Analysis
-
max time kernel
147s
-
max time network
154s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230703-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted
11-08-2023 14:38
Behavioral task
behavioral1
Sample
0x0009000000012023-62.exe
Resource
win7-20230712-en
General
-
Target
0x0009000000012023-62.exe
-
Size
170KB
-
MD5
958062458cd994df325348bb9f8f9d11
-
SHA1
6d678d971f4239f9304a3a6ac9941b9d7de1ba27
-
SHA256
109f96c67f55689c41320f832134501ec02389a813eba1d990d192ab378ad533
-
SHA512
e73c665f0cd3cc53ea4ca0ef50d196fce4783488759bd9f6b8d9cb842382e88327509a317dd328ddf7b7fc988cde06a46cd82fe2783165f75d5f812e231affff
-
SSDEEP
3072:O+STW8djpN6izj8mZwUFUA+16/qIPu/i9b6J2cST6+WpL:z8XN6W8mm7NiXPSi9bSY
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6085983475:AAG9ma6AdbwS2Vmvqb_xIeiP1vbivSAPlXU/sendMessage?chat_id=1829819531
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource | yara_rule
behavioral2/memory/3820-133-0x00000000000B0000-0x00000000000E0000-memory.dmp | family_stormkitty
-
Async RAT payload 1 IoCs
resource | yara_rule
behavioral2/memory/3820-133-0x00000000000B0000-0x00000000000E0000-memory.dmp | asyncrat
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 8 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\c08b365509d8e4d30c8f11f1405d5d45\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | 0x0009000000012023-62.exe
File opened for modification | C:\Users\Admin\AppData\Local\c08b365509d8e4d30c8f11f1405d5d45\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | 0x0009000000012023-62.exe
File created | C:\Users\Admin\AppData\Local\c08b365509d8e4d30c8f11f1405d5d45\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | 0x0009000000012023-62.exe
File opened for modification | C:\Users\Admin\AppData\Local\c08b365509d8e4d30c8f11f1405d5d45\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | 0x0009000000012023-62.exe
File created | C:\Users\Admin\AppData\Local\c08b365509d8e4d30c8f11f1405d5d45\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | 0x0009000000012023-62.exe
File created | C:\Users\Admin\AppData\Local\c08b365509d8e4d30c8f11f1405d5d45\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | 0x0009000000012023-62.exe
File created | C:\Users\Admin\AppData\Local\c08b365509d8e4d30c8f11f1405d5d45\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | 0x0009000000012023-62.exe
File created | C:\Users\Admin\AppData\Local\c08b365509d8e4d30c8f11f1405d5d45\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | 0x0009000000012023-62.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
22 | icanhazip.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid | Process
3820 | 0x0009000000012023-62.exe (this entry is repeated 25 times in the report)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3820 | 0x0009000000012023-62.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 3820 wrote to memory of 1128 | 3820 | 0x0009000000012023-62.exe | 90
PID 1128 wrote to memory of 4640 | 1128 | cmd.exe | 92
PID 1128 wrote to memory of 3904 | 1128 | cmd.exe | 93
PID 1128 wrote to memory of 4668 | 1128 | cmd.exe | 94
PID 3820 wrote to memory of 752 | 3820 | 0x0009000000012023-62.exe | 95
PID 752 wrote to memory of 2236 | 752 | cmd.exe | 97
PID 752 wrote to memory of 3436 | 752 | cmd.exe | 98
(each row above appears three times in the report; 21 entries in total)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\0x0009000000012023-62.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0x0009000000012023-62.exe"
    PID: 3820
    - Drops desktop.ini file(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        PID: 1128
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\chcp.com
            command line: chcp 65001
            PID: 4640
        [3] C:\Windows\SysWOW64\netsh.exe
            command line: netsh wlan show profile
            PID: 3904
        [3] C:\Windows\SysWOW64\findstr.exe
            command line: findstr All
            PID: 4668
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        PID: 752
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\chcp.com
            command line: chcp 65001
            PID: 2236
        [3] C:\Windows\SysWOW64\netsh.exe
            command line: netsh wlan show networks mode=bssid
            PID: 3436
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2B
MD5
f4b9ec30ad9f68f89b29639786cb62ef
SHA1
215bb47da8fac3342b858ac3db09b033c6c46e0b
SHA256
e3d6c4d4599e00882384ca981ee287ed961fa5f3828e2adb5e9ea890ab0d0525
SHA512
85eb108b7e36af2b00ba3e0bc2e2ece782fbf86ef4946df5f91b8ddd978a559f4a6e4f8896b4dc7deb1ba22703ffc5dcefb650c54c60bc8d98b2411a5c2191f1
-
C:\Users\Admin\AppData\Local\c08b365509d8e4d30c8f11f1405d5d45\Admin@KHQJMFWR_en-US\Browsers\Firefox\Bookmarks.txt
Filesize
105B
MD5
2e9d094dda5cdc3ce6519f75943a4ff4
SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\c08b365509d8e4d30c8f11f1405d5d45\Admin@KHQJMFWR_en-US\System\Process.txt
Filesize
4KB
MD5
51ae148ac94cc61f2ad6f6edb6f6a67c
SHA1
681dbfee6834cbd7cc33612bcc068033dd41c9d1
SHA256
ba86429a52e81d4b170160e5a81fa64af4c186f3e136f714728503fc16d323eb
SHA512
21e6b24fbf21e32da1f2089997f4cbc7f564494ad5ad75b99ace7cf73f90fd7ba3552d0fb50d519510633ef9718e4f43c028cc1bc4f07fc99a9af1f6f2019603