Analysis
- max time kernel: 146s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-04-2024 14:55

Tasks
- Static task: static1
- Behavioral task behavioral1: sample 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe, resource win7-20240221-en
- Behavioral task behavioral2: sample 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe, resource win10v2004-20240412-en
General
- Target: 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
- Size: 990KB
- MD5: 3183ce80b52497d71f3f036141413c53
- SHA1: 079ea02e9ef218b2cbc4e4f99d1d904e739f8f59
- SHA256: 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213
- SHA512: d943eeba0795e38cf1a6951a2ff412e690dae8fd3f02718497797584e8e87936743fee129e5b6ac7bc0cf17ad7f3807147a28882e0b91552e2273aa2a5022d87
- SSDEEP: 24576:mTbBv5rUSvFpiZA9fuBGa6mXcqIAXiAZfzI6q:YBVNpyAFLAXiAZw
Malware Config
Extracted
- Family: asyncrat
- Botnet: Default
- C2:
  - 127.0.0.1:6606
  - 127.0.0.1:7707
  - 127.0.0.1:8808
  - https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
Processes (resource -> yara_rule):
- behavioral2/memory/1036-67-0x0000000000BB0000-0x0000000001BB0000-memory.dmp -> family_stormkitty
- behavioral2/memory/1036-68-0x0000000000BB0000-0x0000000000BE0000-memory.dmp -> family_stormkitty
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation / 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
- Key value queried / \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation / WScript.exe
Executes dropped EXE 1 IoCs
Processes (pid / process):
- 1056 / bexoqmp.msc
Drops desktop.ini file(s) 8 IoCs
Processes (description / ioc / process):
- File created / C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini / RegSvcs.exe
- File created / C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini / RegSvcs.exe
- File created / C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini / RegSvcs.exe
- File created / C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini / RegSvcs.exe
- File created / C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini / RegSvcs.exe
- File opened for modification / C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini / RegSvcs.exe
- File created / C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini / RegSvcs.exe
- File opened for modification / C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini / RegSvcs.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- 31 / icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
- PID 1056 set thread context of 1036 / 1056 / bexoqmp.msc / RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key opened / \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 / RegSvcs.exe
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier / RegSvcs.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes (pid / process):
- 1400 / ipconfig.exe
- 2256 / ipconfig.exe
Modifies registry class 1 IoCs
Processes (description / ioc / process):
- Key created / \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings / 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes (pid / process, 41 events in total):
- 1056 / bexoqmp.msc (12 events)
- 1036 / RegSvcs.exe (29 events)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1036 / RegSvcs.exe
Suspicious use of WriteProcessMemory 47 IoCs
Processes (source pid / source process -> target pid / target process, with the number of recorded events):
- 1792 / 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe -> 2916 / WScript.exe (3 events)
- 2916 / WScript.exe -> 1444 / cmd.exe (3 events)
- 2916 / WScript.exe -> 3908 / cmd.exe (3 events)
- 1444 / cmd.exe -> 1400 / ipconfig.exe (3 events)
- 3908 / cmd.exe -> 1056 / bexoqmp.msc (3 events)
- 1056 / bexoqmp.msc -> 1036 / RegSvcs.exe (5 events)
- 2916 / WScript.exe -> 800 / cmd.exe (3 events)
- 800 / cmd.exe -> 2256 / ipconfig.exe (3 events)
- 1036 / RegSvcs.exe -> 1788 / cmd.exe (3 events)
- 1788 / cmd.exe -> 3476 / chcp.com (3 events)
- 1788 / cmd.exe -> 2632 / netsh.exe (3 events)
- 1788 / cmd.exe -> 4848 / findstr.exe (3 events)
- 1036 / RegSvcs.exe -> 1372 / cmd.exe (3 events)
- 1372 / cmd.exe -> 1864 / chcp.com (3 events)
- 1372 / cmd.exe -> 712 / netsh.exe (3 events)
Processes (process tree; each entry gives the image path, the command line, and the signatures attributed to that process)
- C:\Users\Admin\AppData\Local\Temp\8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\drcb.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ipconfig.exe
        command line: ipconfig /release
        - Gathers network information
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c bexoqmp.msc upowiq.pdf
