Analysis Overview
SHA256
5c206519b44d99681aa637386f513175572ec510e83ef24590f5310fd41f373c
Threat Level: Known bad
The file 5c206519b44d99681aa637386f513175572ec510e83ef24590f5310fd41f373c was found to be: Known bad.
Malicious Activity Summary
AsyncRat
StormKitty
StormKitty payload
Stealerium
Async RAT payload
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
Program crash
outlook_win_path
outlook_office_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-04 01:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-04 01:47
Reported
2023-10-04 01:50
Platform
win7-20230831-en
Max time kernel
142s
Max time network
138s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1368 set thread context of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50f1bee164f6d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0C6C6AE1-6258-11EE-8877-7200988DF339} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000a4ea516fac787c1f0a61389296145b1b0e7053dd6463a489812a6e09f8369ed1000000000e8000000002000020000000ec61145ae031d89b07069b9e3c7fdc7372901593e778d1e357b17652277649a120000000f5de8963d71414b36e53343bd5d868d8378520edf3926b83b0bc09edbaaa9a644000000066f6b260af913a30e07c616d8db7fa29f02891cb1a185b3b42de5f80dc4e5e466f5d75b9bea1f0671dad78f234c1eb1152daece728f776192dde77732b781226 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402545949" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/1368-0-0x0000000000160000-0x0000000000190000-memory.dmp
memory/1368-1-0x0000000074AF0000-0x00000000751DE000-memory.dmp
memory/1368-2-0x0000000004640000-0x0000000004680000-memory.dmp
memory/1368-3-0x00000000004B0000-0x00000000004D8000-memory.dmp
memory/1368-4-0x0000000000580000-0x000000000059A000-memory.dmp
memory/1200-5-0x0000000000400000-0x0000000000416000-memory.dmp
memory/1200-7-0x0000000000400000-0x0000000000416000-memory.dmp
memory/1200-9-0x0000000000400000-0x0000000000416000-memory.dmp
memory/1368-10-0x0000000074AF0000-0x00000000751DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab6E2F.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar6F1E.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f54bb4c86fb49b638d4d352c5ced24fa |
| SHA1 | e05a42d973943d4385880b6da641ccbda1654eff |
| SHA256 | ea2a78c5e090eaa114e1258e2ad0dda9f6f4f13081178946f0c6e6d853bd9727 |
| SHA512 | 1badfdaac128525a4e65bbcf39b8e527aa1b01b28af403d30af9873f25a05c0efcf386964fe96fda7a2da960293833260639bf4bf0ba30bba33dd626afdfc05f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5ace79420c8049399bbf5114f5a69a93 |
| SHA1 | 934947c4faa91cd567b42f150452341222f57502 |
| SHA256 | ab831285c2cd9523a2a34fe0d4d1dd3918f6eb47609dfdf1960a7b129c5bb1d4 |
| SHA512 | 6fd674823947e5ea88f5ee7ae8f38acc44eb75e5cfa5f5a4c53ce7ecc97c4325779ade65c3418a5d887e926ce67d2fa9476a423696ade22fc5a459aa1ef3dc6c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0cdd6ee36f188b92db38740d05c7577b |
| SHA1 | f044cb89b2a3699adc06206a47876f9d4e047a58 |
| SHA256 | 8a97340ad2d2d238744d7a477dd1270d6799b23904ac28b701afcd803e852b83 |
| SHA512 | 2269561ea830bc1323b950b1df6c0866cef252f55907759fb447c262af5007e792fcd28285e40c70f8ad64073edc91ee742591fc5ec70aaca0e6f4c4bd41af29 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d9fc8204e92f1bb31f00b8a19a499b1a |
| SHA1 | a30ad565f4a36869da1644188723d4556e142c9d |
| SHA256 | bda7a3b1cce197526432cff97f6c83a0c31064b81c279b4c580563fe0e56e3db |
