Analysis Overview
SHA256
fb5035e26f908cf1de308fdac8db6fb751ac69357b9ab2445fdaf1765c86b366
Threat Level: Known bad
The file ser.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
StormKitty
AsyncRat
Async RAT payload
Reads user/profile data of web browsers
Looks up external IP address via web service
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-29 12:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-29 12:08
Reported
2024-04-29 12:11
Platform
win7-20240419-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1860 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\system32\notepad.exe |
| PID 1860 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\system32\notepad.exe |
| PID 1860 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\system32\notepad.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ser.exe
"C:\Users\Admin\AppData\Local\Temp\ser.exe"
C:\Windows\system32\notepad.exe
notepad.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-29 12:08
Reported
2024-04-29 12:11
Platform
win10v2004-20240419-en
Max time kernel
144s
Max time network
153s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ser.exe
"C:\Users\Admin\AppData\Local\Temp\ser.exe"
C:\Windows\SYSTEM32\notepad.exe
notepad.exe
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 241.185.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.249.30.184.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| US | 8.8.8.8:53 | 165.191.110.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
Files
memory/2864-2-0x000001EFA8020000-0x000001EFA8056000-memory.dmp
memory/2864-0-0x00007FFE4EC50000-0x00007FFE4EE45000-memory.dmp
memory/2864-3-0x000001EFA81C0000-0x000001EFA81F2000-memory.dmp
memory/2864-4-0x00007FFE308D0000-0x00007FFE31391000-memory.dmp
memory/2864-6-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp
memory/2864-5-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp
C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\System\Process.txt
| Hash | Value |
|---|---|
| MD5 | bd21a164e49e285d5af348e3ccf1e938 |
| SHA1 | 1d11a25ed613c74a03c0a0a793d324a0c6e225d4 |
| SHA256 | ca43e5d89e4dc66d04682df25fb031f823c8ce070d20151f75e908385ca119d1 |
| SHA512 | b7a90dfb806de54110b25c08f0fa76d9de9e937cdbcc95ccb2dcc5e574ec4319b7b2e62bc18eddba089758b4b2e74f228a79d8d509fe5e3fdbdfd7f3025181e0 |
C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\System\Process.txt
| Hash | Value |
|---|---|
| MD5 | f928e0e7081b55f0196ae4543ebdca88 |
| SHA1 | 575462c688a66c890ee0508a36ec433928c6a1ff |
| SHA256 | 45630f91493a51e37db10f3a85ba188199bb7fb67298867c34075bcdd60e1e08 |
| SHA512 | 6ff5801736fc5ac91af0eacc51666b6008b68f3bc2cc437db19ab13bfd65cc5d7b7c1f56553f33178e6b9c74eb24cf325958fdf18520aed5c393867df1cdb3ac |
C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\System\Process.txt
| Hash | Value |
|---|---|
| MD5 | 8367a76ebcc00955f36276f0856024a8 |
| SHA1 | b06a9b64a6b31ce7aa87e10a7ca438322311e08d |
| SHA256 | 6c016cc75bb60da1ec5f81bde5d0560bacf924bad8c26c6ded10bab3cb9dfc7a |
| SHA512 | bfd8b81718354585145983855ca0e4d706f0c3ddf32cb578464cfcb6c8c5c8f111dbe1f2cf302c3a62bce938be127c7680d9496717519a9f645d2abbf6adbc49 |
C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\System\Process.txt
| Hash | Value |
|---|---|
| MD5 | b613b2356a8b1d1c4f1dd8088f40f273 |
| SHA1 | cfe35e7d4d09ff154f36999ee0cbeecb54aad928 |
| SHA256 | 4e24935f9b2ae85c7db2951150c68adfaffbaccee15f5190ebb56fef5e65ffce |
| SHA512 | 273ca8fc76ea066f16a0961e6a3b763215ea96c4077bd132e22a96edc40947fcb886ca376f7ed0fe7da567b3425e522593a8c06b08f380d1b897865076a1d701 |
memory/2864-156-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp
memory/2864-157-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp
memory/2864-161-0x000001EFC1FE0000-0x000001EFC1FEA000-memory.dmp
C:\Users\Admin\AppData\Local\655a0eca073de928e8f00fce0a3f3d95\msgid.dat
| Hash | Value |
|---|---|
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/2864-167-0x000001EFC2010000-0x000001EFC2022000-memory.dmp
memory/2864-190-0x00007FFE308D0000-0x00007FFE31391000-memory.dmp
memory/2864-193-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp
memory/2864-194-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp
memory/2864-195-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp