Analysis
-
max time kernel
197s -
max time network
165s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
01/05/2023, 20:07
Behavioral task
behavioral1
Sample
panel.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
panel.exe
Resource
win10v2004-20230220-en
General
-
Target
panel.exe
-
Size
170KB
-
MD5
470a8267b5eba7eb998d9fa69532f849
-
SHA1
1152ddb2ab93aae9983e3e8b5c4f367875323e3e
-
SHA256
6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e
-
SHA512
5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d
-
SSDEEP
3072:O+STW8djpN6izj8mZwHQiWZqswqIPu/i9b+J2cOZTMi56+WpL:z8XN6W8mmdUwXPSi9b2c3
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral1/memory/1712-54-0x0000000001090000-0x00000000010C0000-memory.dmp family_stormkitty behavioral1/memory/1712-55-0x0000000000CF0000-0x0000000000D30000-memory.dmp family_stormkitty -
Async RAT payload 3 IoCs
resource yara_rule behavioral1/memory/1712-54-0x0000000001090000-0x00000000010C0000-memory.dmp asyncrat behavioral1/memory/1712-55-0x0000000000CF0000-0x0000000000D30000-memory.dmp asyncrat behavioral1/memory/1712-56-0x0000000000CF0000-0x0000000000D30000-memory.dmp asyncrat -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 7 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\2d4994e1c1b26bffefcaeb378b5b46f2\Admin@THEQWNRW_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini panel.exe File created C:\Users\Admin\AppData\Local\2d4994e1c1b26bffefcaeb378b5b46f2\Admin@THEQWNRW_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini panel.exe File opened for modification C:\Users\Admin\AppData\Local\2d4994e1c1b26bffefcaeb378b5b46f2\Admin@THEQWNRW_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini panel.exe File created C:\Users\Admin\AppData\Local\2d4994e1c1b26bffefcaeb378b5b46f2\Admin@THEQWNRW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini panel.exe File opened for modification C:\Users\Admin\AppData\Local\2d4994e1c1b26bffefcaeb378b5b46f2\Admin@THEQWNRW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini panel.exe File created C:\Users\Admin\AppData\Local\2d4994e1c1b26bffefcaeb378b5b46f2\Admin@THEQWNRW_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini panel.exe File opened for modification C:\Users\Admin\AppData\Local\2d4994e1c1b26bffefcaeb378b5b46f2\Admin@THEQWNRW_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini panel.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 panel.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier panel.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1712 panel.exe 1712 panel.exe 1712 panel.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1712 panel.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1712 wrote to memory of 2032 1712 panel.exe 29 PID 1712 wrote to memory of 2032 1712 panel.exe 29 PID 1712 wrote to memory of 2032 1712 panel.exe 29 PID 1712 wrote to memory of 2032 1712 panel.exe 29 PID 2032 wrote to memory of 1600 2032 cmd.exe 31 PID 2032 wrote to memory of 1600 2032 cmd.exe 31 PID 2032 wrote to memory of 1600 2032 cmd.exe 31 PID 2032 wrote to memory of 1600 2032 cmd.exe 31 PID 2032 wrote to memory of 1608 2032 cmd.exe 32 PID 2032 wrote to memory of 1608 2032 cmd.exe 32 PID 2032 wrote to memory of 1608 2032 cmd.exe 32 PID 2032 wrote to memory of 1608 2032 cmd.exe 32 PID 2032 wrote to memory of 1656 2032 cmd.exe 33 PID 2032 wrote to memory of 1656 2032 cmd.exe 33 PID 2032 wrote to memory of 1656 2032 cmd.exe 33 PID 2032 wrote to memory of 1656 2032 cmd.exe 33 PID 1712 wrote to memory of 1184 1712 panel.exe 34 PID 1712 wrote to memory of 1184 1712 panel.exe 34 PID 1712 wrote to memory of 1184 1712 panel.exe 34 PID 1712 wrote to memory of 1184 1712 panel.exe 34 PID 1184 wrote to memory of 1140 1184 cmd.exe 36 PID 1184 wrote to memory of 1140 1184 cmd.exe 36 PID 1184 wrote to memory of 1140 1184 cmd.exe 36 PID 1184 wrote to memory of 1140 1184 cmd.exe 36 PID 1184 wrote to memory of 1688 1184 cmd.exe 37 PID 1184 wrote to memory of 1688 1184 cmd.exe 37 PID 1184 wrote to memory of 1688 1184 cmd.exe 37 PID 1184 wrote to memory of 1688 1184 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\panel.exe"C:\Users\Admin\AppData\Local\Temp\panel.exe"1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:1600
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵PID:1608
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵PID:1656
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:1140
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵PID:1688
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99