Malware Analysis Report

2025-01-03 06:30

Sample ID: 230920-j6md6ahb37
Target: Chrome.exe
SHA256: d759f7ea910f871740c8f5f920da899e231b285831e352c10ebe4e75ae7cb936
Tags: asyncrat stormkitty default discovery rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d759f7ea910f871740c8f5f920da899e231b285831e352c10ebe4e75ae7cb936

Threat Level: Known bad

The file Chrome.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default discovery rat spyware stealer

AsyncRat

StormKitty payload

StormKitty

Async RAT payload

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Checks installed software on the system

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-20 08:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-20 08:16

Reported

2023-09-20 08:19

Platform

win7-20230831-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Chrome.exe"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2344 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\Chrome.exe | C:\Windows\system32\WerFault.exe
PID 2344 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\Chrome.exe | C:\Windows\system32\WerFault.exe
PID 2344 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\Chrome.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Chrome.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2344 -s 112

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-20 08:16

Reported

2023-09-20 08:18

Platform

win10v2004-20230915-en

Max time kernel

65s

Max time network

69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Chrome.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Chrome.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Chrome.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Chrome.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Chrome.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Chrome.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp68DC.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"'

C:\Users\Admin\AppData\Roaming\Chrome.exe

"C:\Users\Admin\AppData\Roaming\Chrome.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
RU | 185.17.0.246:4449 | | tcp
US | 8.8.8.8:53 | 246.0.17.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.22.238.8.in-addr.arpa | udp
RU | 185.17.0.246:4449 | | tcp
RU | 185.17.0.246:4449 | | tcp

Files

memory/3980-0-0x0000022899430000-0x0000022899448000-memory.dmp

memory/3980-2-0x00007FFBCD630000-0x00007FFBCE0F1000-memory.dmp

memory/3980-4-0x00000228B36D0000-0x00000228B36E0000-memory.dmp

memory/3980-3-0x00000228B36D0000-0x00000228B36E0000-memory.dmp

memory/3980-5-0x00000228B36D0000-0x00000228B36E0000-memory.dmp

memory/3980-10-0x00007FFBEB490000-0x00007FFBEB685000-memory.dmp

memory/3980-11-0x00007FFBD8E30000-0x00007FFBD8E49000-memory.dmp

memory/3980-12-0x00007FFBCD630000-0x00007FFBCE0F1000-memory.dmp

memory/3980-13-0x00007FFBEB490000-0x00007FFBEB685000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp68DC.tmp.bat

MD5 1ff6f6d2257bfa61572faf73960d6244
SHA1 dc9ec8cbf4a7f79d0061b35e6ce784b33f404503
SHA256 197e620b085740ba6e1227f492d81dfe85efe0f4d8acafaa727734aa0a06af87
SHA512 c22c35b91ebdb4ed9ef7f07b5e0271f43ec77822297aa65ca1024d59964218b6a8f4d87ac47e2f978680c1282459965cc491093ed65474dd248f812f301ace15

C:\Users\Admin\AppData\Roaming\Chrome.exe

MD5 addca39503803ebc2679b91ec072e4ea
SHA1 2cbc529d83090fb67f7a101c539ad319dbd84fff
SHA256 d759f7ea910f871740c8f5f920da899e231b285831e352c10ebe4e75ae7cb936
SHA512 7573259f3e566a55fb5eabf174e69842c7cdeacdc934819f6079d5e5e7f8048d6c7d500a22cc6e5422d71a2e831f7ddc605103b36ff8c51f387e7d64b0691c4a

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Chrome.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/1468-20-0x00007FFBCDC00000-0x00007FFBCE6C1000-memory.dmp

memory/1468-21-0x0000021DAC270000-0x0000021DAC280000-memory.dmp

memory/1468-22-0x0000021DAC270000-0x0000021DAC280000-memory.dmp

memory/1468-23-0x0000021DAC270000-0x0000021DAC280000-memory.dmp

memory/1468-24-0x0000021DAC270000-0x0000021DAC280000-memory.dmp

memory/1468-25-0x00007FFBD8E30000-0x00007FFBD8E49000-memory.dmp

memory/1468-26-0x0000021DAC270000-0x0000021DAC280000-memory.dmp

memory/1468-27-0x0000021DAC270000-0x0000021DAC280000-memory.dmp

memory/1468-28-0x00007FFBCDC00000-0x00007FFBCE6C1000-memory.dmp

memory/1468-29-0x0000021DAC270000-0x0000021DAC280000-memory.dmp

memory/1468-30-0x0000021DAC270000-0x0000021DAC280000-memory.dmp

memory/1468-31-0x0000021DAC270000-0x0000021DAC280000-memory.dmp

memory/1468-32-0x0000021DAC270000-0x0000021DAC280000-memory.dmp

memory/1468-33-0x0000021DC4E70000-0x0000021DC4EE6000-memory.dmp

memory/1468-34-0x0000021DC5180000-0x0000021DC52A2000-memory.dmp

memory/1468-35-0x0000021DC4DD0000-0x0000021DC4DEE000-memory.dmp

memory/1468-74-0x0000021DC4EF0000-0x0000021DC4F12000-memory.dmp

memory/1468-75-0x0000021DC5610000-0x0000021DC5744000-memory.dmp

memory/1468-76-0x0000021DAC290000-0x0000021DAC29A000-memory.dmp