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bexoqmp.msc
        command line: bexoqmp.msc upowiq.pdf
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          - Drops desktop.ini file(s)
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe
            command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\chcp.com
              command line: chcp 65001
            - C:\Windows\SysWOW64\netsh.exe
              command line: netsh wlan show profile
            - C:\Windows\SysWOW64\findstr.exe
              command line: findstr All
          - C:\Windows\SysWOW64\cmd.exe
            command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\chcp.com
              command line: chcp 65001
            - C:\Windows\SysWOW64\netsh.exe
              command line: netsh wlan show networks mode=bssid
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ipconfig.exe
        command line: ipconfig /renew
        - Gathers network information
Downloads
- C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\System\Process.txt
  Filesize: 4KB
  MD5: ec49c0e413361db687eb39937dcb7cb8
  SHA1: 467f4b59b820567c1d70eaa5ba0d3d9dd8440744
  SHA256: 1f750037120f248cc27ae29db9a1b15762ca93f56f4782728eb0daa1662de741
  SHA512: 99ec16e13402a1b07bdeb39d858b29dcbfce32f22a153b4b724f07133495a5407623d6873811125fb28f07a13ac197df7255d1d1ceed3e5c580215033fac58ac
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\MKBSLO~1.KXN
  Filesize: 292KB
  MD5: 042b73b18e96dd8e5848507d7ac60ddc
  SHA1: cc789c7fca70c7a2cb3666a4c691cfafa74f3cb2
  SHA256: d5f12fabd9bab67d33cf3e26a325c7f720dc9d58b505605c5b17a2e26b7b7437
  SHA512: 8c9bd44c14960f587abc387fe817be479e02c2b7c503b849d441101f2f248460d0452040f646c1832b19a5690db47b43687250e295835abe7cee4900f0768969
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\bexoqmp.msc
  Filesize: 925KB
  MD5: 0adb9b817f1df7807576c2d7068dd931
  SHA1: 4a1b94a9a5113106f40cd8ea724703734d15f118
  SHA256: 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
  SHA512: 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\drcb.vbe
  Filesize: 90KB
  MD5: 6a617caaf126d1fc7fc4bdf3e8ec468d
  SHA1: d7ee54ed66d134f30047679cf8cb7a99d53a8b28
  SHA256: 6684b536afdfdae359cc0dedd597430b55c647803ac2485d3897f1000414925e
  SHA512: 4a1823a53dd23df0cabb144e4acc2c4b0b8510999af43900ef3ef80c1521a81bd55578bb730d53170e5b69c396ecdc33caea4181e078127c84e6fd1650a3377e
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rvci.mp2
  Filesize: 40KB
  MD5: 2041cdd68756274146293b51ec9bd2f6
  SHA1: 778868d05718d5fbb9626de0d297aea970ef931d
  SHA256: a3070e606fc55fb4d38aa827e94c81ea7d557a1fc4569d26dd10f83664a655ca
  SHA512: e56b2bf6dc55fabf9c3b978abcee43491ad3b4270d4d9baec39b0ee1f39fa3aee19b688aafb375741e455a501284464ce6734bb399f6e8b812c3994b64c6bc97
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\upowiq.pdf
  Filesize: 73.4MB
  MD5: 07928a871521cd820875966bbaeb1fe9
  SHA1: b9c1586bdc3fde0d3d04d89677ec77ebf82b529b
  SHA256: 592653e529707ee392aeb412f50920fe62575fc41875039d9cd15de45dfe9623
  SHA512: fc2bb009a275640484a2198560a78382df35b0841b3ad86c5fecf211078dd8e4abbe3a5d3ac636dc4c6630f130ba83d61647c1e801679f5ed2e32e31d416e383
- C:\Users\Admin\AppData\Local\c6940476c219e6add8b8f1f718134d01\msgid.dat
  Filesize: 4B
  MD5: 5d79099fcdf499f12b79770834c0164a
  SHA1: a0a82ebdd4a855c999b56ce855a244a672dcafff
  SHA256: c2f61742e5f0ef0a74c5fcbeff7ff659def91bf4b5f1e175943a0b075c82058b
  SHA512: 06cfa49342a41a510897626740a154bf5fb3afdad66cc778c619a15326905de12f0c945d8ba58d00e696b9860ce54952ef0768823a6ef4a1804fe1f035086fa9
Memory dumps (dump / Filesize):
- memory/1036-67-0x0000000000BB0000-0x0000000001BB0000-memory.dmp / 16.0MB
- memory/1036-70-0x0000000011740000-0x0000000011750000-memory.dmp / 64KB
- memory/1036-71-0x0000000011900000-0x0000000011966000-memory.dmp / 408KB
- memory/1036-68-0x0000000000BB0000-0x0000000000BE0000-memory.dmp / 192KB
- memory/1036-242-0x0000000011740000-0x0000000011750000-memory.dmp / 64KB
- memory/1036-244-0x0000000012260000-0x00000000122F2000-memory.dmp / 584KB
- memory/1036-245-0x00000000128B0000-0x0000000012E54000-memory.dmp / 5.6MB
- memory/1036-249-0x0000000012380000-0x000000001238A000-memory.dmp / 40KB
- memory/1036-250-0x0000000072610000-0x0000000072DC0000-memory.dmp / 7.7MB
- memory/1036-69-0x0000000072610000-0x0000000072DC0000-memory.dmp / 7.7MB
- memory/1036-256-0x00000000123D0000-0x00000000123E2000-memory.dmp / 72KB
- memory/1036-279-0x0000000011740000-0x0000000011750000-memory.dmp / 64KB
- memory/1036-281-0x0000000011740000-0x0000000011750000-memory.dmp / 64KB