Analysis
-
max time kernel
151s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
12-02-2024 06:09
General
-
Target
96739a4d394217c2cbd895cf16acc0c8.exe
-
Size
455KB
-
MD5
96739a4d394217c2cbd895cf16acc0c8
-
SHA1
90af83fed1eb2652e133aad4f47f9354287f75a8
-
SHA256
28fe91c48fa8583da9692cbdee3c2c32038d5dc3f8ca7dcd195f74511c1d6a78
-
SHA512
846383b8cd6ff5208c96bf2063faff5c2fa1c1d5d714c11cb30d9aa84ad56f2435f70b2446cfc7006920a4b71dfc568bb36e03d5e8d077db757e673307729955
-
SSDEEP
6144:FpJ+LBFdhgY3AgXUU6EEsgg/nzzYjzZnMUzpVltygvxTUpVP/KW+q9UT95GX:vArdGPqSENgg/KRpT/vxUpMLR5k
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
A310logger Executable 8 IoCs
-
Executes dropped EXE 3 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe"C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe"C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\MZ.exe.logFilesize
128B
MD53d238ac6dd6710907edf2ad7893a0ed2
SHA1b07aaeeb31bdc6e94097a254be088b092dc1fb68
SHA25602d215d5b6ea166e6c4c4669547cbadecbb427d5baf394fbffc7ef374a967501
SHA512c358aa68303aa99ebc019014b4c1fc2fbfa98733f1ea863bf78ca2b877dc5c610121115432d96504df9e43bdda637b067359b07228b6f129bc5ec9a01ed3ee24
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.logFilesize
496B
MD55370d1dff94d27a9a6cfab002a5c444b
SHA1fecadd9e884c57822ebeae897a3989c0e678fd1a
SHA2560ddb4ec9a919c3566a4ab48ce605f24816e6fb2efdd6e4070a54a1f5912ec946
SHA51267a3787e49e7d8ea23b3e1766639b36e685cf404042bc270f5c43dc0b0f50623778cb98c013577b3a0a3b425b608ff4e944e29df3725425ce6383759fe7534eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exeFilesize
20KB
MD51bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exeFilesize
1KB
MD5538d5c3e683346a221e89d2b73031a48
SHA1a068e14324ba61b478b91806f927f365c5323511
SHA256c9a93abcb4dd3cd7636c06705d6204530bfb12a4abce8c209faf9ed4b5e11f88
SHA512dfad7afeb9dc80ba910413373b84d4a3faa7236b626a9bef5fecdfcd5101ff2c2e2a197b8af238ff671ddcfab75f63543e55e0f222aa0d60cb3836e683d8e888
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exeFilesize
9KB
MD5a4afaa61456d573c55f2cca445767d71
SHA19cd85e295e1e98c9696aa6a34e554ce8ab3fc273
SHA2561b2a30b6ffe8c2010ad4d8b171aa87fbcd99f699f1777e04fef018a81aaaa48e
SHA512ecbc4506dd4a3cdd4d71d89ca43a6960328f14b9b7b74e36747239f04cd4b986b14b90febb4efce031f9b7b28337c9bf83aa063784059e738ebaf733fc0c193b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exeFilesize
5KB
MD546fe20730ffdea3ac1ec630163d180cd
SHA147605cb197c9ae7ba88c0f0eb0c4e9e70aab1b05
SHA2567b389a7f6431ce5c177a74c28bb0767a3bff940fcf64d8c1fca1abcbac08669c
SHA5128cf7258ecac637700f7b4057d79595519cb8eb887cd2103fe8713b11526b8e16eea64ab9e662dedfdddb6cc57405ca2cd1ff35343079d0cabd3faed2ea0808df
-
memory/436-4-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/436-32-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/436-2-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1564-53-0x00000000014F0000-0x0000000001500000-memory.dmpFilesize
64KB
-
memory/1564-52-0x00007FFD9D4C0000-0x00007FFD9DE61000-memory.dmpFilesize
9.6MB
-
memory/1564-55-0x00007FFD9D4C0000-0x00007FFD9DE61000-memory.dmpFilesize
9.6MB
-
memory/1564-54-0x00007FFD9D4C0000-0x00007FFD9DE61000-memory.dmpFilesize
9.6MB
-
memory/2260-73-0x00007FFD9D570000-0x00007FFD9DF11000-memory.dmpFilesize
9.6MB
-
memory/2260-74-0x00007FFD9D570000-0x00007FFD9DF11000-memory.dmpFilesize
9.6MB
-
memory/2540-11-0x0000000001900000-0x0000000001910000-memory.dmpFilesize
64KB
-
memory/2540-10-0x0000000074440000-0x00000000749F1000-memory.dmpFilesize
5.7MB
-
memory/2540-31-0x0000000074440000-0x00000000749F1000-memory.dmpFilesize
5.7MB
-
memory/2540-8-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2540-9-0x0000000074440000-0x00000000749F1000-memory.dmpFilesize
5.7MB
-
memory/3064-29-0x00007FFD9D980000-0x00007FFD9E321000-memory.dmpFilesize
9.6MB
-
memory/3064-27-0x00007FFD9D980000-0x00007FFD9E321000-memory.dmpFilesize
9.6MB
-
memory/3064-23-0x00007FFD9D980000-0x00007FFD9E321000-memory.dmpFilesize
9.6MB
-
memory/3064-24-0x0000000001880000-0x0000000001890000-memory.dmpFilesize
64KB
-
memory/3716-60-0x00000000014B0000-0x00000000014C0000-memory.dmpFilesize
64KB
-
memory/3716-61-0x0000000074150000-0x0000000074701000-memory.dmpFilesize
5.7MB
-
memory/3716-59-0x0000000074150000-0x0000000074701000-memory.dmpFilesize
5.7MB
-
memory/3716-75-0x0000000074150000-0x0000000074701000-memory.dmpFilesize
5.7MB
-
memory/4412-0-0x0000000000230000-0x0000000000270000-memory.dmpFilesize
256KB
-
memory/4412-1-0x00000000014A0000-0x00000000014A2000-memory.dmpFilesize
8KB
-
memory/4412-5-0x0000000000230000-0x0000000000270000-memory.dmpFilesize
256KB
-
memory/4472-56-0x0000000074150000-0x0000000074701000-memory.dmpFilesize
5.7MB
-
memory/4472-38-0x0000000074150000-0x0000000074701000-memory.dmpFilesize
5.7MB
-
memory/4472-39-0x0000000074150000-0x0000000074701000-memory.dmpFilesize
5.7MB
-
memory/4472-36-0x0000000074150000-0x0000000074701000-memory.dmpFilesize
5.7MB
-
memory/4472-37-0x00000000015B0000-0x00000000015C0000-memory.dmpFilesize
64KB