Analysis
max time kernel: 144s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-04-2024 12:08
Static task: static1
Behavioral task: behavioral1
Sample: ser.exe
Resource: win7-20240419-en
General
Target: ser.exe
Size: 477KB
MD5: 3fecaea34d8bfd0c53d453ba377f5515
SHA1: a8909056a93d5c01d5b4f7079603559ef33ee199
SHA256: fb5035e26f908cf1de308fdac8db6fb751ac69357b9ab2445fdaf1765c86b366
SHA512: e92f474d4a7a6afa20ce5995cabe14c3442cf9a868269e528fb041dff712eeaa6eda56806126bd3efbb9d1f0719f18b50610bec2eae869d70e8186736f1aeeaf
SSDEEP: 6144:1fkZ3FM+Z6Q/8CqyRr/b0AxouMu3JQ04+S6JutalHVDvG1FhNoX9w:1fkZVfD/LUAoutIUJPHxv2rNY
Malware Config
Extracted
family: asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6792184664:AAGxPEwztsvs2oQ0e1vEY9lLZzPUDNJZYS8/sendMessage?chat_id=5918227737
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
  resource: behavioral2/memory/2864-3-0x000001EFA81C0000-0x000001EFA81F2000-memory.dmp
  yara_rule: family_stormkitty

Async RAT payload (1 IoC)
  resource: behavioral2/memory/2864-3-0x000001EFA81C0000-0x000001EFA81F2000-memory.dmp
  yara_rule: family_asyncrat

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (8 IoCs)
Process ser.exe:
  File created: C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
  File created: C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini
  File created: C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
  File opened for modification: C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
  File created: C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
  File opened for modification: C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
  File created: C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini
  File created: C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 26: icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process ser.exe:
  Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 2864 ser.exe (25 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2864 ser.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: ser.exe, cmd.exe, cmd.exe
  PID 2864 ser.exe wrote to memory of 4900 notepad.exe (listed twice)
  PID 2864 ser.exe wrote to memory of 2036 cmd.exe (listed twice)
  PID 2036 cmd.exe wrote to memory of 3496 chcp.com (listed twice)
  PID 2036 cmd.exe wrote to memory of 1864 netsh.exe (listed twice)
  PID 2036 cmd.exe wrote to memory of 1816 findstr.exe (listed twice)
  PID 2864 ser.exe wrote to memory of 4684 cmd.exe (listed twice)
  PID 4684 cmd.exe wrote to memory of 8 chcp.com (listed twice)
  PID 4684 cmd.exe wrote to memory of 1576 netsh.exe (listed twice)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\ser.exe  "C:\Users\Admin\AppData\Local\Temp\ser.exe"
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SYSTEM32\notepad.exe  notepad.exe
  [2] C:\Windows\SYSTEM32\cmd.exe  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\chcp.com  chcp 65001
    [3] C:\Windows\system32\netsh.exe  netsh wlan show profile
    [3] C:\Windows\system32\findstr.exe  findstr All
  [2] C:\Windows\SYSTEM32\cmd.exe  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\chcp.com  chcp 65001
    [3] C:\Windows\system32\netsh.exe  netsh wlan show networks mode=bssid
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\System\Process.txt (2KB)
C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\System\Process.txt (4KB)
C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\System\Process.txt (527B)
C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\System\Process.txt (1KB)
C:\Users\Admin\AppData\Local\655a0eca073de928e8f00fce0a3f3d95\msgid.dat (1B)
memory/2864-6-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp (64KB)
memory/2864-161-0x000001EFC1FE0000-0x000001EFC1FEA000-memory.dmp (40KB)
memory/2864-2-0x000001EFA8020000-0x000001EFA8056000-memory.dmp (216KB)
memory/2864-4-0x00007FFE308D0000-0x00007FFE31391000-memory.dmp (10.8MB)
memory/2864-3-0x000001EFA81C0000-0x000001EFA81F2000-memory.dmp (200KB)
memory/2864-156-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp (64KB)
memory/2864-157-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp (64KB)
memory/2864-5-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp (64KB)
memory/2864-0-0x00007FFE4EC50000-0x00007FFE4EE45000-memory.dmp (2.0MB)
memory/2864-167-0x000001EFC2010000-0x000001EFC2022000-memory.dmp (72KB)
memory/2864-190-0x00007FFE308D0000-0x00007FFE31391000-memory.dmp (10.8MB)
memory/2864-193-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp (64KB)
memory/2864-194-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp (64KB)
memory/2864-195-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp (64KB)