Malware Analysis Report

2025-01-03 06:39

Sample ID 230810-q1xq9sdb94
Target 11395702298.zip
SHA256 3d10790dafc6de3af7b597196a9dba180e6b7277d15506464821aff1517c16c9
Tags
rat default asyncrat stormkitty spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3d10790dafc6de3af7b597196a9dba180e6b7277d15506464821aff1517c16c9

Threat Level: Known bad

The file 11395702298.zip was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat stormkitty spyware stealer

AsyncRat

StormKitty

Async RAT payload

Asyncrat family

StormKitty payload

Stormkitty family

Async RAT payload

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

Enumerates physical storage devices

Unsigned PE

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 13:44

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 13:44

Reported

2023-08-10 13:46

Platform

win7-20230712-en

Max time kernel

149s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\251ac55771bd3dda497329dd24c109b4\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\251ac55771bd3dda497329dd24c109b4\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File created C:\Users\Admin\AppData\Local\251ac55771bd3dda497329dd24c109b4\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\251ac55771bd3dda497329dd24c109b4\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File created C:\Users\Admin\AppData\Local\251ac55771bd3dda497329dd24c109b4\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\251ac55771bd3dda497329dd24c109b4\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File created C:\Users\Admin\AppData\Local\251ac55771bd3dda497329dd24c109b4\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\251ac55771bd3dda497329dd24c109b4\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2260 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2260 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2260 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2260 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2260 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2260 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2260 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2260 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2260 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2260 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2260 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2032 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 1724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3012 wrote to memory of 1724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3012 wrote to memory of 1724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3012 wrote to memory of 1724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3012 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3012 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3012 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3012 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2032 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe

"C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 google.com udp

Files

memory/2032-53-0x0000000000B20000-0x0000000000B60000-memory.dmp

memory/2032-54-0x0000000074C90000-0x000000007537E000-memory.dmp

memory/2032-55-0x0000000004B70000-0x0000000004BB0000-memory.dmp

memory/2032-122-0x0000000004B70000-0x0000000004BB0000-memory.dmp

memory/2032-126-0x0000000074C90000-0x000000007537E000-memory.dmp

memory/2032-127-0x0000000004B70000-0x0000000004BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB63E.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarB798.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 414a5d52034a2264bec4b2250295e5b0
SHA1 43217ad78c0083c90b7378f22717d25a6039f21a
SHA256 813ed3d63d0757cce8a900e5eea1de3355ee25768ad7231796b6262e575c5136
SHA512 b0c58838c152969cf59198984b107a2cfc7ee1c27e0e8d2f2c8708ea581401de13db7285309e963417ba1148052f874f218784645cb759db7b510944961592a0

C:\Users\Admin\AppData\Local\251ac55771bd3dda497329dd24c109b4\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2032-194-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 13:44

Reported

2023-08-10 13:46

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\917285dd49ea028f474fd9f7383ad889\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\917285dd49ea028f474fd9f7383ad889\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File created C:\Users\Admin\AppData\Local\917285dd49ea028f474fd9f7383ad889\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File created C:\Users\Admin\AppData\Local\917285dd49ea028f474fd9f7383ad889\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File created C:\Users\Admin\AppData\Local\917285dd49ea028f474fd9f7383ad889\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\917285dd49ea028f474fd9f7383ad889\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\917285dd49ea028f474fd9f7383ad889\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File created C:\Users\Admin\AppData\Local\917285dd49ea028f474fd9f7383ad889\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
File created C:\Users\Admin\AppData\Local\917285dd49ea028f474fd9f7383ad889\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3924 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 3924 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 3924 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1924 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1924 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1924 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1924 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1924 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1924 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1924 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1924 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3924 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 3924 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 3924 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4616 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4616 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4616 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4616 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4616 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3924 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\schtasks.exe
PID 3924 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\schtasks.exe
PID 3924 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe

"C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\161b63a97d89bf3531175f3de3ade5c1c4eab758530943f018906ea26310ed63.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 126.139.241.8.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 97.115.18.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.158.241.8.in-addr.arpa udp

Files

memory/3924-133-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3924-134-0x00000000001C0000-0x0000000000200000-memory.dmp

memory/3924-135-0x0000000004BB0000-0x0000000004C16000-memory.dmp

memory/3924-136-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/3924-137-0x0000000005C30000-0x00000000061D4000-memory.dmp

memory/3924-138-0x0000000005760000-0x00000000057F2000-memory.dmp

memory/3924-227-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3924-235-0x0000000004D30000-0x0000000004D40000-memory.dmp

C:\Users\Admin\AppData\Local\917285dd49ea028f474fd9f7383ad889\Admin@YACSFKWT_en-US\System\Process.txt

MD5 9a237eb6afb31e775989d5a2f5ef63fa
SHA1 f5935186fdc15957d26a5f19ee4c58754b1e51b6
SHA256 0fcbbc13d3b6f6fe05932ac2a012ea5081a2892769e55c99bffea316828b2c22
SHA512 1f8b04942b10edae1793c6e5ed890e6714526d869b0a161c056e1353838de269a7cb5468ec7ce42f2e573bef7ffeb7ca347087a7c67ad9a2a7edaca762cee219

memory/3924-284-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/3924-289-0x00000000066E0000-0x00000000066EA000-memory.dmp

C:\Users\Admin\AppData\Local\c235d86070e63fa5410160bf85017956\msgid.dat

MD5 0cd9bd0c2aff58c347c9d512127d7e2c
SHA1 cf40cf73d318e1c3cdbac684ac5c696713e147ae
SHA256 4cf1a1c089ca12a669060c472f0b4e22b97d3c8887382c65badf527885e34752
SHA512 a166414ab94d8bfee56ef8c2b18f155698da374138b2394d660760b5e6461ba869daa7bc963f8ff6c98055bacdee2838fc8fee87ef97755290710f294b7d3e40

memory/3924-295-0x0000000006DD0000-0x0000000006DE2000-memory.dmp

C:\Users\Admin\AppData\Local\917285dd49ea028f474fd9f7383ad889\Admin@YACSFKWT_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/3924-319-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/3924-321-0x0000000007980000-0x000000000798A000-memory.dmp