Analysis Overview
SHA256
d759f7ea910f871740c8f5f920da899e231b285831e352c10ebe4e75ae7cb936
Threat Level: Known bad
The file Chrome.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
StormKitty payload
StormKitty
Async RAT payload
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-20 08:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-20 08:16
Reported
2023-09-20 08:19
Platform
win7-20230831-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2344 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\Chrome.exe | C:\Windows\system32\WerFault.exe |
| PID 2344 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\Chrome.exe | C:\Windows\system32\WerFault.exe |
| PID 2344 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\Chrome.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2344 -s 112
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-20 08:16
Reported
2023-09-20 08:18
Platform
win10v2004-20230915-en
Max time kernel
65s
Max time network
69s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Chrome.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Chrome.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chrome.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Chrome.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp68DC.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"'
C:\Users\Admin\AppData\Roaming\Chrome.exe
"C:\Users\Admin\AppData\Roaming\Chrome.exe"
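The process list above shows the whole persistence chain in one place: the Temp copy spawns cmd.exe to register a logon task at the highest run level pointing at a copy in AppData\Roaming, a second cmd.exe runs a tmp*.tmp.bat stager that sleeps with timeout.exe and then starts that Roaming copy. The Python below is an added example, not the sandbox's own signature logic, that turns those command lines into five detection rules and runs them over constructed process-creation events. The event schema (pid, ppid, image, cmdline) is an assumption modelled on Sysmon Event ID 1 / EDR process-creation telemetry; PIDs other than 3980 and 1468 (borrowed from the memory-dump names) are invented, and the "where a genuine chrome.exe lives" check is likewise an assumption about standard Google installs.

```python
"""Detection rules for the schtasks/timeout persistence chain in behavioral2.
Added example, not the sandbox's own logic; event schema and PIDs are assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the started image
    cmdline: str   # full command line as logged


# Command-line patterns. Case-insensitive because schtasks/cmd accept any case.
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
SC_ONLOGON = re.compile(r"/sc\s+onlogon\b", re.I)
RL_HIGHEST = re.compile(r"/rl\s+highest\b", re.I)
TN_ARG = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
# The report shows /tr wrapped as '"path"'; strip both quote styles.
TR_ARG = re.compile(r"""/tr\s+['"]+([^'"]+)['"]+""", re.I)
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.bat\b', re.I)
TIMEOUT_CMD = re.compile(r'(?:^|\\)timeout(?:\.exe)?"?\s+(?:/t\s+)?(\d+)', re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\", re.I)
# Assumption: a genuine chrome.exe lives under Google\Chrome\Application
# (per-machine or per-user install); anything else with that name is suspect.
CHROME_LEGIT = re.compile(r"\\Google\\Chrome\\Application\\chrome\.exe$", re.I)

# ATT&CK (Enterprise) technique each rule speaks to.
RULE_TO_ATTACK = {
    "schtasks_onlogon_userdir": "T1053.005",
    "cmd_runs_temp_bat": "T1059.003",
    "timeout_delay_in_temp_bat": "T1497.003",
    "chrome_exe_masquerade": "T1036.005",
    "dropped_task_target_executed": "T1053.005",
}

Finding = Tuple[str, int, str]  # (rule, pid, detail)


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Evaluate the rules over a batch of events in occurrence order.
    Rules 3 and 5 correlate across events (parent cmdline, earlier task target)."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    task_targets: Dict[str, str] = {}   # lower-cased /tr path -> task name
    findings: List[Finding] = []

    for e in events:
        cl = e.cmdline
        image = e.image.lower()

        # 1. Logon-triggered task at highest run level whose action lives in a
        #    user-writable directory. Recorded once per target, so the cmd.exe
        #    wrapper fires and the schtasks.exe child with the same /tr does not.
        if SCHTASKS_CREATE.search(cl) and SC_ONLOGON.search(cl):
            tr = TR_ARG.search(cl)
            target = tr.group(1) if tr else ""
            if USER_WRITABLE.search(target) and target.lower() not in task_targets:
                tn = TN_ARG.search(cl)
                name = tn.group(1) if tn else "?"
                task_targets[target.lower()] = name
                sev = "high" if RL_HIGHEST.search(cl) else "medium"
                findings.append(("schtasks_onlogon_userdir", e.pid,
                                 f"{sev}: task '{name}' -> {target}"))

        # 2. cmd.exe executing a batch file dropped in %TEMP% (tmpXXXX.tmp.bat).
        if image.endswith("\\cmd.exe"):
            bat = TEMP_BAT.search(cl)
            if bat:
                findings.append(("cmd_runs_temp_bat", e.pid, bat.group(0)))

        # 3. timeout.exe used as a sleep, parented by a cmd.exe running such a file.
        m = TIMEOUT_CMD.search(cl)
        parent = by_pid.get(e.ppid)
        if m and parent and TEMP_BAT.search(parent.cmdline):
            findings.append(("timeout_delay_in_temp_bat", e.pid, f"sleep {m.group(1)}s"))

        # 4. A binary named chrome.exe starting from outside Google's install path.
        if image.endswith("\\chrome.exe") and not CHROME_LEGIT.search(e.image):
            findings.append(("chrome_exe_masquerade", e.pid, e.image))

        # 5. The exact file a task was just registered to launch starts running.
        if image in task_targets:
            findings.append(("dropped_task_target_executed", e.pid,
                             f"task '{task_targets[image]}' target started"))
    return findings


ROAMING_COPY = r"C:\Users\Admin\AppData\Roaming\Chrome.exe"
TASK_CMD = ('schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '
            + "'\"" + ROAMING_COPY + "\"'")
# Constructed events mirroring the behavioral2 process list (PIDs assumed).
SAMPLE_EVENTS = [
    ProcEvent(3980, 1200, r"C:\Users\Admin\AppData\Local\Temp\Chrome.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Chrome.exe"'),
    ProcEvent(4104, 3980, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ' + TASK_CMD + " & exit"),
    ProcEvent(4120, 4104, r"C:\Windows\system32\schtasks.exe", TASK_CMD),
    ProcEvent(4136, 3980, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp68DC.tmp.bat""'),
    ProcEvent(4152, 4136, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(1468, 4136, ROAMING_COPY, '"' + ROAMING_COPY + '"'),
    # Benign control: the real browser, which must not trip rule 4.
    ProcEvent(5000, 1200, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{RULE_TO_ATTACK[rule]:10} pid={pid:<5} {rule}: {detail}")
```

Rule 5 is the one worth tuning: it only fires if the task-registration event (here the schtasks command line; in a real pipeline Security event 4698 works as well) and the later process start land in the same correlation window, which is why the batch is evaluated in order rather than event by event.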
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| RU | 185.17.0.246:4449 | | tcp |
| US | 8.8.8.8:53 | 246.0.17.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.22.238.8.in-addr.arpa | udp |
| RU | 185.17.0.246:4449 | | tcp |
| RU | 185.17.0.246:4449 | | tcp |
Files
memory/3980-0-0x0000022899430000-0x0000022899448000-memory.dmp
memory/3980-2-0x00007FFBCD630000-0x00007FFBCE0F1000-memory.dmp
memory/3980-4-0x00000228B36D0000-0x00000228B36E0000-memory.dmp
memory/3980-3-0x00000228B36D0000-0x00000228B36E0000-memory.dmp
memory/3980-5-0x00000228B36D0000-0x00000228B36E0000-memory.dmp
memory/3980-10-0x00007FFBEB490000-0x00007FFBEB685000-memory.dmp
memory/3980-11-0x00007FFBD8E30000-0x00007FFBD8E49000-memory.dmp
memory/3980-12-0x00007FFBCD630000-0x00007FFBCE0F1000-memory.dmp
memory/3980-13-0x00007FFBEB490000-0x00007FFBEB685000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp68DC.tmp.bat
| MD5 | 1ff6f6d2257bfa61572faf73960d6244 |
| SHA1 | dc9ec8cbf4a7f79d0061b35e6ce784b33f404503 |
| SHA256 | 197e620b085740ba6e1227f492d81dfe85efe0f4d8acafaa727734aa0a06af87 |
| SHA512 | c22c35b91ebdb4ed9ef7f07b5e0271f43ec77822297aa65ca1024d59964218b6a8f4d87ac47e2f978680c1282459965cc491093ed65474dd248f812f301ace15 |
C:\Users\Admin\AppData\Roaming\Chrome.exe
| MD5 | addca39503803ebc2679b91ec072e4ea |
| SHA1 | 2cbc529d83090fb67f7a101c539ad319dbd84fff |
| SHA256 | d759f7ea910f871740c8f5f920da899e231b285831e352c10ebe4e75ae7cb936 |
| SHA512 | 7573259f3e566a55fb5eabf174e69842c7cdeacdc934819f6079d5e5e7f8048d6c7d500a22cc6e5422d71a2e831f7ddc605103b36ff8c51f387e7d64b0691c4a |
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Chrome.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/1468-20-0x00007FFBCDC00000-0x00007FFBCE6C1000-memory.dmp
memory/1468-21-0x0000021DAC270000-0x0000021DAC280000-memory.dmp
memory/1468-22-0x0000021DAC270000-0x0000021DAC280000-memory.dmp
memory/1468-23-0x0000021DAC270000-0x0000021DAC280000-memory.dmp
memory/1468-24-0x0000021DAC270000-0x0000021DAC280000-memory.dmp
memory/1468-25-0x00007FFBD8E30000-0x00007FFBD8E49000-memory.dmp
memory/1468-26-0x0000021DAC270000-0x0000021DAC280000-memory.dmp
memory/1468-27-0x0000021DAC270000-0x0000021DAC280000-memory.dmp
memory/1468-28-0x00007FFBCDC00000-0x00007FFBCE6C1000-memory.dmp
memory/1468-29-0x0000021DAC270000-0x0000021DAC280000-memory.dmp
memory/1468-30-0x0000021DAC270000-0x0000021DAC280000-memory.dmp
memory/1468-31-0x0000021DAC270000-0x0000021DAC280000-memory.dmp
memory/1468-32-0x0000021DAC270000-0x0000021DAC280000-memory.dmp
memory/1468-33-0x0000021DC4E70000-0x0000021DC4EE6000-memory.dmp
memory/1468-34-0x0000021DC5180000-0x0000021DC52A2000-memory.dmp
memory/1468-35-0x0000021DC4DD0000-0x0000021DC4DEE000-memory.dmp
memory/1468-74-0x0000021DC4EF0000-0x0000021DC4F12000-memory.dmp
memory/1468-75-0x0000021DC5610000-0x0000021DC5744000-memory.dmp
memory/1468-76-0x0000021DAC290000-0x0000021DAC29A000-memory.dmp