Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-04-2024 19:53

General

  • Target

    Client.exe

  • Size

    320KB

  • MD5

    ce8f79dccd060e39d1190c7bf8410022

  • SHA1

    2818e61500ce5d04734d0748b6a6692a252094cd

  • SHA256

    2977e0b05594746088bff548f75d614c92c1f0ba9ecc321f5350388271deec4c

  • SHA512

    3ae28874016865ae1de333706e714f6f5b97aee5fd212cdd3cb93b199c47b73f6e25e174de0c3dd8554dd7b5d89ad4c362cb2be64200ed96c6ba13263cd1b2a5

  • SSDEEP

    6144:bv/Q1Q5Ng68j/svKZIYrFUygWK0tWrcBOvm:bv/Q6P8j/svKPtZB

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers commonly harvest stored browser data such as saved credentials and bookmarks.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

  • Drops desktop.ini file(s) (5 IoCs)
  • Looks up external IP address via web service (7 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP address.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read to detect sandbox or virtualised environments.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)
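The two registry discovery signatures above ("Checks installed software" and "Checks processor information") can be reproduced over raw registry-access telemetry. The script below is an added example, not part of the Triage report or of StormKitty: it classifies registry reads against the standard Uninstall and CentralProcessor locations (an assumption about what the sandbox keys on), counts hits per PID, and maps them to the ATT&CK techniques the report's matrix implies (the installed-software check carries one TTP, the processor check two, and the matrix lists Query Registry twice and System Information Discovery once). The event lines are constructed in a Sysmon-like style for illustration.

```python
import re
from collections import Counter, defaultdict

# Standard registry locations (assumption: the sandbox signatures key on these).
UNINSTALL_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
)
CPU_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor"

# Signature -> ATT&CK techniques, as implied by the report's TTP counts and matrix.
SIGNATURES = {
    "Checks installed software on the system": ("T1012",),
    "Checks processor information in registry": ("T1012", "T1082"),
}

# Constructed event format: pid=<n> image=<path> op=<EnumKey|QueryValue> key=<path>
EVENT_RE = re.compile(
    r"pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+op=(?P<op>\w+)\s+key=(?P<key>.+)$"
)


def classify_key(key_path):
    """Return the report signature a registry path would trigger, or None."""
    k = key_path.lower()
    if any(k.startswith(u.lower()) for u in UNINSTALL_KEYS):
        return "Checks installed software on the system"
    if k.startswith(CPU_KEY.lower()):
        return "Checks processor information in registry"
    return None


def parse_event(line):
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def triage(lines):
    """Map pid -> Counter of signature names fired by that process's registry reads."""
    hits = defaultdict(Counter)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        sig = classify_key(ev["key"])
        if sig:
            hits[int(ev["pid"])][sig] += 1
    return dict(hits)


def techniques(hits):
    """Collapse signature hits into the sorted set of ATT&CK technique IDs per pid."""
    return {pid: sorted({t for sig in c for t in SIGNATURES[sig]}) for pid, c in hits.items()}


# Constructed sample telemetry; PID 2212 mirrors the Client.exe process from the report.
SAMPLE_EVENTS = [
    r"pid=2212 image=C:\Users\Admin\AppData\Local\Temp\Client.exe op=EnumKey key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"pid=2212 image=C:\Users\Admin\AppData\Local\Temp\Client.exe op=QueryValue key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp\DisplayName",
    r"pid=2212 image=C:\Users\Admin\AppData\Local\Temp\Client.exe op=QueryValue key=HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OtherApp\DisplayName",
    r"pid=2212 image=C:\Users\Admin\AppData\Local\Temp\Client.exe op=QueryValue key=HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
    r"pid=2212 image=C:\Users\Admin\AppData\Local\Temp\Client.exe op=QueryValue key=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName",
    r"pid=1456 image=C:\Windows\explorer.exe op=QueryValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for pid, counter in hits.items():
        print(pid, dict(counter), techniques(hits)[pid])
```

The benign ProductName read and the explorer.exe event fall through unclassified, which is the point of anchoring on key prefixes rather than on "any registry read": a single Uninstall enumeration is routine for installers, so in a real detection the counts per PID, combined with the file-staging behaviour later in this report, are what separate StormKitty from noise.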

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    • Accesses Microsoft Outlook profiles
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:2212

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    • Unsecured Credentials (T1552): 2 hits
    • Credentials In Files (T1552.001): 2 hits
  • Discovery
    • Query Registry (T1012): 2 hits
    • System Information Discovery (T1082): 1 hit
  • Collection
    • Data from Local System (T1005): 2 hits
    • Email Collection (T1114): 1 hit


Downloads

  • C:\Users\Admin\AppData\Roaming\IZKCKOTP\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\RegisterDisable.docx
    Filesize

    309KB

    MD5

    29cf334cabb5f105c0d4abeac4507b61

    SHA1

    cf46f9e572436e6e59db8b3deb03f488a0bb0648

    SHA256

    b7e37e718395f43486bf33ef945f1e83549fa0cc5df7705dbed43fc10f073e55

    SHA512

    b068921abd2e04cc3f38b57f556232b8534d1cd635cb5e9ba87b47bd385a40d23a5e34034410b5d8ee0b79209020dde1607c82f040b6c03bd876ebe14933aaf9

  • C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\RepairWait.docx
    Filesize

    236KB

    MD5

    9840b8f362f66b4c9eddcdd642223383

    SHA1

    2ac2f8389bbd3ec2857b985fece8ebb6991ee42e

    SHA256

    f44d3ec573dedb4da4c44664f99435b5ff9d0c0dc5a5f716f55cee215d0c01f9

    SHA512

    b53522ef02bbac5817d6f9f010a653ea19bf6a96d6da8e3b9ae704dca4ef740241697014a0ef6d8ca560a2e8e13682133ac0067841336e081a7a0759c66781b1

  • C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\SkipUndo.xls
    Filesize

    272KB

    MD5

    476f0b542a2bc62381aab59c1a4edf82

    SHA1

    2f8138347e4af234e329332ef8b3fc8e5531b21b

    SHA256

    02b3575871061734d6b8c61f69ad35423e1150fc4e8a4eed588e32f04e5a67cb

    SHA512

    477eb5c96fafbfc535d1489c019b1444e4ef704603cfa34acd3e7cbd8d25e679ae88cf4de4882df6c69b8eabfd577a62ddae8ee630b012e256ff914ab7ee236a

  • C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Documents\StepUninstall.rtf
    Filesize

    2.8MB

    MD5

    47ed7393f4d0e04983474eeac905c4a5

    SHA1

    09881e90a4636b18e917e3176a8c2ac2aad45212

    SHA256

    f6e4c21006a2b3fdd5c14b2a3e0fd6390d4481bad7a24d5bed5aea1cd00d6207

    SHA512

    03375de8d9c915015f04e0a673c82f7097912f8d169e7240f3bd561de27db63c32fc4e7da21b2012f44fac114393b2c92cdf759b7617fa89dbb05e45cfe2a5af

  • C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\ImportDismount.svg
    Filesize

    268KB

    MD5

    a04cdb0c3f9de5a30e64a10522acd98e

    SHA1

    caba55395fed4baa76c3edae5ba342096096f276

    SHA256

    455147fff36279df31f9e8397a74a6e8fe22446411690e9875006a68bd6f6c64

    SHA512

    c9288401029588cf3a007e27b98c4d6b376ed805b643abacf13f63846714be02c4b593fda51f4414582455b9d993e489d7d29c10cdf5afc8f7682e520bb07804

  • C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\InstallRepair.sql
    Filesize

    280KB

    MD5

    b1c27499ccf7b1f24461bb43a67a90d3

    SHA1

    776c274e38d00e507faf543cbf7f474f81e15abe

    SHA256

    4357c7e84ae174883b9e4c891559850c5f50e51e45a3c82afa4969b027e10ce6

    SHA512

    98840ec2248e53ef0dfab7df4bed36448ec5a38f0779eeb8ed4a53a6d28ed838395ef06c2c6215240c1247978d648b250807ea0e56442cc5f2dd58af5fb3252c

  • C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\InvokeRepair.xlsx
    Filesize

    497KB

    MD5

    7f31a5545b2aae8d9f14972261cf6320

    SHA1

    90626d9850fe8f8d33ecdba2eb74cb3acdebd4b4

    SHA256

    0ce6de551926ceab3912ca06df8ddce9de2120631c34f0af10f5c644a5e3f46c

    SHA512

    febf36c131c4af4f67799b4bdb284c2990311224275dcef43ae903097a952a702116b1d0c85fd064c40108b1d68b4da3162f47c3f8a16971d7b9e32398c97279

  • C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\OpenRepair.docx
    Filesize

    421KB

    MD5

    05c7541a2798121f303a7815e06dcec3

    SHA1

    01488c70247a35835f67dd6405796e84d1fd0c00

    SHA256

    23c115a65cc3dbaa7673f32afc38e4ebd190195c64317011adf7cae0b8105efa

    SHA512

    dc34fe7ac09a4c5f4e4938b0203b6c3a60037ed91c97e3795dff30b41ae3ff4fe785e8651d5dc5d4a2a94a7ac11671993078c496a50e691a9a1f3364618ce8f5

  • C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Pictures\DenyMount.png
    Filesize

    1.0MB

    MD5

    97a922a1658950903eead6955c314cc7

    SHA1

    ea1caecabd131a1d9b17ee1bc1addfbe04e40a48

    SHA256

    a4f840bf3b13d5271e1d54943b500a6564a366ac8bd73ff9e1973699a3ce9a78

    SHA512

    a02ba7a9d21f6d18bac4e9886bcb47285723c39d85db9b41f5fd21bd64fa00e4cccab482c5961372fb2bc94da8b59152c0bbf1b3a9cf322f710efd79872d956c

  • memory/2212-2-0x0000000005120000-0x0000000005160000-memory.dmp
    Filesize

    256KB

  • memory/2212-1-0x00000000745D0000-0x0000000074CBE000-memory.dmp
    Filesize

    6.9MB

  • memory/2212-0-0x0000000000BE0000-0x0000000000C36000-memory.dmp
    Filesize

    344KB

  • memory/2212-164-0x00000000745D0000-0x0000000074CBE000-memory.dmp
    Filesize

    6.9MB

  • memory/2212-190-0x00000000745D0000-0x0000000074CBE000-memory.dmp
    Filesize

    6.9MB
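The dropped files above share one layout: a staging root under the Roaming profile named with eight uppercase letters (IZKCKOTP in this run), with a Browsers\ tree for browser data and a FileGrabber\ tree mirroring the victim's Desktop, Documents, Downloads and Pictures folders. The script below is an added example, not part of the Triage report or of StormKitty: it parses the report's paths, groups them by staging tag and source folder, lists the file types the grabber collected, and derives a regex for hunting the same layout in file-creation telemetry. The eight-uppercase-letter tag pattern is an assumption generalised from this single sample.

```python
import re
from collections import defaultdict

# Assumption: staging root is %APPDATA%\<8 uppercase letters>\(Browsers|FileGrabber)\...
STAGING_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\(?P<tag>[A-Z]{8}))\\"
    r"(?P<module>Browsers|FileGrabber)\\(?P<rest>.+)$"
)

# Hunting pattern for file-create events; deliberately host- and user-agnostic.
HUNT_RE = re.compile(r"\\AppData\\Roaming\\[A-Z]{8}\\(Browsers|FileGrabber)\\")

# Paths copied from the Downloads section of this report.
DROPPED = [
    r"C:\Users\Admin\AppData\Roaming\IZKCKOTP\Browsers\Firefox\Bookmarks.txt",
    r"C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\RegisterDisable.docx",
    r"C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\RepairWait.docx",
    r"C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\SkipUndo.xls",
    r"C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Documents\StepUninstall.rtf",
    r"C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\ImportDismount.svg",
    r"C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\InstallRepair.sql",
    r"C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\InvokeRepair.xlsx",
    r"C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\OpenRepair.docx",
    r"C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Pictures\DenyMount.png",
]


def parse_dropped(path):
    """Split a staged path into root, tag, module, source folder and file name."""
    m = STAGING_RE.match(path)
    if not m:
        return None
    d = m.groupdict()
    parts = d["rest"].split("\\")
    d["source"] = parts[0]      # Firefox, Desktop, Documents, Downloads, Pictures
    d["file"] = parts[-1]
    return d


def summarize(paths):
    """Return {tag: {"<module>\\<source>": [file, ...]}} for every recognised path."""
    summary = defaultdict(lambda: defaultdict(list))
    for p in paths:
        d = parse_dropped(p)
        if d:
            summary[d["tag"]][d["module"] + "\\" + d["source"]].append(d["file"])
    return {tag: dict(groups) for tag, groups in summary.items()}


def grabbed_extensions(paths):
    """Sorted set of extensions the FileGrabber module collected."""
    exts = set()
    for p in paths:
        d = parse_dropped(p)
        if d and d["module"] == "FileGrabber" and "." in d["file"]:
            exts.add(d["file"].rsplit(".", 1)[-1].lower())
    return sorted(exts)


def matches_hunt(path):
    """True if a file path fits the StormKitty staging layout observed in this report."""
    return HUNT_RE.search(path) is not None


if __name__ == "__main__":
    for tag, groups in summarize(DROPPED).items():
        print(tag)
        for group, files in groups.items():
            print("  ", group, len(files), "file(s)")
    print("grabbed:", grabbed_extensions(DROPPED))
```

The extension list is the useful output for scoping: it shows the grabber pulling office documents, an SQL dump, an image and an SVG from every user folder, which is what makes the Collection mapping (T1005, Data from Local System) concrete. The hunt regex keys on the directory shape rather than on the IZKCKOTP tag, since the tag is expected to differ per run.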