| SHA512 | 14a5fd177bda328a96282b8b79098dcd6899136d38791cb9869685be7846b66cc8a38212dbcf04f6fd0785355107c5cfb5ab2f330ba6c6b5411cc2304219c4f6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8ca9070146931dbd4612304547deb3de |
| SHA1 | ed23cba466efc38ea95f86807aebea4752bdd0fe |
| SHA256 | b979622c9f9297a7390b2f9d95db6639883c696da837928ceef763317b848769 |
| SHA512 | a492b00f5fed2adc4866e9a98fc7288b4499c05b285cd31bca3a19e5196fd32318cbc9e6722cbd2950ab4f72e5841c7faaac948695e9d2eeee19c59888d481f7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7a339cb58715c86ca3036332cb5898cd |
| SHA1 | 3ffdc69fe9e84d9b2985c276b6bc4141bcb4724f |
| SHA256 | 443aa6f14679bc42314abebe329a5158ded709dbc49f311c44335e40a81f1368 |
| SHA512 | d2a92646f46efce78701528450cecc9e45526b5b998a91a20b23386b83ff55eff9789cced4a5f9f84c5e69285c24cbb3aad7a91fa669857d1df65ea570400f66 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 72d9fd08f8bf627c8d2ab88b6c176969 |
| SHA1 | 85848a3531a1cfb2f24e7982353ae6aad77546b8 |
| SHA256 | faf33d28c755a3ed088a224865329a034d945c973790627d1b910c0f4f9e8abc |
| SHA512 | 8db10df8901b85f16f2847349085569f8b936f9852076da864f77b911503f8d2a144aca0bb30d8df22e71ef24e883c42f242c5df6c2a025606ff5cdaa8420875 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 930bd4356417732d96d5603e734dc02b |
| SHA1 | 62893fa6f4efdbcd996d958686fa6e076964f2d7 |
| SHA256 | 1e0abcaeb341bae212f56a6e292299cdcda4438a6fd0ebe77b0aba29af6e79c3 |
| SHA512 | 288cf38c865aebad3d1ce94d716ca558a029ac255c96e0a517cda0b33ad530eb08bfc874866910bdbdcbdebbc6e69edee021cf23c2b87a66ff2c2dbe1125e782 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f3b62cfb5095984ae744d10012ab8af6 |
| SHA1 | 7b23886a196e06db66bcb253ff4a245eb091852d |
| SHA256 | e452a2a2ca5b6dc6e5a506f71ef8e494daeb66c1200f0ddd1bae6f7121ebfc3d |
| SHA512 | 0447be44e4dd4d32c37fe0f41ac1882ae4be0f3596510265991c153e9354e527e70b2cf9c53413fe36d9d186975acb0356aa49e7adc4a1f5462b860db21fcc30 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2239d812c70709414dc78a95226ad191 |
| SHA1 | 259eebd87572a5d30613fe1aae1288939fa2b287 |
| SHA256 | 923ea01ff21fd74e00d98f7928ba2569aa8cf48faacb98b6db0854b29dba85b3 |
| SHA512 | 285a484dc274609b1d709d810d301cc73284da34b7d287c10e97685727bc9dcc187b4a657c219e2ab3feb53b36c754915c2b554ee17bc21e96111c22dfcee46d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3a9aadb27863aa8977d2fdfe97d118c1 |
| SHA1 | 323ecab0b72d92cf698c6ec31ab16123cd3bec1f |
| SHA256 | c72eb2c60badfe4de71cc7e79d72409c21265ace722d19959a7ee669632a8783 |
| SHA512 | d274fe63855fbcaac1aca60a301e8af68d4ee8a844d7bb7128f02e1b4239de1e26d691b5bc371db44540462c7c8d79c4c862086ea2a23d610521f6f24cac4da9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb16ee1e0909e2a67a0ee044c55489a5 |
| SHA1 | 5f92483c6db9c98dc3732784d5422ec814d0c702 |
| SHA256 | 2f2061faa14e02b18c3fef74fa1806e5f0405aa7a19af28f16df3c9e0361af48 |
| SHA512 | cba0a189ff30608017895f834e174ded27be7b6960116d5dd95924006aedc1febf44db9b5187ad0c3e2dd689e0bf22ddcb1bc5697cde22772e4f2eb41888d0f8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5e4ac3b6ce3e13fcded1969496b61254 |
| SHA1 | 3ed53a415de2a141f93a5d5d6cddb34653a7cbdc |
| SHA256 | c96aac358357561d07651727b95a268585020d550df42a9f33d728eeb16a231d |
| SHA512 | b88263cb18458a437ba05204e873bc476008b28b904039a287adf348386a407de1284d0c0f2fefe02dcb986a650c09023044369ee7605aaf379adc33660e577e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8cbf9c2dbb20464245a098d6046890d9 |
