000-0x000000000633E000-memory.dmp
  Filesize: 120KB
memory/4708-136-0x0000000000000000-mapping.dmp