Analysis Overview
SHA256
ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3
Threat Level: Known bad
The file ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3 was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
StormKitty
Modifies WinLogon for persistence
AsyncRat
Async RAT payload
Executes dropped EXE
Looks up geolocation information via web service
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-17 17:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-17 17:27
Reported
2023-08-17 17:30
Platform
win10-20230703-en
Max time kernel
126s
Max time network
152s
Command Line
Signatures
AsyncRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\lignt syst.exe," | C:\Windows\system32\reg.exe | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lignt syst.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4060 set thread context of 3824 | N/A | C:\Users\Admin\AppData\Roaming\lignt syst.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\lignt syst.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe
"C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\lignt syst.exe,"
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 7
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c ping 127.0.0.1 -n 16 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe" "C:\Users\Admin\AppData\Roaming\lignt syst.exe" && ping 127.0.0.1 -n 16 > nul && "C:\Users\Admin\AppData\Roaming\lignt syst.exe"
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 16
C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\lignt syst.exe,"
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 16
C:\Users\Admin\AppData\Roaming\lignt syst.exe
"C:\Users\Admin\AppData\Roaming\lignt syst.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
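The process tree above is the entire persistence and collection routine in four cmd one-liners: loopback pings redirected to nul as a sleep, a REG ADD that appends the dropped copy to the Winlogon Shell value (so it starts with every logon alongside explorer.exe), a self-copy into %APPDATA%\Roaming followed by execution of the copy, and two netsh wlan dumps (saved profiles and nearby BSSIDs). The Python below is an added triage helper, not code from the sandbox, the report or the malware; it runs those exact command lines through a handful of rules and returns the evidence behind each tag. The rule names, the BENIGN_CMDLINE control line and the regular expressions are constructed for this example.

```python
import re

# Command lines copied from the Processes section of this report.
REPORT_CMDLINES = [
    r'"cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\lignt syst.exe,"',
    r'"cmd" /c ping 127.0.0.1 -n 16 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe" "C:\Users\Admin\AppData\Roaming\lignt syst.exe" && ping 127.0.0.1 -n 16 > nul && "C:\Users\Admin\AppData\Roaming\lignt syst.exe"',
    r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All',
    r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid',
]
# Constructed control line: an ordinary connectivity check that must not fire any rule.
BENIGN_CMDLINE = r'"cmd.exe" /C ping 8.8.8.8 -n 4'

# A loopback ping with its output discarded and chained with && is cmd's substitute for sleep.
PING_SLEEP = re.compile(r'ping\s+127\.0\.0\.1\s+-n\s+(\d+)\s*>\s*nul\s*&&', re.I)
REG_ADD = re.compile(r'\breg(?:\.exe)?\s+add\b', re.I)
WINLOGON_KEY = re.compile(r'\\Windows NT\\CurrentVersion\\Winlogon', re.I)
SHELL_VALUE = re.compile(r'/v\s+"?shell"?', re.I)
DATA_ARG = re.compile(r'/d\s+"([^"]*)"', re.I)
COPY_CMD = re.compile(r'\bcopy\s+"([^"]+)"\s+"([^"]+)"', re.I)
WLAN_RECON = re.compile(r'\bnetsh\s+wlan\s+show\s+(?:profile|networks)\b', re.I)


def parse_winlogon_shell(value: str) -> list[str]:
    """Return every Shell entry other than explorer.exe, the default and the only
    entry a clean workstation should carry. Entries are comma-separated; the
    trailing comma in this sample yields an empty field, which is dropped."""
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and e.lower() != "explorer.exe"]


def triage(cmdline: str) -> dict:
    """Tag one command line and keep the evidence behind each tag."""
    tags: list[str] = []
    out = {"tags": tags, "ping_counts": [], "shell_extras": [], "dropped": None}

    counts = [int(n) for n in PING_SLEEP.findall(cmdline)]
    if counts:
        tags.append("ping_sleep")
        out["ping_counts"] = counts

    if REG_ADD.search(cmdline) and WINLOGON_KEY.search(cmdline) and SHELL_VALUE.search(cmdline):
        m = DATA_ARG.search(cmdline)
        out["shell_extras"] = parse_winlogon_shell(m.group(1)) if m else []
        tags.append("winlogon_shell_persistence" if out["shell_extras"] else "winlogon_shell_modified")

    m = COPY_CMD.search(cmdline)
    if m and re.search(r"\\AppData\\", m.group(2), re.I) and m.group(2).lower().endswith(".exe"):
        out["dropped"] = m.group(2)
        tags.append("self_copy_to_appdata")
        # The destination path appearing a second time, quoted, is the copy being executed.
        if cmdline.count(f'"{m.group(2)}"') >= 2:
            tags.append("executes_dropped_copy")

    if WLAN_RECON.search(cmdline):
        tags.append("wlan_credential_recon")
    return out


def triage_all(cmdlines) -> dict[str, list[str]]:
    """Map each tag to the command lines that produced it."""
    hits: dict[str, list[str]] = {}
    for cl in cmdlines:
        for tag in triage(cl)["tags"]:
            hits.setdefault(tag, []).append(cl)
    return hits


if __name__ == "__main__":
    for tag, lines in triage_all(REPORT_CMDLINES + [BENIGN_CMDLINE]).items():
        print(f"{tag}: {len(lines)} hit(s)")
```

The Shell check is the one worth carrying into a host audit: anything returned by parse_winlogon_shell() for HKCU or HKLM ...\Winlogon\Shell is a persistence entry, and here it is the %APPDATA% copy of the sample. The ping-sleep rule deliberately keys on 127.0.0.1 plus the redirect and &&, so a real connectivity check such as the control line does not match.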
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| AT | 185.106.94.122:4449 | | tcp |
| US | 8.8.8.8:53 | 122.94.106.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| AT | 185.106.94.122:4449 | | tcp |
| AT | 185.106.94.122:4449 | | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 97.115.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
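The Network table splits into three kinds of traffic: resolver queries to 8.8.8.8 (forward lookups plus the sandbox's PTR lookups for every IP it touched), the web-service lookups that the signatures flag, and three bare TCP connections to 185.106.94.122:4449 that were preceded by no name resolution. The Python below is an added example, not part of the report, that parses the table as printed and sorts the flows into those buckets, turning the PTR names back into IPs along the way. The bucket names are constructed; the IP-lookup and hosting-abuse domain sets come from the report's own signatures, while classing api.mylnikov.org as a geolocation API is my assumption.

```python
from collections import Counter

# The Network table from this report (copied). The three direct TCP rows carry an
# empty Domain cell; parse_row() also accepts the variant where that empty cell is
# missing and "tcp" has slid into the Domain column.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| AT | 185.106.94.122:4449 | | tcp |
| US | 8.8.8.8:53 | 122.94.106.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| AT | 185.106.94.122:4449 | | tcp |
| AT | 185.106.94.122:4449 | | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 97.115.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
"""

# Domains the report's signatures name as external-IP lookups and abused hosting.
IP_LOOKUP_SERVICES = {"icanhazip.com", "ip-api.com"}
HOSTING_ABUSE = {"discord.com"}
# Assumption (analyst knowledge, not stated by the report): api.mylnikov.org is a
# Wi-Fi/BSSID geolocation API, matching the "netsh wlan show networks mode=bssid" step.
GEO_LOOKUP_SERVICES = {"api.mylnikov.org"}
WEB_PORTS = {80, 443}
PROTOS = {"tcp", "udp"}


def parse_row(line: str):
    """Parse one pipe-delimited row into a flow dict; None for the header or non-rows."""
    line = line.strip()
    if not line.startswith("|"):
        return None
    cells = [c.strip() for c in line.strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    country, dest, rest = cells[0], cells[1], cells[2:]
    # Proto is whichever trailing cell says tcp/udp; Domain is the other non-empty one.
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
    domain = next((c for c in rest if c and c.lower() not in PROTOS), "")
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port) if port.isdigit() else None,
            "domain": domain.lower(), "proto": proto}


def parse_table(text: str) -> list:
    return [r for r in (parse_row(l) for l in text.splitlines()) if r]


def ptr_to_ip(name: str):
    """'73.254.224.20.in-addr.arpa' -> '20.224.254.73'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(flows: list) -> dict:
    """Sort flows into resolver traffic, flagged web services and direct C2 candidates."""
    c2 = Counter()
    rep = {"c2_candidates": {}, "ip_lookup": set(), "geo_lookup": set(),
           "hosting_abuse": set(), "dns_names": set(), "reverse_lookups": []}
    for f in flows:
        d = f["domain"]
        if f["port"] == 53 and f["proto"] == "udp":
            ip = ptr_to_ip(d)
            if ip:
                rep["reverse_lookups"].append(ip)
            elif d:
                rep["dns_names"].add(d)
            continue
        if d in IP_LOOKUP_SERVICES:
            rep["ip_lookup"].add(d)
        elif d in GEO_LOOKUP_SERVICES:
            rep["geo_lookup"].add(d)
        elif d in HOSTING_ABUSE:
            rep["hosting_abuse"].add(d)
        elif not d and f["proto"] == "tcp" and f["port"] not in WEB_PORTS:
            # Raw TCP to an IP with no preceding name resolution on a non-web port.
            c2[f"{f['ip']}:{f['port']}"] += 1
    rep["c2_candidates"] = dict(c2)
    return rep


if __name__ == "__main__":
    for bucket, items in classify(parse_table(NETWORK_TABLE)).items():
        print(f"{bucket}: {items}")
```

The only entry in c2_candidates is 185.106.94.122:4449, seen three times, and the reverse_lookups bucket shows the sandbox also asked the resolver for 122.94.106.185.in-addr.arpa, so the IP appears in two places in the table. The IP and geolocation lookups happen over plain HTTP/HTTPS to named hosts and are easy to tell apart from the direct connection by the empty Domain cell alone.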
Files
memory/5096-117-0x0000000000F60000-0x0000000000FD6000-memory.dmp
memory/5096-118-0x00000000043F0000-0x0000000004DDC000-memory.dmp
memory/5096-119-0x0000000024CA0000-0x0000000024CB0000-memory.dmp
memory/5096-120-0x0000000028110000-0x0000000028152000-memory.dmp
memory/5096-122-0x0000000000AA0000-0x0000000000B03000-memory.dmp
memory/5096-123-0x0000000000B10000-0x0000000000BBE000-memory.dmp
memory/5096-124-0x00000000016C0000-0x0000000001909000-memory.dmp
memory/5096-125-0x00000000013E0000-0x000000000145E000-memory.dmp
memory/5096-126-0x0000000001460000-0x0000000001501000-memory.dmp
memory/5096-127-0x0000000001510000-0x00000000015AD000-memory.dmp
memory/5096-129-0x0000000001DD0000-0x0000000001EF5000-memory.dmp
memory/5096-130-0x0000000002370000-0x000000000240C000-memory.dmp
memory/5096-128-0x0000000001D10000-0x0000000001D69000-memory.dmp
memory/5096-132-0x0000000002410000-0x0000000002709000-memory.dmp
memory/5096-133-0x0000000002300000-0x0000000002327000-memory.dmp
memory/5096-134-0x0000000002710000-0x000000000285A000-memory.dmp
memory/5096-135-0x0000000002860000-0x0000000002956000-memory.dmp
memory/5096-136-0x0000000002960000-0x00000000029CA000-memory.dmp
memory/5096-138-0x00000000029D0000-0x0000000002B59000-memory.dmp
memory/5096-137-0x0000000002330000-0x000000000234E000-memory.dmp
memory/5096-141-0x00000000043D0000-0x00000000043E1000-memory.dmp
memory/5096-140-0x0000000002E10000-0x0000000002E3D000-memory.dmp
memory/5096-142-0x0000000002350000-0x000000000235A000-memory.dmp
memory/5096-139-0x0000000002B60000-0x0000000002BFA000-memory.dmp
memory/5096-143-0x00000000043F0000-0x0000000004DDC000-memory.dmp
memory/5096-144-0x0000000004E40000-0x0000000004F37000-memory.dmp
memory/5096-145-0x000000001F680000-0x000000001F7C3000-memory.dmp
memory/5096-147-0x000000001F970000-0x000000001FA9C000-memory.dmp
memory/5096-146-0x000000001F7D0000-0x000000001F865000-memory.dmp
memory/5096-131-0x0000000001D70000-0x0000000001DC1000-memory.dmp
memory/5096-148-0x0000000022E70000-0x00000000242A7000-memory.dmp
memory/5096-149-0x000000001F870000-0x000000001F8B9000-memory.dmp
memory/5096-150-0x00000000242B0000-0x000000002435A000-memory.dmp
memory/5096-151-0x0000000024360000-0x0000000024A52000-memory.dmp
memory/5096-153-0x000000001F8C0000-0x000000001F8D5000-memory.dmp
memory/5096-154-0x0000000024AB0000-0x0000000024AD5000-memory.dmp
memory/5096-155-0x0000000024AE0000-0x0000000024AF7000-memory.dmp
memory/5096-156-0x0000000024BB0000-0x0000000024BE4000-memory.dmp
memory/5096-152-0x0000000024A60000-0x0000000024AAC000-memory.dmp
memory/5096-158-0x0000000024CB0000-0x0000000024D56000-memory.dmp
memory/5096-157-0x0000000024BF0000-0x0000000024BFB000-memory.dmp
memory/5096-159-0x0000000024C70000-0x0000000024C9A000-memory.dmp
memory/5096-160-0x0000000024E20000-0x0000000024F86000-memory.dmp
memory/5096-161-0x0000000024F90000-0x000000002504F000-memory.dmp
memory/5096-162-0x0000000025050000-0x00000000251E5000-memory.dmp
memory/5096-163-0x0000000025640000-0x0000000025900000-memory.dmp
memory/5096-164-0x0000000026590000-0x00000000268BE000-memory.dmp
memory/5096-165-0x00000000268C0000-0x0000000026B46000-memory.dmp
memory/5096-166-0x0000000026B50000-0x0000000026B80000-memory.dmp
memory/5096-167-0x0000000026B80000-0x0000000026BEC000-memory.dmp
memory/5096-168-0x0000000026BF0000-0x0000000026C0B000-memory.dmp
memory/5096-169-0x0000000026C10000-0x0000000026C47000-memory.dmp
memory/5096-172-0x0000000025AD0000-0x0000000025AD8000-memory.dmp
memory/5096-170-0x0000000026C50000-0x0000000026D27000-memory.dmp
memory/5096-171-0x0000000027130000-0x000000002718C000-memory.dmp
memory/5096-173-0x0000000027190000-0x000000002719B000-memory.dmp
memory/5096-174-0x0000000027EA0000-0x0000000027EB4000-memory.dmp
memory/5096-175-0x0000000027EC0000-0x0000000028089000-memory.dmp
memory/5096-176-0x0000000028090000-0x00000000280E6000-memory.dmp
memory/5096-177-0x00000000280F0000-0x0000000028101000-memory.dmp
memory/5096-179-0x0000000028210000-0x00000000283BC000-memory.dmp
memory/5096-178-0x0000000028180000-0x0000000028188000-memory.dmp
memory/5096-180-0x0000000028720000-0x00000000287BE000-memory.dmp
C:\Users\Admin\AppData\Roaming\lignt syst.exe
| MD5 | 3165e5045b93dd77931c69b373226483 |
| SHA1 | c4652b4087ef45c0ff18f7f01922905bdeb0ffe7 |
| SHA256 | ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3 |
| SHA512 | 07e9821f3ae56b32d6ba6fed9db634c9f5041d2f5c3279f9596dbdb38d8e2d77c8a42a078ef527c8bf87a528fe6f66947098280e2c8d1e8dba5539a8a26e99de |
memory/4060-186-0x0000000000F40000-0x0000000000FB6000-memory.dmp
memory/4060-187-0x0000000004010000-0x00000000049FC000-memory.dmp
memory/4060-188-0x0000000024130000-0x0000000024140000-memory.dmp
memory/4060-189-0x0000000028C80000-0x0000000028C9A000-memory.dmp
memory/4060-190-0x00000000290C0000-0x00000000290C6000-memory.dmp
memory/4060-191-0x0000000004010000-0x00000000049FC000-memory.dmp
memory/4060-192-0x00000000006C0000-0x0000000000723000-memory.dmp
memory/4060-193-0x0000000000730000-0x00000000007DE000-memory.dmp
memory/4060-194-0x0000000001290000-0x00000000014D9000-memory.dmp
memory/4060-195-0x0000000001000000-0x000000000107E000-memory.dmp
memory/4060-196-0x00000000014E0000-0x0000000001581000-memory.dmp
memory/4060-251-0x0000000024130000-0x0000000024140000-memory.dmp
memory/3824-375-0x0000000000400000-0x0000000000416000-memory.dmp
memory/3824-376-0x00007FFF31030000-0x00007FFF31A1C000-memory.dmp
memory/3824-384-0x00000269C4830000-0x00000269C4840000-memory.dmp
memory/4060-435-0x0000000004010000-0x00000000049FC000-memory.dmp
memory/3824-436-0x00007FFF4DEB0000-0x00007FFF4E08B000-memory.dmp
memory/3824-440-0x00000269C4830000-0x00000269C4840000-memory.dmp
memory/3824-439-0x00000269C4830000-0x00000269C4840000-memory.dmp
memory/3824-442-0x00007FFF31030000-0x00007FFF31A1C000-memory.dmp
memory/3824-443-0x00000269C4BF0000-0x00000269C4C66000-memory.dmp
memory/3824-444-0x00000269C4C70000-0x00000269C4D92000-memory.dmp
memory/3824-445-0x00000269ABCE0000-0x00000269ABCFE000-memory.dmp
memory/3824-446-0x00000269C4830000-0x00000269C4840000-memory.dmp
memory/3824-447-0x00000269C4D90000-0x00000269C4EC4000-memory.dmp
memory/3824-448-0x00000269ABE70000-0x00000269ABE7A000-memory.dmp
memory/3824-472-0x00000269C52C0000-0x00000269C52E2000-memory.dmp
memory/3824-473-0x00007FFF4DEB0000-0x00007FFF4E08B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpFEA6.tmp.dat
| MD5 | dcac7589c66728ce87f51aea48746c0c |
| SHA1 | 8bf1e0ddd49c658154017b4efd781b35f2c2b3e5 |
| SHA256 | 41d3cff236378944c160e16cb500f69df28b7b962b9a4f768de1ace20486b2fe |
| SHA512 | 3be051430ffdd638dc0c44876fb4595588d1248bae3623782f02e1eca5b33ad89c33dfa03c3c9ed1fbb434b3237bd810283a4cc3924f4af07b5ac6e0c5b0fad6 |
C:\Users\Admin\AppData\Local\Temp\tmpFEB8.tmp.dat
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |
C:\Users\Admin\AppData\Local\296a85e6e23dcd3bb3d834ed3182be3c\Admin@MCPGVJNB_en-US\System\Process.txt
| MD5 | 5623e66668bb26727a2013cb157ff285 |
| SHA1 | 5a5e29564e0df99a2f2a5da4ba152e6d63a29731 |
| SHA256 | dc839d3bdf975426b2644db390d374de9c05e4a4ebb02c3f216b7157e6723471 |
| SHA512 | da520708193e0ba7d4a7aa9982b6da7f68e44c02e53aa7aa5362a2792a3a30f8bf67b8397bfccbaa602b58fde4b39ee74a10dc19f98e735ca411beb782fafe85 |
memory/3824-566-0x00000269C4830000-0x00000269C4840000-memory.dmp
memory/3824-568-0x00000269C4830000-0x00000269C4840000-memory.dmp
memory/3824-570-0x00000269C5350000-0x00000269C53CA000-memory.dmp
memory/3824-610-0x00000269C53D0000-0x00000269C5454000-memory.dmp
C:\Users\Admin\AppData\Local\296a85e6e23dcd3bb3d834ed3182be3c\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |