Analysis Overview
SHA256
584a847c7e779a2951440152072b93e4ecccb1b86148a2e289c2ccb86962ac34
Threat Level: Known bad
The file 41c3b05debb26645393a5c7253f28e77 was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
A310logger
StormKitty
A310logger Executable
Reads user/profile data of web browsers
Reads local data of messenger clients
Executes dropped EXE
Looks up geolocation information via web service
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
outlook_office_path
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
outlook_win_path
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-25 22:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-25 22:59
Reported
2023-12-26 23:05
Platform
win7-20231215-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1104 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe |
| PID 1104 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe |
| PID 1104 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe |
| PID 1104 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe
"C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe"
C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe
"C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe"
Network
Files
memory/1104-1-0x00000000000D0000-0x00000000001D0000-memory.dmp
memory/1104-2-0x00000000000C0000-0x00000000000C2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-25 22:59
Reported
2023-12-26 23:05
Platform
win10v2004-20231215-en
Max time kernel
110s
Max time network
104s
Command Line
Signatures
A310logger
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
A310logger Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3924 set thread context of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe |
| PID 1236 set thread context of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe |
| PID 1236 set thread context of 332 | N/A | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe |
| PID 1236 set thread context of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe
"C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe"
C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe
"C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3924 -ip 3924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 368
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 80
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4748 -ip 4748
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | 97.115.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 88.221.134.51:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.231.121.79:80 | | tcp |
| N/A | 20.103.156.88:443 | | tcp |
| N/A | 20.103.156.88:443 | | tcp |
| N/A | 20.103.156.88:443 | | tcp |
| GB | 88.221.134.51:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 88.221.134.51:80 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| GB | 88.221.134.51:80 | | tcp |
| GB | 88.221.134.51:80 | | tcp |
| GB | 88.221.134.51:80 | | tcp |
| GB | 88.221.134.51:80 | | tcp |
| GB | 88.221.134.51:80 | | tcp |
| GB | 88.221.134.51:80 | | tcp |
Files
memory/1236-5-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1992-8-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1992-10-0x0000000001880000-0x0000000001890000-memory.dmp
memory/1992-11-0x0000000073C20000-0x00000000741D1000-memory.dmp
memory/1992-9-0x0000000073C20000-0x00000000741D1000-memory.dmp
memory/1236-3-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3924-2-0x0000000000A60000-0x0000000000A62000-memory.dmp
memory/3924-1-0x0000000000440000-0x0000000000540000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
| MD5 | 1bad0cbd09b05a21157d8255dc801778 |
| SHA1 | ff284bba12f011b72e20d4c9537d6c455cdbf228 |
| SHA256 | 218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9 |
| SHA512 | 4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533 |
memory/1028-23-0x00007FFBE86F0000-0x00007FFBE9091000-memory.dmp
memory/1028-24-0x00000000019E0000-0x00000000019F0000-memory.dmp
memory/1028-28-0x00007FFBE86F0000-0x00007FFBE9091000-memory.dmp
memory/1028-29-0x00007FFBE86F0000-0x00007FFBE9091000-memory.dmp
memory/1992-31-0x0000000073C20000-0x00000000741D1000-memory.dmp
memory/1236-32-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.log
| MD5 | 5370d1dff94d27a9a6cfab002a5c444b |
| SHA1 | fecadd9e884c57822ebeae897a3989c0e678fd1a |
| SHA256 | 0ddb4ec9a919c3566a4ab48ce605f24816e6fb2efdd6e4070a54a1f5912ec946 |
| SHA512 | 67a3787e49e7d8ea23b3e1766639b36e685cf404042bc270f5c43dc0b0f50623778cb98c013577b3a0a3b425b608ff4e944e29df3725425ce6383759fe7534eb |
memory/332-36-0x0000000073E30000-0x00000000743E1000-memory.dmp
memory/332-37-0x0000000001240000-0x0000000001250000-memory.dmp
memory/332-38-0x0000000073E30000-0x00000000743E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\MZ.exe.log
| MD5 | 3d238ac6dd6710907edf2ad7893a0ed2 |
| SHA1 | b07aaeeb31bdc6e94097a254be088b092dc1fb68 |
| SHA256 | 02d215d5b6ea166e6c4c4669547cbadecbb427d5baf394fbffc7ef374a967501 |
| SHA512 | c358aa68303aa99ebc019014b4c1fc2fbfa98733f1ea863bf78ca2b877dc5c610121115432d96504df9e43bdda637b067359b07228b6f129bc5ec9a01ed3ee24 |
memory/3024-51-0x00007FFBE8160000-0x00007FFBE8B01000-memory.dmp
memory/3024-52-0x0000000001400000-0x0000000001410000-memory.dmp
memory/3024-54-0x00007FFBE8160000-0x00007FFBE8B01000-memory.dmp
memory/3024-53-0x00007FFBE8160000-0x00007FFBE8B01000-memory.dmp
memory/332-55-0x0000000073E30000-0x00000000743E1000-memory.dmp
memory/3024-56-0x00007FFBE8160000-0x00007FFBE8B01000-memory.dmp