Analysis Overview
SHA256
f66d125ed2d2267ac2de3b7290b0abfa9a1b4265d04ed872a4d96888888d5296
Threat Level: Known bad
The file ess.pif was found to be: Known bad.
Malicious Activity Summary
StormKitty
Asyncrat family
Async RAT payload
AsyncRat
StormKitty payload
Sets file to hidden
Reads user/profile data of web browsers
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Views/modifies file attributes
Suspicious behavior: GetForegroundWindowSpam
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-17 19:21
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 19:21
Reported
2024-04-17 19:25
Platform
win11-20240412-en
Max time kernel
194s
Max time network
210s
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ess.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\ess.exe | "C:\Users\Admin\AppData\Local\Temp\ess.exe" |
| C:\Windows\System32\attrib.exe | "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah" |
| C:\Windows\System32\attrib.exe | "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB21A.tmp.bat"" |
| C:\Windows\system32\timeout.exe | timeout 3 |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 162.212.154.8:41090 | us1.localto.net | tcp |
Files
memory/640-0-0x0000000000AF0000-0x0000000000B00000-memory.dmp
memory/640-1-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp
memory/640-2-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB21A.tmp.bat
| MD5 | d0e49bce1b17ec0f634be98b1cb99a69 |
| SHA1 | 617625f98f08174038d72b459dde6adb3d6a59b4 |
| SHA256 | cd8689f3241ea19125da6e3b99f2a6865abc677c6fa8e71b08dec0aea495ae27 |
| SHA512 | 9fca0d14e2efc8c5cc7310ef3f9fc5c4f39c135fb8d2d5a0f6362aed20bc6b348bee57bb409fa1a097f52e542a4d79a9cd05f2e2c97be4e53e26b3be056d0595 |
memory/640-8-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif
| MD5 | a657e08819360c2d09a02900c1340cc1 |
| SHA1 | 009c944d9182e96a4d1a67f09dbe2edd0864b068 |
| SHA256 | f66d125ed2d2267ac2de3b7290b0abfa9a1b4265d04ed872a4d96888888d5296 |
| SHA512 | 0ef5ddc58e4d30d4df2200b18ac66671fb223924011854242e0702b89b75c9d1fa54ef88d9a133309f0c20e021ebe1d39a6626172f6e37c73b356f349d4405d9 |
C:\Users\Admin\AppData\Local\Temp\tmp34D1.tmp.dat
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Temp\tmp34D2.tmp.dat
| MD5 | 14ccc9293153deacbb9a20ee8f6ff1b7 |
| SHA1 | 46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3 |
| SHA256 | 3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511 |
| SHA512 | 916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765 |