| SHA1 | e9d26d99caea088579a0e639359e0f36efa229e2 |
| SHA256 | 41d213e787588a6149a23ad82ece82895a9ae9bd450e828b9e75b05e993eadec |
| SHA512 | 4ae0bd62f232bddd89982acc48e3ff225cd2b7bd272a119376b87812e55f0f92876bbafd902417ed49344a10890703f38696c6c40fa283619841b6db076eaab7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 663e83b10f50894d3815a55ddb70663d |
| SHA1 | db7bbbde5e4b805add8c9cb73a216d1f5957136a |
| SHA256 | a6b104d47469c309a803e8010385241cc6dd4f9948e037cb92215b392c962caa |
| SHA512 | 104b7b6269f57bd355abed38cd8093bc369d5e4bf31c601d5a7e469ca36a8ac104da669d60948e6d0443c3da1cd2c788fd1f4eb75f6f1fe48151a6abbd0420cf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 40708b0eb6eab6975151c12d52ef84f3 |
| SHA1 | fa5b3a4ea5bf8acca85f6205f85e76e09fca9707 |
| SHA256 | 6517cbc333014b43bff637bb300220d18b570c7d849fad5b37ed4e1742218b48 |
| SHA512 | 0b89448fdcdc6204216bc22c04cb4247b0cf65553952b639e5592307da9e1a3aed136ef55fa7b124ed5be1a4c81a132b35c8e615fac5f17d4df48cba3b5aeb15 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 18069ab3a443e6fde608861d2e99ec2c |
| SHA1 | 57668c998392ed349c153b0ec7a84544733e4d71 |
| SHA256 | 7ab0ba901c28271918f5e393e5aa36160b72459388843ace7ff910113245a1e6 |
| SHA512 | 7951362f64ec1e1314d137d13b7c6bd398e252ca4b37488727a179dc25f50b3f3f7ba451782caff933c7a265cc891f78c1ecbe15890ad6b7ba8da3fa32ae4e8e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d440b9321eb35150cc78baeae3b2fa6a |
| SHA1 | fd3fee950e273fee1fba632a50fc15c03642b048 |
| SHA256 | 7be056c0174197075ca15fb6730b9fc1158de729e0cfa4fbb430129c20173c6a |
| SHA512 | 6d2fbfcf24a66510f99453539179067750402bfd44e66e96b29b08037bf6103b748f31955981758d085fa2cdf901346404b7e3b0d361a01de4e8a7ec1949949d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e5eeafa9136ffedda531d8ca4d17b8bf |
| SHA1 | 745f8c4665e0fe8396df3b6d3ff0b1ff7494ebb7 |
| SHA256 | ea627d0c3fa5397a665265c533362fa70a78a416103a2b0c0b1470b6d2d7b36d |
| SHA512 | 59ad96ed16acb3bb21167c9e93f77f1e3af9bbccdbd8ba192a8e6752832048503c9a7e1b73c617638d745573b0476f12e05e791ae2b640e5520b6025d217f416 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-04 01:47
Reported
2023-10-04 01:50
Platform
win10v2004-20230915-en
Max time kernel
136s
Max time network
137s
Command Line
Signatures
AsyncRat
Stealerium
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3736 set thread context of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1156 -ip 1156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 3140
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| N/A | 10.127.0.118:9346 | N/A | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| DE | 79.134.225.113:9346 | N/A | tcp |
| US | 8.8.8.8:53 | 113.225.134.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| DE | 79.134.225.113:9346 | N/A | tcp |
| DE | 79.134.225.113:9346 | N/A | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
memory/3736-0-0x0000000000890000-0x00000000008C0000-memory.dmp
memory/3736-1-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/3736-2-0x00000000057E0000-0x0000000005D84000-memory.dmp
memory/3736-3-0x00000000052D0000-0x0000000005362000-memory.dmp
memory/3736-4-0x0000000005370000-0x000000000540C000-memory.dmp
memory/3736-5-0x0000000005270000-0x0000000005280000-memory.dmp
memory/3736-6-0x0000000005280000-0x000000000528A000-memory.dmp
memory/3736-7-0x00000000055B0000-0x00000000055D8000-memory.dmp
