Analysis
- max time kernel: 169s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
- submitted: 17-04-2024 14:55
- Static task: static1
- Behavioral task: behavioral1
  Sample: c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
  Resource: win10v2004-20240412-en
General
- Target: c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
- Size: 980KB
- MD5: f5314596dce7444d09432a391bf7f669
- SHA1: b1186e0501078a510ad0a4af1bbefc2f7f9dee5c
- SHA256: c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be
- SHA512: 0b45253fcaafbd9b5d4d10e8f7a313a46ea99cff8b9455e884db5f378e41578faab769beaddfb8fee81d72c46131cb7e967fe5e421053902ba190dff800e97f8
- SSDEEP: 24576:3TbBv5rUEFP5eAsXpp3q1BGa6mXcqIAXiAZfzI6u:RBfP5vCAKLAXiAZs
Malware Config
Extracted
- asyncrat
- Default
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload 2 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/4916-73-0x0000000000D70000-0x0000000001D70000-memory.dmp | family_stormkitty
  behavioral2/memory/4916-74-0x0000000000D70000-0x0000000000DA0000-memory.dmp | family_stormkitty
- Checks computer location settings 2 TTPs 2 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation | c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation | WScript.exe
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  3096 | swbglvlssx.bmp
- Drops desktop.ini file(s) 8 IoCs
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\b9bc7084975ee05e71a887511fd8e822\Admin@GYXYZBUQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | RegSvcs.exe
  File opened for modification | C:\Users\Admin\AppData\Local\b9bc7084975ee05e71a887511fd8e822\Admin@GYXYZBUQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | RegSvcs.exe
  File opened for modification | C:\Users\Admin\AppData\Local\b9bc7084975ee05e71a887511fd8e822\Admin@GYXYZBUQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | RegSvcs.exe
  File created | C:\Users\Admin\AppData\Local\b9bc7084975ee05e71a887511fd8e822\Admin@GYXYZBUQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | RegSvcs.exe
  File created | C:\Users\Admin\AppData\Local\b9bc7084975ee05e71a887511fd8e822\Admin@GYXYZBUQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | RegSvcs.exe
  File created | C:\Users\Admin\AppData\Local\b9bc7084975ee05e71a887511fd8e822\Admin@GYXYZBUQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | RegSvcs.exe
  File created | C:\Users\Admin\AppData\Local\b9bc7084975ee05e71a887511fd8e822\Admin@GYXYZBUQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | RegSvcs.exe
  File created | C:\Users\Admin\AppData\Local\b9bc7084975ee05e71a887511fd8e822\Admin@GYXYZBUQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | RegSvcs.exe
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  42 | icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
  description | pid | process | target process
  PID 3096 set thread context of 4916 | 3096 | swbglvlssx.bmp | RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | RegSvcs.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RegSvcs.exe
- Gathers network information 2 TTPs 2 IoCs
  Uses commandline utility to view network configuration.
  Processes:
  pid | process
  2492 | ipconfig.exe
  4852 | ipconfig.exe
- Modifies registry class 1 IoCs
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000_Classes\Local Settings | c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
- Suspicious behavior: EnumeratesProcesses 41 IoCs
  Processes:
  pid | process | entries
  3096 | swbglvlssx.bmp | 12
  4916 | RegSvcs.exe | 29
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4916 | RegSvcs.exe
- Suspicious use of WriteProcessMemory 47 IoCs
  Processes:
  description | pid | process | target process | entries
  PID 3252 wrote to memory of 3712 | 3252 | c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe | WScript.exe | 3
  PID 3712 wrote to memory of 3896 | 3712 | WScript.exe | cmd.exe | 3
  PID 3712 wrote to memory of 1520 | 3712 | WScript.exe | cmd.exe | 3
  PID 3896 wrote to memory of 2492 | 3896 | cmd.exe | ipconfig.exe | 3
  PID 1520 wrote to memory of 3096 | 1520 | cmd.exe | swbglvlssx.bmp | 3
  PID 3712 wrote to memory of 4620 | 3712 | WScript.exe | cmd.exe | 3
  PID 3096 wrote to memory of 4916 | 3096 | swbglvlssx.bmp | RegSvcs.exe | 3
  PID 4620 wrote to memory of 4852 | 4620 | cmd.exe | ipconfig.exe | 3
  PID 3096 wrote to memory of 4916 | 3096 | swbglvlssx.bmp | RegSvcs.exe | 2
  PID 4916 wrote to memory of 3508 | 4916 | RegSvcs.exe | cmd.exe | 3
  PID 3508 wrote to memory of 3660 | 3508 | cmd.exe | chcp.com | 3
  PID 3508 wrote to memory of 4516 | 3508 | cmd.exe | netsh.exe | 3
  PID 3508 wrote to memory of 2412 | 3508 | cmd.exe | findstr.exe | 3
  PID 4916 wrote to memory of 3744 | 4916 | RegSvcs.exe | cmd.exe | 3
  PID 3744 wrote to memory of 1252 | 3744 | cmd.exe | chcp.com | 3
  PID 3744 wrote to memory of 1004 | 3744 | cmd.exe | netsh.exe | 3
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xikg.vbe"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /release
