Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system -
submitted
22-03-2023 14:22
Behavioral task
behavioral1
Sample
a0.exe
Resource
win7-20230220-en
General
-
Target
a0.exe
-
Size
170KB
-
MD5
a0ce182a26b24adf936411f4ea796ab7
-
SHA1
a764ea86541665181d7080fe2a2c534a6acc6c5b
-
SHA256
85ca4cd1bdc0b219e0513bca055913d18debf0e6ef752a5814cb9b87af2bd646
-
SHA512
de9db377614cfead6043022d2413d47821cd38dd5e751a6e91d3e37db4965217c92607495e15dcee834afec4fd22490635cd0377ec6f510126bf65dd4824b69b
-
SSDEEP
3072:T+STW8djpN6izj8mZw24FBPBrL2eFcyZlVqIPu/i9bDq2cKk6+Wpn:w8XN6W8mm2anrL2eFcyvVXPSi9b+
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5081755732:AAFIzASZTZ42XUhPubF2E6ugH8B5BoBq2GY/sendMessage?chat_id=1184265544
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4608-133-0x00000000006E0000-0x0000000000710000-memory.dmp | family_stormkitty
-
Async RAT payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4608-133-0x00000000006E0000-0x0000000000710000-memory.dmp | asyncrat
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive data.
-
Drops desktop.ini file(s) 9 IoCs
Processes: a0.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Local\5c1b4d6bab16ab04fc923bd6105addbc\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | a0.exe
File created | C:\Users\Admin\AppData\Local\5c1b4d6bab16ab04fc923bd6105addbc\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | a0.exe
File opened for modification | C:\Users\Admin\AppData\Local\5c1b4d6bab16ab04fc923bd6105addbc\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | a0.exe
File created | C:\Users\Admin\AppData\Local\5c1b4d6bab16ab04fc923bd6105addbc\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | a0.exe
File opened for modification | C:\Users\Admin\AppData\Local\5c1b4d6bab16ab04fc923bd6105addbc\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | a0.exe
File created | C:\Users\Admin\AppData\Local\5c1b4d6bab16ab04fc923bd6105addbc\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | a0.exe
File created | C:\Users\Admin\AppData\Local\5c1b4d6bab16ab04fc923bd6105addbc\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | a0.exe
File opened for modification | C:\Users\Admin\AppData\Local\5c1b4d6bab16ab04fc923bd6105addbc\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | a0.exe
File created | C:\Users\Admin\AppData\Local\5c1b4d6bab16ab04fc923bd6105addbc\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | a0.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
30 | icanhazip.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Processes: a0.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | a0.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | a0.exe
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
Processes: a0.exe
pid | process
4608 | a0.exe (29 identical entries)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Processes: a0.exe
description | pid | process
Token: SeDebugPrivilege | 4608 | a0.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: a0.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 4608 wrote to memory of 5032 | 4608 | a0.exe | cmd.exe (3 entries)
PID 5032 wrote to memory of 3424 | 5032 | cmd.exe | chcp.com (3 entries)
PID 5032 wrote to memory of 4224 | 5032 | cmd.exe | netsh.exe (3 entries)
PID 5032 wrote to memory of 4216 | 5032 | cmd.exe | findstr.exe (3 entries)
PID 4608 wrote to memory of 3476 | 4608 | a0.exe | cmd.exe (3 entries)
PID 3476 wrote to memory of 4028 | 3476 | cmd.exe | chcp.com (3 entries)
PID 3476 wrote to memory of 4464 | 3476 | cmd.exe | netsh.exe (3 entries)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\a0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a0.exe"
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\chcp.com
            command line: chcp 65001
        [3] C:\Windows\SysWOW64\netsh.exe
            command line: netsh wlan show profile
        [3] C:\Windows\SysWOW64\findstr.exe
            command line: findstr All
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\chcp.com
            command line: chcp 65001
        [3] C:\Windows\SysWOW64\netsh.exe
            command line: netsh wlan show networks mode=bssid
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\5c1b4d6bab16ab04fc923bd6105addbc\Admin@ROBKQPFG_en-US\System\Process.txt
Filesize
4KB
MD5
5227152178d38972478d94d20dc00a6c
SHA1
55bf99c838f2d4008e37e6276a1b14d860cf6daf
SHA256
beb68c766870eedeabda216fee5bd4c593e1832f8c2b99f0bbc192fb5836dd5d
SHA512
50b91c86170fcf037408b435ddb26361cd7014581709a9cebb8389c02233114f9c98962b9641af438916b179653cf87ec84a9de81af5a7670393527af21e80d6
-
C:\Users\Admin\AppData\Local\c68c3832e6261ad2ce43d41b243d6c46\msgid.dat
Filesize
3B
MD5
0a113ef6b61820daa5611c870ed8d5ee
SHA1
eaa67f3a93d0acb08d8a5e8ff9866f51983b3c3b
SHA256
5e968ce47ce4a17e3823c29332a39d049a8d0afb08d157eb6224625f92671a51
SHA512
bb602aa6ebb8decd4a7293b1c428cf4889df083d0984378ceefc600a371ac96de20ed1fbc8adf3baa8e63a28d20b750b1dd2512c51cf78490b602b5bc50e47c1
-
memory/4608-133-0x00000000006E0000-0x0000000000710000-memory.dmp
Filesize
192KB
-
memory/4608-134-0x00000000051A0000-0x00000000051B0000-memory.dmp
Filesize
64KB
-
memory/4608-135-0x00000000053B0000-0x0000000005416000-memory.dmp
Filesize
408KB
-
memory/4608-221-0x00000000051A0000-0x00000000051B0000-memory.dmp
Filesize
64KB
-
memory/4608-279-0x0000000005FD0000-0x0000000006062000-memory.dmp
Filesize
584KB
-
memory/4608-280-0x0000000006620000-0x0000000006BC4000-memory.dmp
Filesize
5.6MB
-
memory/4608-282-0x00000000051A0000-0x00000000051B0000-memory.dmp
Filesize
64KB
-
memory/4608-285-0x00000000060F0000-0x00000000060FA000-memory.dmp
Filesize
40KB
-
memory/4608-291-0x0000000006110000-0x0000000006122000-memory.dmp
Filesize
72KB
-
memory/4608-315-0x00000000051A0000-0x00000000051B0000-memory.dmp
Filesize
64KB