Analysis
-
max time kernel
158s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
20-03-2024 12:03
General
-
Target
Serverv1.exe
-
Size
175KB
-
MD5
86ec635a29a4c13bd3d32d34ec028efe
-
SHA1
c5ab23555b3921ae012aa945b9f1bb72dbd6fd59
-
SHA256
e25817f6fe634b116ec878c734495b848b68a56a12cb43181bc07d9da3be3835
-
SHA512
567e186c9f47bbf58114337e5bc2b696d2e65c93269b77cf60dc94f487b3c082196b30992d4992c2eee9dc9a59e7d0024d6bd2ae64e31e6515e699ff9f5065ea
-
SSDEEP
3072:2e8oX8Sb5KcXrtkkXmf/bDsvqtU+lLToChAP0UZ0b2gT1wAqE+Wpor:XXtb5KcXr7XmfgqtjhAxZ0b26
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6959532402:AAG6PUhEHO5sJn075QDj3pF3kOIEoYH6CpY/sendMessage?chat_id=6075361534
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1704-0-0x0000000000740000-0x0000000000772000-memory.dmp family_stormkitty -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 10 IoCs
Processes:
Serverv1.exedescription ioc process File created C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini Serverv1.exe File opened for modification C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini Serverv1.exe File created C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini Serverv1.exe File opened for modification C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini Serverv1.exe File created C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini Serverv1.exe File created C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini Serverv1.exe File opened for modification C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini Serverv1.exe File created C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini Serverv1.exe File opened for modification C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini Serverv1.exe File created C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini Serverv1.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 85 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Serverv1.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Serverv1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Serverv1.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
Serverv1.exepid process 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe 1704 Serverv1.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Serverv1.exesvchost.exedescription pid process Token: SeDebugPrivilege 1704 Serverv1.exe Token: SeManageVolumePrivilege 936 svchost.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
Serverv1.execmd.execmd.exedescription pid process target process PID 1704 wrote to memory of 3048 1704 Serverv1.exe cmd.exe PID 1704 wrote to memory of 3048 1704 Serverv1.exe cmd.exe PID 1704 wrote to memory of 3048 1704 Serverv1.exe cmd.exe PID 3048 wrote to memory of 3916 3048 cmd.exe chcp.com PID 3048 wrote to memory of 3916 3048 cmd.exe chcp.com PID 3048 wrote to memory of 3916 3048 cmd.exe chcp.com PID 3048 wrote to memory of 2868 3048 cmd.exe netsh.exe PID 3048 wrote to memory of 2868 3048 cmd.exe netsh.exe PID 3048 wrote to memory of 2868 3048 cmd.exe netsh.exe PID 3048 wrote to memory of 3468 3048 cmd.exe findstr.exe PID 3048 wrote to memory of 3468 3048 cmd.exe findstr.exe PID 3048 wrote to memory of 3468 3048 cmd.exe findstr.exe PID 1704 wrote to memory of 5016 1704 Serverv1.exe cmd.exe PID 1704 wrote to memory of 5016 1704 Serverv1.exe cmd.exe PID 1704 wrote to memory of 5016 1704 Serverv1.exe cmd.exe PID 5016 wrote to memory of 2572 5016 cmd.exe chcp.com PID 5016 wrote to memory of 2572 5016 cmd.exe chcp.com PID 5016 wrote to memory of 2572 5016 cmd.exe chcp.com PID 5016 wrote to memory of 2208 5016 cmd.exe netsh.exe PID 5016 wrote to memory of 2208 5016 cmd.exe netsh.exe PID 5016 wrote to memory of 2208 5016 cmd.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Serverv1.exe"C:\Users\Admin\AppData\Local\Temp\Serverv1.exe"1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:3916
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵PID:2868
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵PID:3468
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:2572
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵PID:2208
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3016
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:2512
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:936
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\System\Process.txt
Filesize4KB
MD510143d6b360f19c15e42c771e4203a52
SHA1ad79d9dc4e51dd353f61f3a34684f467cb9e6cc6
SHA2567a3768c688f25d3cdbc3869512c067f3648660d8275d51c55ed5c1c45f6b2fe8
SHA512a3b86aaa8b69c9fddfcead1622c4c254682922b93264e086944817b8f1e9ada337e45154de3287c7baab0984bd0e2ccb1645e45b8482df7b53fce52e80e80230
-
Filesize
16KB
MD589c891803047aeb46ddbecb96f6aa300
SHA1603c7e1ad219808a6680353fdd7454e16ad695fa
SHA2562b5c6b9a356ee0c721f6faad137e52763e5dba7ce6658fdca7d99edf12644ceb
SHA5120dfb264b9e8ed8ad14a7cb37fb8ee734cc75d8694eec0f5f8ad132bbb796183624bd8ef766da21c691a2a0d45f36057d39d2ef771c62607ee31a1d0fc81f0b28