Analysis Overview
SHA256
799ad2554344216d192896a517536862c2435f054182bb8e468f6dd9f15f3e33
Threat Level: Known bad
The file VESSELDETAILS.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty
Snake Keylogger
Snake Keylogger payload
StormKitty payload
RedLine
Detects Redline Stealer samples
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-05 21:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-05 21:01
Reported
2023-05-05 23:16
Platform
win7-20230220-en
Max time kernel
88s
Max time network
123s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1768 set thread context of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xTXuqPdjAiGmQt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC256.tmp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xTXuqPdjAiGmQt.exe"
C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/1768-54-0x0000000000940000-0x00000000009CE000-memory.dmp
memory/1768-55-0x0000000004B50000-0x0000000004B90000-memory.dmp
memory/1768-56-0x00000000003E0000-0x00000000003F0000-memory.dmp
memory/1768-57-0x0000000004B50000-0x0000000004B90000-memory.dmp
memory/1768-58-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1768-59-0x0000000004DC0000-0x0000000004E22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC256.tmp
| MD5 | 2e513d80776316b18b3eacf78aa21a69 |
| SHA1 | 3426067d4db8b09ba9bc189ac1f49e4bc1a1ecf8 |
| SHA256 | 93796655cc094767a7007fee50e772c6de53d2032f6750cdc9ed5ffd6adafb9c |
| SHA512 | e47b4824076bb52f775fca69014b77a6fa2c911194697a9d426776a47014fa58c5cbb8efa838dec195758250f4d2015e6a52e0a03c4b98d7abea7d401dfee59b |
memory/1768-67-0x0000000004B20000-0x0000000004B48000-memory.dmp
memory/1860-68-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1860-75-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1860-77-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1860-73-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1860-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1860-71-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1860-70-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1860-69-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1860-78-0x0000000004A40000-0x0000000004A80000-memory.dmp
memory/1860-79-0x0000000004A40000-0x0000000004A80000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-05 21:01
Reported
2023-05-05 23:16
Platform
win10v2004-20230220-en
Max time kernel
156s
Max time network
168s
Command Line
Signatures
Detects Redline Stealer samples
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3152 set thread context of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xTXuqPdjAiGmQt.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xTXuqPdjAiGmQt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F11.tmp"
C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\VESSELDETAILS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.247.210.254:80 | N/A | tcp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.17.30.184.in-addr.arpa | udp |
| US | 52.152.110.14:443 | N/A | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| IE | 13.69.239.74:443 | N/A | tcp |
| US | 8.247.210.254:80 | N/A | tcp |
| US | 8.8.8.8:53 | 126.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | N/A | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 168.6.122.193.in-addr.arpa | udp |
| US | 52.152.110.14:443 | N/A | tcp |
| US | 8.247.210.254:80 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | N/A | tcp |
| US | 52.152.110.14:443 | N/A | tcp |
| US | 52.152.110.14:443 | N/A | tcp |
| US | 52.152.110.14:443 | N/A | tcp |
Files
memory/3152-133-0x0000000000960000-0x00000000009EE000-memory.dmp
memory/3152-134-0x0000000005870000-0x0000000005E14000-memory.dmp
memory/3152-135-0x00000000053A0000-0x0000000005432000-memory.dmp
memory/3152-136-0x0000000005530000-0x000000000553A000-memory.dmp
memory/3152-137-0x0000000005590000-0x00000000055A0000-memory.dmp
memory/3152-138-0x0000000005590000-0x00000000055A0000-memory.dmp
memory/3152-139-0x00000000073B0000-0x000000000744C000-memory.dmp
memory/1400-144-0x0000000001550000-0x0000000001586000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8F11.tmp
| MD5 | 86c7145123471841dce4155232c73fd7 |
| SHA1 | 536f39eed9215a0ca4df70f8425942ce0c8dcd48 |
| SHA256 | 4620a539b44f41f260e61278d51540c5ad2b36c29e4a94771d908c08f9ca6fc4 |
| SHA512 | f588d6074bb3883424b96ff5dafaf17aae793856738ce972e3e3fb566aae9ec68e0094a3c66389c4eb9ce0308b5c8ce42f385a3cfadfbb0a59dbc343db6f01f5 |
memory/1348-146-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1400-147-0x00000000057D0000-0x0000000005DF8000-memory.dmp
memory/1400-149-0x0000000005190000-0x00000000051A0000-memory.dmp
memory/1400-150-0x0000000005190000-0x00000000051A0000-memory.dmp
memory/1400-152-0x0000000005E00000-0x0000000005E66000-memory.dmp
memory/1400-151-0x0000000005660000-0x0000000005682000-memory.dmp
memory/1400-153-0x0000000005FE0000-0x0000000006046000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iyxuyxvs.1cr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1400-163-0x0000000006570000-0x000000000658E000-memory.dmp
memory/1348-164-0x0000000005290000-0x00000000052A0000-memory.dmp
memory/1400-165-0x0000000005190000-0x00000000051A0000-memory.dmp
memory/1400-166-0x0000000006BD0000-0x0000000006C02000-memory.dmp
memory/1400-167-0x0000000070250000-0x000000007029C000-memory.dmp
memory/1400-177-0x0000000006BB0000-0x0000000006BCE000-memory.dmp
memory/1400-178-0x0000000007FB0000-0x000000000862A000-memory.dmp
memory/1400-179-0x0000000007900000-0x000000000791A000-memory.dmp
memory/1400-180-0x000000007F4B0000-0x000000007F4C0000-memory.dmp
memory/1400-181-0x0000000007980000-0x000000000798A000-memory.dmp
memory/1400-182-0x0000000007B90000-0x0000000007C26000-memory.dmp
memory/1400-183-0x0000000007B40000-0x0000000007B4E000-memory.dmp
memory/1400-184-0x0000000007C50000-0x0000000007C6A000-memory.dmp
memory/1400-185-0x0000000007C30000-0x0000000007C38000-memory.dmp
memory/1348-188-0x0000000005290000-0x00000000052A0000-memory.dmp