Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 14:55

Static task: static1

Behavioral task: behavioral1
- Sample: c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
- Resource: win10v2004-20240412-en
General
- Target: c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
- Size: 980KB
- MD5: f5314596dce7444d09432a391bf7f669
- SHA1: b1186e0501078a510ad0a4af1bbefc2f7f9dee5c
- SHA256: c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be
- SHA512: 0b45253fcaafbd9b5d4d10e8f7a313a46ea99cff8b9455e884db5f378e41578faab769beaddfb8fee81d72c46131cb7e967fe5e421053902ba190dff800e97f8
- SSDEEP: 24576:3TbBv5rUEFP5eAsXpp3q1BGa6mXcqIAXiAZfzI6u:RBfP5vCAKLAXiAZs
Malware Config
Extracted: asyncrat (Default)
- C2 hosts: 127.0.0.1:6606, 127.0.0.1:7707, 127.0.0.1:8808
- Telegram URL: https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (4 IoCs)
Processes (resource: yara_rule):
- behavioral1/memory/372-77-0x0000000001170000-0x0000000002170000-memory.dmp: family_stormkitty
- behavioral1/memory/372-79-0x0000000001170000-0x0000000002170000-memory.dmp: family_stormkitty
- behavioral1/memory/372-81-0x0000000001170000-0x0000000002170000-memory.dmp: family_stormkitty
- behavioral1/memory/372-82-0x0000000001170000-0x00000000011A0000-memory.dmp: family_stormkitty
Executes dropped EXE (1 IoC)
Processes:
- PID 1300: swbglvlssx.bmp

Loads dropped DLL (1 IoC)
Processes:
- PID 3052: cmd.exe
Drops desktop.ini file(s) (6 IoCs)
Processes (all by RegSvcs.exe):
- File opened for modification: C:\Users\Admin\AppData\Local\6187b61fb25af42b5650a81361798a51\Admin@KXIPPCKF_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
- File created: C:\Users\Admin\AppData\Local\6187b61fb25af42b5650a81361798a51\Admin@KXIPPCKF_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini
- File created: C:\Users\Admin\AppData\Local\6187b61fb25af42b5650a81361798a51\Admin@KXIPPCKF_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
- File created: C:\Users\Admin\AppData\Local\6187b61fb25af42b5650a81361798a51\Admin@KXIPPCKF_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Local\6187b61fb25af42b5650a81361798a51\Admin@KXIPPCKF_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
- File created: C:\Users\Admin\AppData\Local\6187b61fb25af42b5650a81361798a51\Admin@KXIPPCKF_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 4: icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1300 (swbglvlssx.bmp) set thread context of PID 372 (RegSvcs.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- RegSvcs.exe: Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
- RegSvcs.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
Processes:
- PID 1916: ipconfig.exe
- PID 2668: ipconfig.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
- PID 1300 swbglvlssx.bmp (6 events)
- PID 372 RegSvcs.exe (9 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- PID 372 RegSvcs.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (parent PID wrote to memory of child PID; number of recorded events in parentheses):
- 1400 c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe -> 2504 WScript.exe (4)
- 2504 WScript.exe -> 2796 cmd.exe (4)
- 2504 WScript.exe -> 3052 cmd.exe (4)
- 2796 cmd.exe -> 1916 ipconfig.exe (4)
- 3052 cmd.exe -> 1300 swbglvlssx.bmp (4)
- 2504 WScript.exe -> 2188 cmd.exe (4)
- 2188 cmd.exe -> 2668 ipconfig.exe (4)
- 1300 swbglvlssx.bmp -> 372 RegSvcs.exe (9)
- 372 RegSvcs.exe -> 1616 cmd.exe (4)
- 1616 cmd.exe -> 2880 chcp.com (4)
- 1616 cmd.exe -> 880 netsh.exe (4)
- 1616 cmd.exe -> 1112 findstr.exe (4)
- 372 RegSvcs.exe -> 1752 cmd.exe (4)
- 1752 cmd.exe -> 2060 chcp.com (4)
- 1752 cmd.exe -> 1384 netsh.exe (3)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xikg.vbe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /release
        - Gathers network information
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c swbglvlssx.bmp vcpadlxuao.dat
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\RarSFX0\swbglvlssx.bmp
        Command line: swbglvlssx.bmp vcpadlxuao.dat
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          - Drops desktop.ini file(s)
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\SysWOW64\chcp.com
              Command line: chcp 65001
            - [7] C:\Windows\SysWOW64\netsh.exe
              Command line: netsh wlan show profile
            - [7] C:\Windows\SysWOW64\findstr.exe
              Command line: findstr All
          - [6] C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\SysWOW64\chcp.com
              Command line: chcp 65001
            - [7] C:\Windows\SysWOW64\netsh.exe
              Command line: netsh wlan show networks mode=bssid
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /renew
        - Gathers network information
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Dropped and downloaded files (path, size):
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (68KB)
- C:\Users\Admin\AppData\Local\88aae9043eb411c41390c3c6f32b12ab\msgid.dat (1B)
- C:\Users\Admin\AppData\Local\Temp\Cab4543.tmp (65KB)
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\anrpi.3gp (36KB)
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwjwmi.lsc (292KB)
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcpadlxuao.dat (93.6MB)
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xikg.vbe (71KB)
- C:\Users\Admin\AppData\Local\Temp\Tar5284.tmp (177KB)
- \Users\Admin\AppData\Local\Temp\RarSFX0\swbglvlssx.bmp (925KB)

Memory dumps of PID 372 (region, size):
- memory/372-82-0x0000000001170000-0x00000000011A0000-memory.dmp (192KB)
- memory/372-81-0x0000000001170000-0x0000000002170000-memory.dmp (16.0MB)
- memory/372-83-0x0000000073100000-0x00000000737EE000-memory.dmp (6.9MB)
- memory/372-84-0x0000000000D20000-0x0000000000D60000-memory.dmp (256KB)
- memory/372-179-0x0000000000D20000-0x0000000000D60000-memory.dmp (256KB)
- memory/372-183-0x0000000073100000-0x00000000737EE000-memory.dmp (6.9MB)
- memory/372-184-0x0000000000D20000-0x0000000000D60000-memory.dmp (256KB)
- memory/372-79-0x0000000001170000-0x0000000002170000-memory.dmp (16.0MB)
- memory/372-77-0x0000000001170000-0x0000000002170000-memory.dmp (16.0MB)
- memory/372-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (4KB)
- memory/372-74-0x0000000001170000-0x0000000002170000-memory.dmp (16.0MB)
- memory/372-267-0x0000000000D20000-0x0000000000D60000-memory.dmp (256KB)