        Signatures: Gathers network information
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c swbglvlssx.bmp vcpadlxuao.dat
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\RarSFX0\swbglvlssx.bmp
        Command line: swbglvlssx.bmp vcpadlxuao.dat
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Signatures: Drops desktop.ini file(s); Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - [depth 6] C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            Signatures: Suspicious use of WriteProcessMemory
            - [depth 7] C:\Windows\SysWOW64\chcp.com
              Command line: chcp 65001
            - [depth 7] C:\Windows\SysWOW64\netsh.exe
              Command line: netsh wlan show profile
            - [depth 7] C:\Windows\SysWOW64\findstr.exe
              Command line: findstr All
          - [depth 6] C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            Signatures: Suspicious use of WriteProcessMemory
            - [depth 7] C:\Windows\SysWOW64\chcp.com
              Command line: chcp 65001
            - [depth 7] C:\Windows\SysWOW64\netsh.exe
              Command line: netsh wlan show networks mode=bssid
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /renew
        Signatures: Gathers network information
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\03c164f6b151f39fecacc790fef4edc5\msgid.dat
  Filesize: 4B
  MD5: 7c4ede33a62160a19586f6e26eaefacf
  SHA1: db8770342fdf063d3128150901ea357f68bb9001
  SHA256: 41e32284df1a73272655a26bfe6d4919ed6504972cc47461330a26e90cd9ddc3
  SHA512: 6d7f64fcddff389eb6251671e1c53d761e0d21b0e7a4fe4c872ed60f80f11fa97f18b5799435da306820cbf33dc88d94f0e6a707bcc834051101230f752be974
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\anrpi.3gp
  Filesize: 36KB
  MD5: 406db994bb11c5320a6d2780c8af9419
  SHA1: 10503f33ae662a8eb92dc3198ffc074cc736b24c
  SHA256: ee4366252ab52d6c079246c14d9407457a91a64065816ac2c26acc2582c41fd2
  SHA512: 1a5e66f74f7112e2e0cdec4d5e997c02656efb0182b1c1aa292437eb711046c3b110a8adb548d603f17d67c764b1aa5f189408050cc6478ad38bcfe238342e72
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwjwmi.lsc
  Filesize: 292KB
  MD5: 042b73b18e96dd8e5848507d7ac60ddc
  SHA1: cc789c7fca70c7a2cb3666a4c691cfafa74f3cb2
  SHA256: d5f12fabd9bab67d33cf3e26a325c7f720dc9d58b505605c5b17a2e26b7b7437
  SHA512: 8c9bd44c14960f587abc387fe817be479e02c2b7c503b849d441101f2f248460d0452040f646c1832b19a5690db47b43687250e295835abe7cee4900f0768969
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\swbglvlssx.bmp
  Filesize: 925KB
  MD5: 0adb9b817f1df7807576c2d7068dd931
  SHA1: 4a1b94a9a5113106f40cd8ea724703734d15f118
  SHA256: 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
  SHA512: 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcpadlxuao.dat
  Filesize: 93.6MB
  MD5: aa1915f975679c2099d0a9fdacabfd85
  SHA1: 6fa5f8a05ad8b06b4a4464560c669c1067cb8f4a
  SHA256: 48842b595e9dfa512f008c6d77520c4cfdea84c16336a2f1c5003f1964b0d8da
  SHA512: 67b016129ec10111c81f25f922369eaae486437ad6614f5cfb0339e260d29f2e27010f0ec14addd2d7aa8212bfa783740f9989284ee175524da349a1b198ad9b
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xikg.vbe
  Filesize: 71KB
  MD5: 5ae9f9fdd5c7d683b7f9f2ea276b2fb7
  SHA1: a71eed0968de9caf7636a1c81322f27588af0546
  SHA256: b1b3fd9a4ae874afe1ac1af617d6e7210dfe831a9057bbebdf74f3086f5af8b1
  SHA512: 49343720b71d35fd28d0567b751a01e0d504204845930caa0cec3879f95c056703894e0579fd4d7f75c763f382323b66f259c6a3c1959b26b7a0a44316f50f2b
- C:\Users\Admin\AppData\Local\b9bc7084975ee05e71a887511fd8e822\Admin@GYXYZBUQ_en-US\System\Process.txt
  Filesize: 4KB
  MD5: e36752f1bb132552c7b7d08eb5b6ff18
  SHA1: a6a8e2719d5ec3c4d803c369a3cedb301323b1a8
  SHA256: 4d6c7d7f0a60ee48c38737ac83313cc5b0f6868db0f99b28c35d228a31fa737c
  SHA512: 6c245771ee67ffbc8e411fb81a5f7e31c01a7931713e6014e51c3c6a8077d56b7a543ecb17cf48bee80883bf1a94b901475b7b4c4f40c291d157b335bbfa5703
- memory/4916-171-0x00000000728B0000-0x0000000073060000-memory.dmp
  Filesize: 7.7MB
- memory/4916-76-0x000000000D0C0000-0x000000000D0D0000-memory.dmp
  Filesize: 64KB
- memory/4916-104-0x000000000D440000-0x000000000D4A6000-memory.dmp
  Filesize: 408KB
- memory/4916-75-0x00000000728B0000-0x0000000073060000-memory.dmp
  Filesize: 7.7MB
- memory/4916-205-0x000000000D0C0000-0x000000000D0D0000-memory.dmp
  Filesize: 64KB
- memory/4916-74-0x0000000000D70000-0x0000000000DA0000-memory.dmp
  Filesize: 192KB
- memory/4916-248-0x000000000D0C0000-0x000000000D0D0000-memory.dmp
  Filesize: 64KB
- memory/4916-250-0x000000000DFB0000-0x000000000E042000-memory.dmp
  Filesize: 584KB
- memory/4916-251-0x000000000E600000-0x000000000EBA4000-memory.dmp
  Filesize: 5.6MB
- memory/4916-255-0x000000000E0B0000-0x000000000E0BA000-memory.dmp
  Filesize: 40KB
- memory/4916-73-0x0000000000D70000-0x0000000001D70000-memory.dmp
  Filesize: 16.0MB
- memory/4916-261-0x000000000D870000-0x000000000D882000-memory.dmp
  Filesize: 72KB
- memory/4916-286-0x000000000D0C0000-0x000000000D0D0000-memory.dmp
  Filesize: 64KB