Analysis
max time kernel: 136s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2023 01:47
Static task
static1
Behavioral task
behavioral1
Sample
PROFORMA INVOICE.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
PROFORMA INVOICE.exe
Resource
win10v2004-20230915-en
General
Target: PROFORMA INVOICE.exe
Size: 169KB
MD5: ea3090debf7241bf0c754c6e30c4a46c
SHA1: f238fbb8bfe0e8c417e9b7ba8e192cd9948c88d2
SHA256: 0f757aaa17a6d470967a7e011d6016985dafeaaf409d72a008f970e827894065
SHA512: 4f50447ae754e839d9ea8b013ee0a5fe51ce3996e1745c18fe87c70fad3bdab3d2cdf38e4e77d057671d8c470523c329758ee09cc3e55af9c2a1560d9ffd9a74
SSDEEP: 3072:hR+GZNq7KCQBvB4jvA6gMqEqF2A0K0jyzWiPAwHsrUYMP4qY:h3e+fvBMI6gTTF2A07jy+wMoYJq
Malware Config
Extracted
Family: asyncrat
Botnet: Default
C2: 79.134.225.113:9346
Mutex: KωUORNيקzXשuZ伊Ufo开MΖ
Attributes:
delay: 1
install: false
install_folder: %AppData%
Signatures
- Stealerium
An open source info stealer written in C# first seen in May 2022.
- StormKitty
StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoC)
resource: behavioral2/memory/1156-29-0x0000000007600000-0x0000000007722000-memory.dmp, yara_rule: family_stormkitty
- Async RAT payload (2 IoCs)
resource: behavioral2/memory/1156-9-0x0000000000400000-0x0000000000416000-memory.dmp, yara_rule: asyncrat
resource: behavioral2/memory/1156-21-0x0000000007100000-0x0000000007288000-memory.dmp, yara_rule: asyncrat
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
cvtres.exe: Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
cvtres.exe: Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
cvtres.exe: Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Suspicious use of SetThreadContext (1 IoC)
PID 3736 (PROFORMA INVOICE.exe) set thread context of PID 1156 (cvtres.exe)
- Program crash (1 IoC)
PID 1740 (WerFault.exe), target PID 1156 (cvtres.exe)
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
PID 3736 PROFORMA INVOICE.exe (8 entries)
PID 1156 cvtres.exe (23 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 3736 PROFORMA INVOICE.exe
Token: SeDebugPrivilege, PID 1156 cvtres.exe
- Suspicious use of WriteProcessMemory (39 IoCs)
PID 3736 PROFORMA INVOICE.exe wrote to memory of PID 4672 RegAsm.exe (3 entries)
PID 3736 PROFORMA INVOICE.exe wrote to memory of PID 2876 WsatConfig.exe (2 entries)
PID 3736 PROFORMA INVOICE.exe wrote to memory of PID 460 jsc.exe (3 entries)
PID 3736 PROFORMA INVOICE.exe wrote to memory of PID 5052 SMSvcHost.exe (2 entries)
PID 3736 PROFORMA INVOICE.exe wrote to memory of PID 1156 cvtres.exe (8 entries)
PID 1156 cvtres.exe wrote to memory of PID 2756 cmd.exe (3 entries)
PID 2756 cmd.exe wrote to memory of PID 2100 chcp.com (3 entries)
PID 2756 cmd.exe wrote to memory of PID 4744 netsh.exe (3 entries)
PID 2756 cmd.exe wrote to memory of PID 4040 findstr.exe (3 entries)
PID 1156 cvtres.exe wrote to memory of PID 5012 cmd.exe (3 entries)
PID 5012 cmd.exe wrote to memory of PID 4064 chcp.com (3 entries)
PID 5012 cmd.exe wrote to memory of PID 2868 netsh.exe (3 entries)
- outlook_office_path (1 IoC)
cvtres.exe: Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
cvtres.exe: Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe (PID 3736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4672)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe (PID 2876)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (PID 460)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (PID 5052)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1156)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    Signatures: Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
    - C:\Windows\SysWOW64\cmd.exe (PID 2756)
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com (PID 2100)
        Command line: chcp 65001
      - C:\Windows\SysWOW64\netsh.exe (PID 4744)
        Command line: netsh wlan show profile
      - C:\Windows\SysWOW64\findstr.exe (PID 4040)
        Command line: findstr All
    - C:\Windows\SysWOW64\WerFault.exe (PID 1740)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 3140
      Signatures: Program crash
    - C:\Windows\SysWOW64\cmd.exe (PID 5012)
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com (PID 4064)
        Command line: chcp 65001
      - C:\Windows\SysWOW64\netsh.exe (PID 2868)
        Command line: netsh wlan show networks mode=bssid
- C:\Windows\SysWOW64\WerFault.exe (PID 1452)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1156 -ip 1156
Downloads
- C:\Users\Admin\AppData\Local\55c93886b9f2f6b232495f25127eab55\Admin@SMIJWJMH_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
- C:\Users\Admin\AppData\Local\55c93886b9f2f6b232495f25127eab55\Admin@SMIJWJMH_en-US\System\Process.txt
  Filesize: 3KB
  MD5: 858d21e9c2b2d58d5ce420a35ef26fa2
  SHA1: 44d7c7367b1300076c7499452ca2930e67bace5b
  SHA256: a3bd8d66cbad3964b03e1f4f664b1e665984ef2d3b9f69c1d57190191cf03cc8
  SHA512: 77e458f9380fc1ebd43dee0abcc045f99480e7ae46932d4654cc661c78d1ae83ca0cb38afb8cbacaf9e5acf3a205cbbdcbb65d2129a90eb42bb507fa0ebd7409
- Filesize: 5.0MB
  MD5: d323a4dc560e546b81bc8cb0c92b3b88
  SHA1: d1f635b2406aefe247f56239fd6a0ab02710149d
  SHA256: 403bbe142a59f699a89903789ea0c9fa0e606bf67bde3b750c631323ce70e6c6
  SHA512: 8e85ac339c215c07532f41d45c7f1d475675f69928ddc25bc3e7af49487732936b171e71355fe4888de325a7cff3283aa8025749f202983a6d7ea2832c40afd7
- Filesize: 92KB
  MD5: 6e98ae51f6cacb49a7830bede7ab9920
  SHA1: 1b7e9e375bd48cae50343e67ecc376cf5016d4ee
  SHA256: 192cd04b9a4d80701bb672cc3678912d1df8f6b987c2b4991d9b6bfbe8f011fd
  SHA512: 3e7cdda870cbde0655cc30c2f7bd3afee96fdfbe420987ae6ea2709089c0a8cbc8bb9187ef3b4ec3f6a019a9a8b465588b61029869f5934e0820b2461c4a9b2b
- Filesize: 148KB
  MD5: 90a1d4b55edf36fa8b4cc6974ed7d4c4
  SHA1: aba1b8d0e05421e7df5982899f626211c3c4b5c1
  SHA256: 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
  SHA512: ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2