Analysis
max time kernel: 144s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17-04-2024 14:55
Static task: static1
Behavioral task: behavioral1
  Sample: 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
  Resource: win10v2004-20240412-en
The signatures, process tree and dropped files below are from behavioral1 (Windows 7 x64); the behavioral2 (Windows 10) run is not reproduced on this page.
General
Target: 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
Size: 990KB
MD5: 3183ce80b52497d71f3f036141413c53
SHA1: 079ea02e9ef218b2cbc4e4f99d1d904e739f8f59
SHA256: 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213
SHA512: d943eeba0795e38cf1a6951a2ff412e690dae8fd3f02718497797584e8e87936743fee129e5b6ac7bc0cf17ad7f3807147a28882e0b91552e2273aa2a5022d87
SSDEEP: 24576:mTbBv5rUSvFpiZA9fuBGa6mXcqIAXiAZfzI6q:YBVNpyAFLAXiAZw
Malware Config
Extracted family: asyncrat
Config name: Default
C2 hosts: 127.0.0.1:6606, 127.0.0.1:7707, 127.0.0.1:8808
Telegram endpoint: https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%

Reading the config: all three AsyncRAT hosts are loopback, so this build has no reachable socket C2 at all. The only remote endpoint is the Telegram Bot API URL, which is how StormKitty (the stealer found in memory below) reports its output; the bot token and chat_id in that URL are operator-controlled identifiers and are the most useful network IoCs on this page. install is false, so the AsyncRAT install/persistence routine is disabled and the configured install_folder is never used.
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 5 IoCs
Processes: RegSvcs.exe (PID 2424)
YARA rule family_stormkitty matched in these behavioral1 memory regions:
- memory/2424-70-0x00000000013A0000-0x00000000023A0000-memory.dmp
- memory/2424-72-0x00000000013A0000-0x00000000023A0000-memory.dmp
- memory/2424-74-0x00000000013A0000-0x00000000023A0000-memory.dmp
- memory/2424-75-0x00000000013A0000-0x00000000013D0000-memory.dmp
- memory/2424-77-0x000000000FB10000-0x000000000FB50000-memory.dmp
Every hit is inside RegSvcs.exe, the process the dropped loader writes into (see SetThreadContext below); the report lists no match on the dropped files themselves, so a disk-only YARA scan of the RarSFX0 contents would not identify the family.
-
Executes dropped EXE 1 IoCs
Processes: PID 1852 bexoqmp.msc
-
Loads dropped DLL 1 IoCs
Processes: PID 2816 cmd.exe
Drops desktop.ini file(s) 5 IoCs
Processes: RegSvcs.exe (PID 2424)
- File created C:\Users\Admin\AppData\Local\2315534462a64d82d5b19a8f42ac53e5\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
- File created C:\Users\Admin\AppData\Local\2315534462a64d82d5b19a8f42ac53e5\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
- File created C:\Users\Admin\AppData\Local\2315534462a64d82d5b19a8f42ac53e5\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
- File opened for modification C:\Users\Admin\AppData\Local\2315534462a64d82d5b19a8f42ac53e5\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
- File created C:\Users\Admin\AppData\Local\2315534462a64d82d5b19a8f42ac53e5\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini
The desktop.ini writes are a side effect of the stealer's file grabber copying whole profile folders (Documents, Desktop, Downloads, Pictures) into a staging tree that mirrors the victim's drive. The staging root is a random 32-hex directory under %LocalAppData%, with a <user>@<host>_<locale> folder (here Admin@HKULBIBU_en-US) beneath it; that layout is a better hunting key than the desktop.ini files themselves.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes: flow 4 -> icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: PID 1852 (bexoqmp.msc) set thread context of PID 2424 (RegSvcs.exe)
Combined with the nine WriteProcessMemory events from 1852 into 2424 listed below and the fact that RegSvcs.exe was launched with no arguments (a legitimate invocation always names an assembly), this is consistent with process hollowing: the dropped loader hosts the stealer inside a signed .NET framework utility, which is why the StormKitty YARA hits are in 2424 rather than in the loader.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: RegSvcs.exe (PID 2424)
- Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
On its own this read is also what an ordinary system-fingerprinting routine performs, so treat it as weak evidence of evasion; the sample ran to completion in this environment regardless.
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes: PID 1688 ipconfig.exe, PID 1516 ipconfig.exe (ipconfig /release and ipconfig /renew; see the process tree)
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes: PID 1852 bexoqmp.msc (6 events), PID 2424 RegSvcs.exe (9 events)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: RegSvcs.exe (PID 2424) enabled Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory 64 IoCs
The 64 events collapse to the parent/child edges below (count = WriteProcessMemory events on that edge). Each ordinary process launch in this run shows up as four writes, so the nine writes from 1852 into 2424 are the outlier that marks the injection target.
source PID (image) -> target PID (image): count
1640 (8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe) -> 2504 (WScript.exe): 4
2504 (WScript.exe) -> 2800 (cmd.exe): 4
2504 (WScript.exe) -> 2816 (cmd.exe): 4
2800 (cmd.exe) -> 1688 (ipconfig.exe): 4
2816 (cmd.exe) -> 1852 (bexoqmp.msc): 4
1852 (bexoqmp.msc) -> 2424 (RegSvcs.exe): 9
2504 (WScript.exe) -> 2116 (cmd.exe): 4
2116 (cmd.exe) -> 1516 (ipconfig.exe): 4
2424 (RegSvcs.exe) -> 2732 (cmd.exe): 4
2732 (cmd.exe) -> 2848 (chcp.com): 4
2732 (cmd.exe) -> 712 (netsh.exe): 4
2732 (cmd.exe) -> 1160 (findstr.exe): 4
2424 (RegSvcs.exe) -> 2620 (cmd.exe): 4
2620 (cmd.exe) -> 356 (chcp.com): 4
2620 (cmd.exe) -> 832 (netsh.exe): 3 (the listing stops at the 64-IoC display cap)
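The staging-directory pattern from the "Drops desktop.ini" signature can be turned into a hunt over file-create telemetry. The following is an added example, not code from this report or from the StormKitty project. FILE_EVENTS is constructed by hand from the IoCs above (the writer of msgid.dat is not stated in the report and is assumed to be RegSvcs.exe; the explorer.exe line is a benign control). The (process, path) event layout, the regular expressions and the function names are this example's own conventions; the generic 32-hex-directory check deliberately goes beyond the Grabber layout so that it also catches the second staging directory seen in the Downloads list.

```python
"""Find an info-stealer's local staging directory in file-create events.

Added example; not code from the original report or from StormKitty.
FILE_EVENTS is constructed from the "Drops desktop.ini" IoCs and the
Downloads list (writer of msgid.dat assumed; explorer.exe line is a control).
"""
import re
from collections import defaultdict

# Generic: any 32-hex directory created directly under %LocalAppData%.
HEXDIR_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\[0-9a-f]{32})\\", re.I)

# Layout seen in the report: <root>\<user>@<host>_<locale>\Grabber\DRIVE-<X>\<original path>
GRABBER_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\[0-9a-f]{32})\\"
    r"(?P<user>[^\\@]+)@(?P<host>[^\\_]+)_(?P<locale>[A-Za-z]{2}-[A-Za-z]{2})\\"
    r"Grabber\\DRIVE-(?P<drive>[A-Za-z])\\(?P<rel>.+)$")

ROOT = r"C:\Users\Admin\AppData\Local\2315534462a64d82d5b19a8f42ac53e5"
GRAB = ROOT + r"\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin"

# Constructed from the report: (writing process, created path).
FILE_EVENTS = [
    ("RegSvcs.exe", GRAB + r"\Documents\desktop.ini"),
    ("RegSvcs.exe", GRAB + r"\Desktop\desktop.ini"),
    ("RegSvcs.exe", GRAB + r"\Downloads\desktop.ini"),
    ("RegSvcs.exe", GRAB + r"\Pictures\desktop.ini"),
    ("RegSvcs.exe",  # writer assumed; the report does not attribute this file
     r"C:\Users\Admin\AppData\Local\6d9b744fe16486be68128b365ceb222e\msgid.dat"),
    ("explorer.exe", r"C:\Users\Admin\Documents\notes.txt"),  # benign control line
]


def hex_named_roots(events):
    """Map each 32-hex %LocalAppData% directory that received writes to the
    processes that wrote there. Needs no knowledge of the Grabber layout."""
    roots = defaultdict(set)
    for proc, path in events:
        m = HEXDIR_RE.match(path)
        if m:
            roots[m["root"]].add(proc)
    return dict(roots)


def staging_summary(events):
    """For Grabber-layout writes, return per staging root: the writing
    process, the victim tag, the drives mirrored and the profile folders
    copied (first component after Users\\<name>\\)."""
    out = {}
    for proc, path in events:
        m = GRABBER_RE.match(path)
        if not m:
            continue
        victim = f"{m['user']}@{m['host']}_{m['locale']}"
        entry = out.setdefault(m["root"], {"process": proc, "victim": victim,
                                           "drives": set(), "folders": set()})
        entry["drives"].add(m["drive"].upper())
        parts = m["rel"].split("\\")
        if len(parts) >= 3 and parts[0].lower() == "users":
            entry["folders"].add(parts[2])
    return out


if __name__ == "__main__":
    for root, procs in hex_named_roots(FILE_EVENTS).items():
        print(f"hex-named dir {root} written by {sorted(procs)}")
    for root, info in staging_summary(FILE_EVENTS).items():
        print(f"grabber root {root}: victim={info['victim']} "
              f"drives={sorted(info['drives'])} folders={sorted(info['folders'])}")
```

Run against real EDR file-create events, the generic check fires on both staging directories here while a rule keyed only on desktop.ini would not; the Grabber summary then tells you which profile folders were actually collected for the victim tag.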
Processes
Process tree from behavioral1. Indentation and the depth number show parent/child; PIDs are taken from the signature section above. The first line of each entry is the image actually loaded, "cmdline" is the command line as launched.

1⤵ C:\Users\Admin\AppData\Local\Temp\8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe  [PID 1640]
   cmdline: "C:\Users\Admin\AppData\Local\Temp\8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe"
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Windows\SysWOW64\WScript.exe  [PID 2504]
     cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\drcb.vbe"
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\SysWOW64\cmd.exe  [PID 2800]
       cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release
       - Suspicious use of WriteProcessMemory
      4⤵ C:\Windows\SysWOW64\ipconfig.exe  [PID 1688]
         cmdline: ipconfig /release
         - Gathers network information
    3⤵ C:\Windows\SysWOW64\cmd.exe  [PID 2816]
       cmdline: "C:\Windows\System32\cmd.exe" /c bexoqmp.msc upowiq.pdf
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory
      4⤵ C:\Users\Admin\AppData\Local\Temp\RarSFX0\bexoqmp.msc  [PID 1852]
         cmdline: bexoqmp.msc upowiq.pdf
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
        5⤵ C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  [PID 2424]
           cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
           - Drops desktop.ini file(s)
           - Checks processor information in registry
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
          6⤵ C:\Windows\SysWOW64\cmd.exe  [PID 2732]
             cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
             - Suspicious use of WriteProcessMemory
            7⤵ C:\Windows\SysWOW64\chcp.com  [PID 2848]
               cmdline: chcp 65001
            7⤵ C:\Windows\SysWOW64\netsh.exe  [PID 712]
               cmdline: netsh wlan show profile
            7⤵ C:\Windows\SysWOW64\findstr.exe  [PID 1160]
               cmdline: findstr All
          6⤵ C:\Windows\SysWOW64\cmd.exe  [PID 2620]
             cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
             - Suspicious use of WriteProcessMemory
            7⤵ C:\Windows\SysWOW64\chcp.com  [PID 356]
               cmdline: chcp 65001
            7⤵ C:\Windows\SysWOW64\netsh.exe  [PID 832]
               cmdline: netsh wlan show networks mode=bssid
    3⤵ C:\Windows\SysWOW64\cmd.exe  [PID 2116]
       cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
       - Suspicious use of WriteProcessMemory
      4⤵ C:\Windows\SysWOW64\ipconfig.exe  [PID 1516]
         cmdline: ipconfig /renew
         - Gathers network information

Reading the tree:
- The submitted file is a WinRAR self-extracting archive: its contents are unpacked to %Temp%\RarSFX0 and the SFX setup script runs drcb.vbe through WScript.exe.
- The VBE script releases the DHCP lease, launches bexoqmp.msc (a 925KB PE under a non-executable extension) with the 73.4MB upowiq.pdf as its only argument, and renews the lease once the payload is running. Commands run from this script carry the full System32 path, the later ones spawned by the stealer carry a bare "cmd.exe".
- bexoqmp.msc starts RegSvcs.exe with no arguments and is the source of the SetThreadContext event and the nine WriteProcessMemory events into it, i.e. the .NET utility is the hollowed host for StormKitty.
- RegSvcs.exe, now running the stealer, runs chcp 65001 so that netsh output comes back as UTF-8 and can be parsed, then dumps saved Wi-Fi profiles (netsh wlan show profile | findstr All) and nearby access points (netsh wlan show networks mode=bssid). No per-profile key=clear call follows, which is what you would expect on a sandbox VM with no saved WLAN profiles; on a real host the profile dump is normally followed by one.
- Every image path is under SysWOW64 even though the command lines say System32, and RegSvcs.exe comes from Framework rather than Framework64: the whole chain is 32-bit on an x64 VM (the resource tags list both arch:x86 and arch:x64) and WOW64 file-system redirection applies. Detection logic that matches on System32 paths only will miss this tree.
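The three behaviours above (a renamed PE from the SFX staging directory, hollowing of an argument-less .NET utility, and netsh wlan enumeration attributed back to the real initiator rather than the intermediate cmd.exe) can be checked mechanically over process telemetry. The block below is an added example, not code from this report or from any sandbox vendor. EVENTS and THREAD_CONTEXT_EVENTS are constructed by hand from the process tree and signatures above; the tuple layout (pid, parent pid, image path, command line), the NET_UTILS list and every function name are this example's own assumptions.

```python
"""Triage checks over a sandbox-style process tree.

Added example; not code from the original report or from any sandbox vendor.
EVENTS and THREAD_CONTEXT_EVENTS are constructed from the process tree above.
"""
from collections import defaultdict
import ntpath
import re

# .NET framework utilities commonly used as injection hosts (example's own list).
NET_UTILS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".cpl"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
WLAN_RE = re.compile(r"\bnetsh\s+wlan\s+show\s+(profile|networks)\b", re.I)

SAMPLE = "8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SFX = ntpath.join(TEMP, "RarSFX0")            # WinRAR SFX staging directory
WOW = r"C:\Windows\SysWOW64"                  # 32-bit images on the x64 VM
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed from the report's process tree: (pid, ppid, image, command line).
EVENTS = [
    (1640, None, ntpath.join(TEMP, SAMPLE), f'"{ntpath.join(TEMP, SAMPLE)}"'),
    (2504, 1640, ntpath.join(WOW, "WScript.exe"),
     r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\drcb.vbe"'),
    (2800, 2504, ntpath.join(WOW, "cmd.exe"), r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'),
    (1688, 2800, ntpath.join(WOW, "ipconfig.exe"), "ipconfig /release"),
    (2816, 2504, ntpath.join(WOW, "cmd.exe"), r'"C:\Windows\System32\cmd.exe" /c bexoqmp.msc upowiq.pdf'),
    (1852, 2816, ntpath.join(SFX, "bexoqmp.msc"), "bexoqmp.msc upowiq.pdf"),
    (2424, 1852, ntpath.join(NET, "RegSvcs.exe"), f'"{ntpath.join(NET, "RegSvcs.exe")}"'),
    (2732, 2424, ntpath.join(WOW, "cmd.exe"), '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    (2848, 2732, ntpath.join(WOW, "chcp.com"), "chcp 65001"),
    (712, 2732, ntpath.join(WOW, "netsh.exe"), "netsh wlan show profile"),
    (1160, 2732, ntpath.join(WOW, "findstr.exe"), "findstr All"),
    (2620, 2424, ntpath.join(WOW, "cmd.exe"), '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    (356, 2620, ntpath.join(WOW, "chcp.com"), "chcp 65001"),
    (832, 2620, ntpath.join(WOW, "netsh.exe"), "netsh wlan show networks mode=bssid"),
    (2116, 2504, ntpath.join(WOW, "cmd.exe"), r'"C:\Windows\System32\cmd.exe" /c ipconfig /renew'),
    (1516, 2116, ntpath.join(WOW, "ipconfig.exe"), "ipconfig /renew"),
]
# (source pid, target pid) from the SetThreadContext signature.
THREAD_CONTEXT_EVENTS = [(1852, 2424)]


def build_tree(events):
    """Index events by pid; each record keeps its ppid for upward walks."""
    return {pid: {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}
            for pid, ppid, image, cmd in events}


def ancestors(procs, pid):
    """Yield parent, grandparent, ... up to the root."""
    ppid = procs[pid]["ppid"]
    while ppid is not None:
        yield procs[ppid]
        ppid = procs[ppid]["ppid"]


def image_name(path):
    return ntpath.basename(path).lower()


def user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def has_args(cmd):
    """True if anything follows the (possibly quoted) program token."""
    cmd = cmd.strip()
    rest = cmd[cmd.find('"', 1) + 1:] if cmd.startswith('"') else cmd.partition(" ")[2]
    return rest.strip() != ""


def hollowed_hosts(procs, thread_ctx):
    """Thread-context writes from a user-writable image into an argument-less
    .NET utility: the process-hollowing shape seen in the report."""
    hits = []
    for src, dst in thread_ctx:
        s, d = procs[src], procs[dst]
        if (user_writable(s["image"]) and image_name(d["image"]) in NET_UTILS
                and not has_args(d["cmd"])):
            hits.append((src, dst, image_name(d["image"])))
    return hits


def wifi_harvesters(procs):
    """netsh wlan profile/network dumps, attributed to the first non-shell
    ancestor (the stealer host), not to the intermediate cmd.exe."""
    out = defaultdict(list)
    for p in procs.values():
        if image_name(p["image"]) == "netsh.exe" and WLAN_RE.search(p["cmd"]):
            origin = next((a for a in ancestors(procs, p["pid"])
                           if image_name(a["image"]) not in SHELLS), None)
            if origin is not None:
                out[origin["pid"]].append(p["cmd"])
    return dict(out)


def masqueraded_executables(procs):
    """Running images in user-writable paths whose extension is not executable (renamed PEs)."""
    return [(p["pid"], image_name(p["image"])) for p in procs.values()
            if user_writable(p["image"])
            and ntpath.splitext(p["image"])[1].lower() not in EXEC_EXTS]


if __name__ == "__main__":
    procs = build_tree(EVENTS)
    print("hollowing:", hollowed_hosts(procs, THREAD_CONTEXT_EVENTS))
    print("wifi harvest:", wifi_harvesters(procs))
    print("renamed PE:", masqueraded_executables(procs))
```

The ancestor walk is the part worth keeping: alerting on netsh.exe's immediate parent would only ever name cmd.exe, whereas walking past shells lands on RegSvcs.exe, which is both the injection target and the process whose token was raised to SeDebugPrivilege.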
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\6d9b744fe16486be68128b365ceb222e\msgid.dat
  Filesize: 1B
  MD5: cfcd208495d565ef66e7dff9f98764da
  SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
  SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
  SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
  Note: these are the hashes of the single ASCII character "0", so the file holds just that byte. It sits in a second random 32-hex directory under %LocalAppData%, the same naming scheme as the Grabber staging root above.
-
C:\Users\Admin\AppData\Local\Temp\Cab9009.tmp
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MKBSLO~1.KXN
  Filesize: 292KB
  MD5: 042b73b18e96dd8e5848507d7ac60ddc
  SHA1: cc789c7fca70c7a2cb3666a4c691cfafa74f3cb2
  SHA256: d5f12fabd9bab67d33cf3e26a325c7f720dc9d58b505605c5b17a2e26b7b7437
  SHA512: 8c9bd44c14960f587abc387fe817be479e02c2b7c503b849d441101f2f248460d0452040f646c1832b19a5690db47b43687250e295835abe7cee4900f0768969
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\drcb.vbe
  Filesize: 90KB
  MD5: 6a617caaf126d1fc7fc4bdf3e8ec468d
  SHA1: d7ee54ed66d134f30047679cf8cb7a99d53a8b28
  SHA256: 6684b536afdfdae359cc0dedd597430b55c647803ac2485d3897f1000414925e
  SHA512: 4a1823a53dd23df0cabb144e4acc2c4b0b8510999af43900ef3ef80c1521a81bd55578bb730d53170e5b69c396ecdc33caea4181e078127c84e6fd1650a3377e
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rvci.mp2
  Filesize: 40KB
  MD5: 2041cdd68756274146293b51ec9bd2f6
  SHA1: 778868d05718d5fbb9626de0d297aea970ef931d
  SHA256: a3070e606fc55fb4d38aa827e94c81ea7d557a1fc4569d26dd10f83664a655ca
  SHA512: e56b2bf6dc55fabf9c3b978abcee43491ad3b4270d4d9baec39b0ee1f39fa3aee19b688aafb375741e455a501284464ce6734bb399f6e8b812c3994b64c6bc97
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\upowiq.pdf
  Filesize: 73.4MB
  MD5: 07928a871521cd820875966bbaeb1fe9
  SHA1: b9c1586bdc3fde0d3d04d89677ec77ebf82b529b
  SHA256: 592653e529707ee392aeb412f50920fe62575fc41875039d9cd15de45dfe9623
  SHA512: fc2bb009a275640484a2198560a78382df35b0841b3ad86c5fecf211078dd8e4abbe3a5d3ac636dc4c6630f130ba83d61647c1e801679f5ed2e32e31d416e383
  Note: passed as the sole argument to bexoqmp.msc in the process tree; at 73.4MB it is far larger than the 990KB sample that unpacked it, and its size alone puts it above the upload limits of many scanning services.
-
C:\Users\Admin\AppData\Local\Temp\Tar9157.tmp
  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
\Users\Admin\AppData\Local\Temp\RarSFX0\bexoqmp.msc
  Filesize: 925KB
  MD5: 0adb9b817f1df7807576c2d7068dd931
  SHA1: 4a1b94a9a5113106f40cd8ea724703734d15f118
  SHA256: 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
  SHA512: 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a
  Note: the dropped loader (PID 1852), a PE stored under a .msc extension; this hash, not the sample's, is what to pivot on for other SFX wrappers of the same loader.

The CryptnetUrlCache entry and the Cab*.tmp / Tar*.tmp files are written by Windows CryptoAPI when it fetches and unpacks certificate trust data; they appear in most sandbox runs and are not part of the payload. The five RarSFX0 files are the contents of the self-extracting archive.

Memory dumps (all from RegSvcs.exe, PID 2424; the suffix after the PID is the dump sequence number):
memory/2424-68, -70, -72, -74  0x00000000013A0000-0x00000000023A0000
  Filesize: 16.0MB (dumps 70, 72 and 74 carry the family_stormkitty YARA hit)
memory/2424-75  0x00000000013A0000-0x00000000013D0000
  Filesize: 192KB (family_stormkitty hit)
memory/2424-76, -254  0x0000000073140000-0x000000007382E000
  Filesize: 6.9MB
memory/2424-77, -145, -255, -256  0x000000000FB10000-0x000000000FB50000
  Filesize: 256KB (dump 77 carries the family_stormkitty hit)
memory/2424-69  0x000000007EFDE000-0x000000007EFDF000
  Filesize: 4KB