Analysis
  max time kernel: 194s
  max time network: 210s
  platform: windows11-21h2_x64
  resource: win11-20240412-en
  resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 17-04-2024 19:21
General
  Target: ess.exe
  Size: 38KB
  MD5: a657e08819360c2d09a02900c1340cc1
  SHA1: 009c944d9182e96a4d1a67f09dbe2edd0864b068
  SHA256: f66d125ed2d2267ac2de3b7290b0abfa9a1b4265d04ed872a4d96888888d5296
  SHA512: 0ef5ddc58e4d30d4df2200b18ac66671fb223924011854242e0702b89b75c9d1fa54ef88d9a133309f0c20e021ebe1d39a6626172f6e37c73b356f349d4405d9
  SSDEEP: 768:P5fQwpevonRaGqwhXARyrjJj9HNy6B6SE7NL:P5pa1whXA4x9tJop7NL
Malware Config
Signatures
  StormKitty
    StormKitty is an open source info stealer written in C#.
  StormKitty payload (1 IoC)
    yara_rule family_stormkitty matched:
      behavioral1/memory/5556-20-0x000000001C9D0000-0x000000001C9FA000-memory.dmp
  Async RAT payload (2 IoCs)
    yara_rule family_asyncrat matched:
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif
      behavioral1/memory/5556-16-0x0000000001830000-0x0000000001840000-memory.dmp
    Both family rules fire inside PID 5556, the dropped $77woah.pif, in two different memory regions; the on-disk file itself matches only the AsyncRAT rule. The Malware Config section above lists nothing, so the family labels rest on these YARA matches alone. Confirm them with a configuration extraction or a manual look at the 168KB and 64KB regions before reporting either family.
  Sets file to hidden (1 TTP, 2 IoCs)
    Modifies file attributes to stop it showing in Explorer etc.
    Processes: attrib.exe (PID 3400), attrib.exe (PID 2208)
  Executes dropped EXE (1 IoC)
    Processes: $77woah.pif (PID 5556)
  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
    No IoCs are listed under this signature and the Network section below is empty, so the hosting service involved cannot be identified from this report.
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Delays execution with timeout.exe (1 IoC)
    Processes: timeout.exe (PID 4544)
  Suspicious behavior: EnumeratesProcesses (19 IoCs)
    Processes: ess.exe (PID 640), 19 occurrences
  Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    Processes: $77woah.pif (PID 5556)
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege   ess.exe (PID 640)
    Token: SeDebugPrivilege   $77woah.pif (PID 5556)
  Suspicious use of WriteProcessMemory (10 IoCs)
    source PID   source process   target PID   target process
    640          ess.exe          3400         attrib.exe     (2 events)
    640          ess.exe          2208         attrib.exe     (2 events)
    640          ess.exe          5116         cmd.exe        (2 events)
    5116         cmd.exe          4544         timeout.exe    (2 events)
    5116         cmd.exe          5556         $77woah.pif    (2 events)
    Every target is a direct child of the writing process and the pairs match the process tree below exactly; nothing in this list shows a write into an unrelated process.
  Views/modifies file attributes (1 TTP, 2 IoCs)
    Processes: attrib.exe (PID 3400), attrib.exe (PID 2208)
Processes
  C:\Users\Admin\AppData\Local\Temp\ess.exe  (PID 640)
    "C:\Users\Admin\AppData\Local\Temp\ess.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah"
      - Sets file to hidden
      - Views/modifies file attributes
    C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif"
      - Sets file to hidden
      - Views/modifies file attributes
    C:\Windows\system32\cmd.exe  (PID 5116)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB21A.tmp.bat""
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\timeout.exe  (PID 4544)
        timeout 3
        - Delays execution with timeout.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif  (PID 5556)
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif"
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
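The chain in the tree above (attrib +s +h on an AppData directory and on the file inside it, cmd /c on a %TEMP% batch file, a timeout, then launch of a .pif from the hidden directory) is the part of this report most worth turning into detection logic. The following is an example added by the editor, not code from the sandbox or from the sample: it walks process-creation events transcribed from the tree above and flags a parent that performs all three steps through its children. The pairing of PIDs 3400 and 2208 with the two attrib.exe command lines is an assumption (the report lists the PIDs but does not tie them to a command line), and all helper names are the editor's own.

```python
import re
from dataclasses import dataclass

# Editor-added example; not code from the sandbox or the sample.

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Process-creation events transcribed from the process tree above. The report
# lists attrib.exe PIDs 3400 and 2208 without pairing them to a command line,
# so which attrib call got which PID is an assumption here.
EVENTS = [
    ProcEvent(640, 0, r"C:\Users\Admin\AppData\Local\Temp\ess.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ess.exe"'),
    ProcEvent(3400, 640, r"C:\Windows\System32\attrib.exe",
              r'"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah"'),
    ProcEvent(2208, 640, r"C:\Windows\System32\attrib.exe",
              r'"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif"'),
    ProcEvent(5116, 640, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB21A.tmp.bat""'),
    ProcEvent(4544, 5116, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(5556, 5116, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif",
              r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif"'),
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
ATTRIB_HIDE = re.compile(r"\battrib(?:\.exe)?\b.*\+[sh]\b.*\+[sh]\b", re.I)
TEMP_BAT = re.compile(r'\\appdata\\local\\temp\\[^"\s]+\.bat\b', re.I)
ODD_PE_EXT = (".pif", ".scr", ".com")   # PE files wearing a non-.exe extension

def children(events, pid):
    return [e for e in events if e.ppid == pid]

def hidden_user_paths(events, pid):
    """Lower-cased AppData paths that direct children of `pid` hid with attrib +s/+h."""
    paths = []
    for child in children(events, pid):
        if not ATTRIB_HIDE.search(child.cmdline):
            continue
        quoted = re.findall(r'"([^"]+)"', child.cmdline)
        # quoted[0] is the attrib.exe image itself; the rest are its targets
        paths += [p.lower() for p in quoted[1:] if USER_WRITABLE.search(p)]
    return paths

def find_hidden_drop_chains(events):
    """One finding per process that hides an AppData path, runs a %TEMP% .bat via
    cmd /c, and through that cmd launches a .pif/.scr/.com from the hidden path."""
    findings = []
    for parent in events:
        hidden = hidden_user_paths(events, parent.pid)
        if not hidden:
            continue
        for cmd in children(events, parent.pid):
            if not (cmd.image.lower().endswith("\\cmd.exe") and TEMP_BAT.search(cmd.cmdline)):
                continue
            grandchildren = children(events, cmd.pid)
            delayed = any(g.cmdline.lower().startswith("timeout") for g in grandchildren)
            for g in grandchildren:
                img = g.image.lower()
                if img.endswith(ODD_PE_EXT) and any(img.startswith(h) for h in hidden):
                    findings.append({
                        "dropper_pid": parent.pid, "batch_pid": cmd.pid,
                        "payload_pid": g.pid, "payload": g.image,
                        "hidden_paths": sorted(set(hidden)), "delayed": delayed,
                    })
    return findings

if __name__ == "__main__":
    for finding in find_hidden_drop_chains(EVENTS):
        print(finding)
```

On the events above this yields one finding: dropper PID 640, batch PID 5116, payload PID 5556, with the delay flag set because timeout.exe ran under the same cmd.exe. The batch file's contents are not shown in the report, so the rule keys on the observable process relationships rather than on what tmpB21A.tmp.bat contains. One further lead: the `$77` prefix on the dropped file name is the convention the open-source r77 rootkit uses to mark files and processes it should hide; nothing in this report shows r77 itself running, so treat the prefix as something to check on a real host, not as a finding.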
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
  C:\Users\Admin\AppData\Local\Temp\tmp34D1.tmp.dat
    Filesize: 46KB
    MD5: 8f5942354d3809f865f9767eddf51314
    SHA1: 20be11c0d42fc0cef53931ea9152b55082d1a11e
    SHA256: 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
    SHA512: fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
  C:\Users\Admin\AppData\Local\Temp\tmp34D2.tmp.dat
    Filesize: 46KB
    MD5: 14ccc9293153deacbb9a20ee8f6ff1b7
    SHA1: 46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
    SHA256: 3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
    SHA512: 916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
  C:\Users\Admin\AppData\Local\Temp\tmpB21A.tmp.bat
    Filesize: 184B
    MD5: d0e49bce1b17ec0f634be98b1cb99a69
    SHA1: 617625f98f08174038d72b459dde6adb3d6a59b4
    SHA256: cd8689f3241ea19125da6e3b99f2a6865abc677c6fa8e71b08dec0aea495ae27
    SHA512: 9fca0d14e2efc8c5cc7310ef3f9fc5c4f39c135fb8d2d5a0f6362aed20bc6b348bee57bb409fa1a097f52e542a4d79a9cd05f2e2c97be4e53e26b3be056d0595
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif
    Filesize: 38KB
    MD5: a657e08819360c2d09a02900c1340cc1
    SHA1: 009c944d9182e96a4d1a67f09dbe2edd0864b068
    SHA256: f66d125ed2d2267ac2de3b7290b0abfa9a1b4265d04ed872a4d96888888d5296
    SHA512: 0ef5ddc58e4d30d4df2200b18ac66671fb223924011854242e0702b89b75c9d1fa54ef88d9a133309f0c20e021ebe1d39a6626172f6e37c73b356f349d4405d9
    (all four hashes equal those of the submitted ess.exe: the sample copied itself, unchanged, to this path)
  memory/640-1-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp
    Filesize: 10.8MB
  memory/640-2-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp
    Filesize: 10.8MB
  memory/640-8-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp
    Filesize: 10.8MB
  memory/640-0-0x0000000000AF0000-0x0000000000B00000-memory.dmp
    Filesize: 64KB
  memory/5556-12-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp
    Filesize: 10.8MB
  memory/5556-15-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp
    Filesize: 10.8MB
  memory/5556-16-0x0000000001830000-0x0000000001840000-memory.dmp
    Filesize: 64KB
  memory/5556-17-0x0000000001820000-0x000000000182E000-memory.dmp
    Filesize: 56KB
  memory/5556-20-0x000000001C9D0000-0x000000001C9FA000-memory.dmp
    Filesize: 168KB
  memory/5556-14-0x000000001CDD0000-0x000000001CDE0000-memory.dmp
    Filesize: 64KB
  memory/5556-13-0x0000000001830000-0x0000000001840000-memory.dmp
    Filesize: 64KB
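A second editor-added example, not part of the sandbox report: it parses the dump naming scheme used above (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp), recomputes each region's size from its address range and compares it with the size the report prints, joins the YARA family hits from the Signatures section to the regions they matched in, and finds dropped files whose SHA256 equals the submitted sample's. Every constant is transcribed from this report; the function and constant names are the editor's own.

```python
import re

# Editor-added example (not the sandbox's code). Values below are transcribed
# from the report above; the function and constant names are the editor's own.

DUMP_RE = re.compile(
    r"^(?:behavioral1/)?memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

def parse_dump(name):
    """Split a dump name into pid, sequence number and the [start, end) range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}

def human_size(n):
    """Render bytes the way the report does (whole KB, or MB to one decimal)."""
    if n >= 1024 * 1024:
        return f"{n / (1024 * 1024):.1f}MB"
    return f"{n // 1024}KB"

# (dump name, size as printed in the report)
MEMORY_DUMPS = [
    ("memory/640-1-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp", "10.8MB"),
    ("memory/640-2-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp", "10.8MB"),
    ("memory/640-8-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp", "10.8MB"),
    ("memory/640-0-0x0000000000AF0000-0x0000000000B00000-memory.dmp", "64KB"),
    ("memory/5556-12-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp", "10.8MB"),
    ("memory/5556-15-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp", "10.8MB"),
    ("memory/5556-16-0x0000000001830000-0x0000000001840000-memory.dmp", "64KB"),
    ("memory/5556-17-0x0000000001820000-0x000000000182E000-memory.dmp", "56KB"),
    ("memory/5556-20-0x000000001C9D0000-0x000000001C9FA000-memory.dmp", "168KB"),
    ("memory/5556-14-0x000000001CDD0000-0x000000001CDE0000-memory.dmp", "64KB"),
    ("memory/5556-13-0x0000000001830000-0x0000000001840000-memory.dmp", "64KB"),
]

# YARA family hits from the Signatures section (file paths and dump names).
YARA_HITS = {
    "family_stormkitty": [
        "behavioral1/memory/5556-20-0x000000001C9D0000-0x000000001C9FA000-memory.dmp",
    ],
    "family_asyncrat": [
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif",
        "behavioral1/memory/5556-16-0x0000000001830000-0x0000000001840000-memory.dmp",
    ],
}

TARGET_SHA256 = "f66d125ed2d2267ac2de3b7290b0abfa9a1b4265d04ed872a4d96888888d5296"
DROPPED = [  # (path, SHA256) from the Downloads section
    (r"C:\Users\Admin\AppData\Local\Temp\tmp34D1.tmp.dat",
     "776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea"),
    (r"C:\Users\Admin\AppData\Local\Temp\tmp34D2.tmp.dat",
     "3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511"),
    (r"C:\Users\Admin\AppData\Local\Temp\tmpB21A.tmp.bat",
     "cd8689f3241ea19125da6e3b99f2a6865abc677c6fa8e71b08dec0aea495ae27"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif",
     "f66d125ed2d2267ac2de3b7290b0abfa9a1b4265d04ed872a4d96888888d5296"),
]

def check_reported_sizes(dumps):
    """Names whose recomputed region size disagrees with the size the report prints."""
    return [name for name, shown in dumps if human_size(parse_dump(name)["size"]) != shown]

def hits_by_region(yara_hits):
    """family -> [(pid, start, end, size)] for every hit that is a memory dump."""
    out = {}
    for family, resources in yara_hits.items():
        for res in resources:
            if DUMP_RE.match(res):
                d = parse_dump(res)
                out.setdefault(family, []).append((d["pid"], d["start"], d["end"], d["size"]))
    return out

def self_copies(target_sha256, dropped):
    """Dropped files that are byte-identical to the submitted sample."""
    return [path for path, sha in dropped if sha.lower() == target_sha256.lower()]

if __name__ == "__main__":
    print("size mismatches:", check_reported_sizes(MEMORY_DUMPS))
    for fam, regions in hits_by_region(YARA_HITS).items():
        for pid, start, end, size in regions:
            print(f"{fam}: pid {pid} {start:#x}-{end:#x} ({human_size(size)})")
    print("self-copies:", self_copies(TARGET_SHA256, DROPPED))
```

Run against this report it finds no size mismatches, places the StormKitty hit at 0x1C9D0000-0x1C9FA000 (168KB) and the AsyncRAT hit at 0x1830000-0x1840000 (64KB), both inside PID 5556, and identifies $77woah.pif as a byte-identical copy of ess.exe. The 10.8MB mapping at 0x7FFEC3420000 appears at the same address in both PIDs and carries no family hit, so it is not where the payload lives; the two small regions in PID 5556 are the ones to pull for further analysis.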