memory/3736-8-0x0000000005620000-0x000000000563A000-memory.dmp
memory/1156-9-0x0000000000400000-0x0000000000416000-memory.dmp
memory/1156-11-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/3736-12-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/1156-13-0x0000000005350000-0x0000000005360000-memory.dmp
memory/1156-14-0x00000000771F1000-0x00000000771F2000-memory.dmp
memory/1156-15-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/1156-16-0x0000000005350000-0x0000000005360000-memory.dmp
memory/1156-19-0x0000000005B30000-0x0000000005B96000-memory.dmp
memory/1156-20-0x0000000007080000-0x00000000070F6000-memory.dmp
memory/1156-21-0x0000000007100000-0x0000000007288000-memory.dmp
memory/1156-22-0x0000000007020000-0x000000000703E000-memory.dmp
memory/1156-27-0x0000000007060000-0x000000000706A000-memory.dmp
memory/1156-29-0x0000000007600000-0x0000000007722000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp6BBA.tmp.dat
| MD5 | 6e98ae51f6cacb49a7830bede7ab9920 |
| SHA1 | 1b7e9e375bd48cae50343e67ecc376cf5016d4ee |
| SHA256 | 192cd04b9a4d80701bb672cc3678912d1df8f6b987c2b4991d9b6bfbe8f011fd |
| SHA512 | 3e7cdda870cbde0655cc30c2f7bd3afee96fdfbe420987ae6ea2709089c0a8cbc8bb9187ef3b4ec3f6a019a9a8b465588b61029869f5934e0820b2461c4a9b2b |
C:\Users\Admin\AppData\Local\Temp\tmp6BDC.tmp.dat
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |
memory/1156-64-0x0000000006CD0000-0x0000000006CF2000-memory.dmp
C:\Users\Admin\AppData\Local\55c93886b9f2f6b232495f25127eab55\Admin@SMIJWJMH_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
memory/1156-79-0x0000000008A00000-0x0000000008D54000-memory.dmp
C:\Users\Admin\AppData\Local\55c93886b9f2f6b232495f25127eab55\Admin@SMIJWJMH_en-US\System\Process.txt
| MD5 | 858d21e9c2b2d58d5ce420a35ef26fa2 |
| SHA1 | 44d7c7367b1300076c7499452ca2930e67bace5b |
| SHA256 | a3bd8d66cbad3964b03e1f4f664b1e665984ef2d3b9f69c1d57190191cf03cc8 |
| SHA512 | 77e458f9380fc1ebd43dee0abcc045f99480e7ae46932d4654cc661c78d1ae83ca0cb38afb8cbacaf9e5acf3a205cbbdcbb65d2129a90eb42bb507fa0ebd7409 |
C:\Users\Admin\AppData\Local\55c93886b9f2f6b232495f25127eab55\Admin@SMIJWJMH_en-US\System\Process.txt
| MD5 | 858d21e9c2b2d58d5ce420a35ef26fa2 |
| SHA1 | 44d7c7367b1300076c7499452ca2930e67bace5b |
| SHA256 | a3bd8d66cbad3964b03e1f4f664b1e665984ef2d3b9f69c1d57190191cf03cc8 |
| SHA512 | 77e458f9380fc1ebd43dee0abcc045f99480e7ae46932d4654cc661c78d1ae83ca0cb38afb8cbacaf9e5acf3a205cbbdcbb65d2129a90eb42bb507fa0ebd7409 |
C:\Users\Admin\AppData\Local\Temp\places.raw
| MD5 | d323a4dc560e546b81bc8cb0c92b3b88 |
| SHA1 | d1f635b2406aefe247f56239fd6a0ab02710149d |
| SHA256 | 403bbe142a59f699a89903789ea0c9fa0e606bf67bde3b750c631323ce70e6c6 |
| SHA512 | 8e85ac339c215c07532f41d45c7f1d475675f69928ddc25bc3e7af49487732936b171e71355fe4888de325a7cff3283aa8025749f202983a6d7ea2832c40afd7 |
C:\Users\Admin\AppData\Local\55c93886b9f2f6b232495f25127eab55\Admin@SMIJWJMH_en-US\System\Process.txt
| MD5 | 858d21e9c2b2d58d5ce420a35ef26fa2 |
| SHA1 | 44d7c7367b1300076c7499452ca2930e67bace5b |
| SHA256 | a3bd8d66cbad3964b03e1f4f664b1e665984ef2d3b9f69c1d57190191cf03cc8 |
| SHA512 | 77e458f9380fc1ebd43dee0abcc045f99480e7ae46932d4654cc661c78d1ae83ca0cb38afb8cbacaf9e5acf3a205cbbdcbb65d2129a90eb42bb507fa0ebd7409 |
memory/1156-190-0x0000000005350000-0x0000000005360000-memory.dmp
memory/1156-198-0x0000000007860000-0x00000000078AC000-memory.dmp
memory/1156-205-0x00000000746F0000-0x0000000074EA0000-memory.dmp