Analysis
-
max time kernel
63s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
04-01-2024 20:18
Static task
static1
Behavioral task
behavioral1
Sample
41c3b05debb26645393a5c7253f28e77.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
41c3b05debb26645393a5c7253f28e77.exe
Resource
win10v2004-20231215-en
General
-
Target
41c3b05debb26645393a5c7253f28e77.exe
-
Size
594KB
-
MD5
41c3b05debb26645393a5c7253f28e77
-
SHA1
e1e8fcfdc15c34f7e1ce974e4278e79879fe86ae
-
SHA256
584a847c7e779a2951440152072b93e4ecccb1b86148a2e289c2ccb86962ac34
-
SHA512
c24771dee7d0e7651b2530623332c28b434da98cc3dbadf3af597225d71a9f2c699bd65f9155424ded2e3902ca1a2f63bc234345b10db9f06e724e9d90ec8351
-
SSDEEP
12288:SfX25LrCxNuYlc+zakllH7RaR00QHtHx6fsZAvantxK13v6pcL4cUikDXR6sVc+i:SfX25LrCxNuYlcSXt0ehkASIN3CTmv+
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 5 IoCs
resource yara_rule behavioral1/memory/2080-31-0x0000000000400000-0x0000000000418000-memory.dmp family_stormkitty behavioral1/memory/2080-29-0x0000000000400000-0x0000000000418000-memory.dmp family_stormkitty behavioral1/memory/2080-27-0x0000000000400000-0x0000000000418000-memory.dmp family_stormkitty behavioral1/memory/2080-23-0x0000000000400000-0x0000000000418000-memory.dmp family_stormkitty behavioral1/memory/2080-21-0x0000000000400000-0x0000000000418000-memory.dmp family_stormkitty -
A310logger Executable 6 IoCs
resource yara_rule behavioral1/memory/2080-31-0x0000000000400000-0x0000000000418000-memory.dmp a310logger behavioral1/memory/2080-29-0x0000000000400000-0x0000000000418000-memory.dmp a310logger behavioral1/memory/2080-27-0x0000000000400000-0x0000000000418000-memory.dmp a310logger behavioral1/memory/2080-23-0x0000000000400000-0x0000000000418000-memory.dmp a310logger behavioral1/memory/2080-21-0x0000000000400000-0x0000000000418000-memory.dmp a310logger behavioral1/files/0x000e0000000146dc-101.dat a310logger -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2108 set thread context of 2360 2108 41c3b05debb26645393a5c7253f28e77.exe 28 PID 2360 set thread context of 2096 2360 41c3b05debb26645393a5c7253f28e77.exe 29 PID 2360 set thread context of 2712 2360 41c3b05debb26645393a5c7253f28e77.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2360 41c3b05debb26645393a5c7253f28e77.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2108 41c3b05debb26645393a5c7253f28e77.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2360 41c3b05debb26645393a5c7253f28e77.exe 2360 41c3b05debb26645393a5c7253f28e77.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2108 wrote to memory of 2360 2108 41c3b05debb26645393a5c7253f28e77.exe 28 PID 2108 wrote to memory of 2360 2108 41c3b05debb26645393a5c7253f28e77.exe 28 PID 2108 wrote to memory of 2360 2108 41c3b05debb26645393a5c7253f28e77.exe 28 PID 2108 wrote to memory of 2360 2108 41c3b05debb26645393a5c7253f28e77.exe 28 PID 2108 wrote to memory of 2360 2108 41c3b05debb26645393a5c7253f28e77.exe 28 PID 2360 wrote to memory of 2096 2360 41c3b05debb26645393a5c7253f28e77.exe 29 PID 2360 wrote to memory of 2096 2360 41c3b05debb26645393a5c7253f28e77.exe 29 PID 2360 wrote to memory of 2096 2360 41c3b05debb26645393a5c7253f28e77.exe 29 PID 2360 wrote to memory of 2096 2360 41c3b05debb26645393a5c7253f28e77.exe 29 PID 2360 wrote to memory of 2096 2360 41c3b05debb26645393a5c7253f28e77.exe 29 PID 2360 wrote to memory of 2096 2360 41c3b05debb26645393a5c7253f28e77.exe 29 PID 2360 wrote to memory of 2096 2360 41c3b05debb26645393a5c7253f28e77.exe 29 PID 2360 wrote to memory of 2096 2360 41c3b05debb26645393a5c7253f28e77.exe 29 PID 2360 wrote to memory of 2712 2360 41c3b05debb26645393a5c7253f28e77.exe 32 PID 2360 wrote to memory of 2712 2360 41c3b05debb26645393a5c7253f28e77.exe 32 PID 2360 wrote to memory of 2712 2360 41c3b05debb26645393a5c7253f28e77.exe 32 PID 2360 wrote to memory of 2712 2360 41c3b05debb26645393a5c7253f28e77.exe 32 PID 2360 wrote to memory of 2712 2360 41c3b05debb26645393a5c7253f28e77.exe 32 PID 2360 wrote to memory of 2712 2360 41c3b05debb26645393a5c7253f28e77.exe 32 PID 2360 wrote to memory of 2712 2360 41c3b05debb26645393a5c7253f28e77.exe 32 PID 2360 wrote to memory of 2712 2360 41c3b05debb26645393a5c7253f28e77.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe"C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe"C:\Users\Admin\AppData\Local\Temp\41c3b05debb26645393a5c7253f28e77.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵PID:2096
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵PID:2712
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵PID:2080
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵PID:1856
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD502031dac40cf01757ab304d7b3f87735
SHA19d0714c5a464fab578d6bc068cfc1088e9e426e0
SHA2562a4aebaa5470e8f20b28a1e9a028894fdd0e32c7275ceac79f3671372ce842ff
SHA5123275f656df052c4be33e685a48dc915561eca460dfd9b36ad79a1c5c51ad9e566861549a964a02c21b33b8bf4ef80140ff20132f8f6e1ffb134c132453dbf14b
-
Filesize
59KB
MD552a468d9828839b86863cc84d42b7138
SHA17a2ecc7bed634dfaaf15f3b9de855fe0c731158a
SHA256e6241a5a49dfcbb8cecfafe7d60461dc4da4433e85ef1308613d7af70f0fdd4d
SHA512f346ce1906f4fcf8b6eb64b8ee60a498b9da901b29fb8820824f4431de9dc7a553474b1aa54602b420d759b3c4319b21bf5219a03c0667be33289f854ea61f04
-
Filesize
55KB
MD5cdd8eb52e9041b27568f467ffbc8bb9f
SHA1897d2c873636e235e2b2a7cd00f9a9ca39858c46
SHA256fac78fb97137e27b7ac5851b6de766515e964bf183034a16ac111ba6aef1acdb
SHA5121f6c4f63058debba539980ffdd4bc5f6db1eef53001d88d065b67ecff77e77a3c173d53ce42eaa7a0c760282973af98f774c89800a6bafbf581f7466539c6d03
-
Filesize
20KB
MD51bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533