Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system -
submitted
30/06/2023, 11:57
Behavioral task
behavioral1
Sample
1006.exe
Resource
win7-20230621-en
General
-
Target
1006.exe
-
Size
225KB
-
MD5
883784a3500e2389e6e1816696dba87b
-
SHA1
f4364ff100c016d5cf78a3a4e3bedb287555f2ce
-
SHA256
0373eb783358fbf3b810fe1156efffd5847913c62db0e6c690e802300a5640ab
-
SHA512
f5d4d508dfeee159d339b9833d8128a6486b866639cd5dcba381b873188c3a6e643961477e723e38d100c3a5b47b0c83499e18504b1a6e5f5e68a73bf01e73f3
-
SSDEEP
3072:/+STW8djpN6izj8mZwgWDZ5IRN9MBQVahUbBEgDzazaLEV55NlmwXcFOC+UX6+WO:08XN6W8mmgqQMhUbOKEV55NlXkOI
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6154715708:AAHDKp_4g6Ye1lnxUlsJvFSuNl2Zm6A__-E/sendMessage?chat_id=1165040754
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/5084-133-0x0000000000700000-0x000000000073E000-memory.dmp family_stormkitty -
Async RAT payload 1 IoCs
resource yara_rule behavioral2/memory/5084-133-0x0000000000700000-0x000000000073E000-memory.dmp asyncrat -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 8 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini 1006.exe File created C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini 1006.exe File opened for modification C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini 1006.exe File created C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini 1006.exe File opened for modification C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini 1006.exe File created C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini 1006.exe File created C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini 1006.exe File created C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini 1006.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 42 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory 8 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A7724123-7EA1-4D60-923F-41F8263619C3}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{823FD992-9FC0-4ECC-A1A1-2A0C4AE0FA2C}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{175010C8-32B9-4CF1-B036-8C71E521AE22}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{32E2D72C-4DA1-4C53-B76E-F45AE347F754}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C08AC3CB-7E99-4854-9744-B74F46B7A058}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{521450CF-304F-48D2-86EF-E9B8DD47D6BF}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9985FA88-FEA7-40F0-AE57-C2470EA71EE1}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B571A12D-FF7B-4E6B-91A6-38CC09F21B9F}.catalogItem svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 1006.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 1006.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe 5084 1006.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5084 1006.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 5084 wrote to memory of 1192 5084 1006.exe 84 PID 5084 wrote to memory of 1192 5084 1006.exe 84 PID 5084 wrote to memory of 1192 5084 1006.exe 84 PID 1192 wrote to memory of 3624 1192 cmd.exe 87 PID 1192 wrote to memory of 3624 1192 cmd.exe 87 PID 1192 wrote to memory of 3624 1192 cmd.exe 87 PID 1192 wrote to memory of 3224 1192 cmd.exe 88 PID 1192 wrote to memory of 3224 1192 cmd.exe 88 PID 1192 wrote to memory of 3224 1192 cmd.exe 88 PID 1192 wrote to memory of 2040 1192 cmd.exe 89 PID 1192 wrote to memory of 2040 1192 cmd.exe 89 PID 1192 wrote to memory of 2040 1192 cmd.exe 89 PID 5084 wrote to memory of 4276 5084 1006.exe 90 PID 5084 wrote to memory of 4276 5084 1006.exe 90 PID 5084 wrote to memory of 4276 5084 1006.exe 90 PID 4276 wrote to memory of 2300 4276 cmd.exe 92 PID 4276 wrote to memory of 2300 4276 cmd.exe 92 PID 4276 wrote to memory of 2300 4276 cmd.exe 92 PID 4276 wrote to memory of 4316 4276 cmd.exe 93 PID 4276 wrote to memory of 4316 4276 cmd.exe 93 PID 4276 wrote to memory of 4316 4276 cmd.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\1006.exe"C:\Users\Admin\AppData\Local\Temp\1006.exe"1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:3624
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵PID:3224
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵PID:2040
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:2300
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵PID:4316
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
PID:1876
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4B
MD5fa733611ef13bd333ebfbab7eed14b63
SHA1a3fc12f37f04ba3fa82daefe36bd945eee45682f
SHA256d5202cfaa87f58037dbd7143fd3a1336dd15c50d58269d1f6a9dc3ea307dbb53
SHA512c2671da490ca8d57b424e013f8886d43ef64061591a16673c0b355d2326d46ade7fff529a499019af547dc841851af281b97388505cc58c0360b63b9aa2ae10e
-
C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Browsers\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\System\Process.txt
Filesize4KB
MD5e92bf9c721dae145a350dd4fdd144ef1
SHA12307fa250244bc419de1dbe3ac561e959ddcb17b
SHA2561f64d3fe94de462aa5d9667758034b2cbae00362bf2cf965099c82049ffcd417
SHA5124d4606cd626f96a5f5d4d9dd19b316391b2c84d1ed992fa04b76b30f8ee3fd89b3d9fe13f5eeac3f319f0030bae22d85153a5f4efa901b17fc48e92191ecee3f