Analysis Overview
SHA256
fb5035e26f908cf1de308fdac8db6fb751ac69357b9ab2445fdaf1765c86b366
Threat Level: Known bad
The file ser.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty
StormKitty payload
AsyncRat
Async RAT payload
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Looks up external IP address via web service
Drops desktop.ini file(s)
Unsigned PE
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-29 11:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-29 11:41
Reported
2024-04-29 11:44
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1460 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\system32\notepad.exe |
| PID 1460 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\system32\notepad.exe |
| PID 1460 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\system32\notepad.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ser.exe
"C:\Users\Admin\AppData\Local\Temp\ser.exe"
C:\Windows\system32\notepad.exe
notepad.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-29 11:41
Reported
2024-04-29 11:44
Platform
win10v2004-20240426-en
Max time kernel
144s
Max time network
118s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ser.exe
"C:\Users\Admin\AppData\Local\Temp\ser.exe"
C:\Windows\SYSTEM32\notepad.exe
notepad.exe
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 241.185.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\System\Process.txt
| Hash | Value |
|---|---|
| MD5 | a4854d3b3c736fcdddadb463ac8df5c9 |
| SHA1 | 7893544a1b4c1e2457fbaae7d45b9cb5ff216fe8 |
| SHA256 | 290baf6636ea41fc49829cbc481e0390af6c4f6d4e3a3e3617911aedf86bf4f3 |
| SHA512 | 41fd88c3f02056c418c23be273529fcc33eb3bb110a990c302d749cd86b5addf78e24cd588e9cc8ebd895214968e6131348acc470c05a417b92c56827af7402e |
C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\System\Process.txt
| Hash | Value |
|---|---|
| MD5 | 741a60cd5e1f3816dfeaa8edca61df6a |
| SHA1 | 084f05b3c8cdf316ecc8498cb85aa17abf1497ab |
| SHA256 | 2847026181bed6041937cd172583b6e602faa1c43dcc8c068b652976dd2614c6 |
| SHA512 | 57e963dac48c65e68f4979048668015ae8dc7a9cff7d8cc667515afc304b5a9ba0743a563de72a11e02e4ef53634540433e29cd6db19ea0795b882449bf7a595 |
C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\System\Process.txt
| Hash | Value |
|---|---|
| MD5 | 1929c52790f7df99fafcbbdc9969ade1 |
| SHA1 | 069e6ed73a450f784c5e27744da17ab04c59442f |
| SHA256 | dfbddc5dc819569ced0881af26fa52ee6507b5def6dbfc66ade7f67bc1bac2f4 |
| SHA512 | b31b83510d6dc229e9c8c172cb6a6508a2d660b4d97b3566cab2fd31313d024ac0cbef1aca9c1b424953d6ef562b512746c59d453a643f62a5deec212f7e5d75 |
C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\System\Process.txt
| Hash | Value |
|---|---|
| MD5 | 7955b6f490fcb9def01bf1c08634e0da |
| SHA1 | 3e51eb8dfda557ff11f3fed9bb998c5b6e983de1 |
| SHA256 | 9b0a517c953735b3ba735971ee2eb83fa3caefa8dce3ac1b8980b688add90c77 |
| SHA512 | 74a03b055b979624b9ce6c4edf8379a4e8555a1e4b1a26db9f56766273058df54cee914eacc916b32f6fc2b511efab6ebac89b62f2b52de2b67a590a8c9af44f |
C:\Users\Admin\AppData\Local\3748126a29ea084777d6eafa9295d890\msgid.dat
| Hash | Value |
|---|---|
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |