Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-04-2024 19:53
Behavioral task: behavioral1
- Sample: Client.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: Client.exe
- Resource: win10v2004-20240419-en
General
- Target: Client.exe
- Size: 320KB
- MD5: ce8f79dccd060e39d1190c7bf8410022
- SHA1: 2818e61500ce5d04734d0748b6a6692a252094cd
- SHA256: 2977e0b05594746088bff548f75d614c92c1f0ba9ecc321f5350388271deec4c
- SHA512: 3ae28874016865ae1de333706e714f6f5b97aee5fd212cdd3cb93b199c47b73f6e25e174de0c3dd8554dd7b5d89ad4c362cb2be64200ed96c6ba13263cd1b2a5
- SSDEEP: 6144:bv/Q1Q5Ng68j/svKZIYrFUygWK0tWrcBOvm:bv/Q6P8j/svKPtZB
Malware Config
Signatures

- StormKitty
  StormKitty is an open source info stealer written in C#.

- StormKitty payload (2 IoCs)
  Resource / YARA rule:
  - behavioral1/memory/2212-0-0x0000000000BE0000-0x0000000000C36000-memory.dmp: family_stormkitty
  - behavioral1/memory/2212-2-0x0000000005120000-0x0000000005160000-memory.dmp: family_stormkitty

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: Client.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Drops desktop.ini file(s) (5 IoCs)
  Process: Client.exe
  - File created: C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Pictures\desktop.ini
  - File created: C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\desktop.ini
  - File opened for modification: C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\desktop.ini
  - File created: C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Documents\desktop.ini
  - File created: C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\desktop.ini

- Looks up external IP address via web service (7 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow / IoC:
  - flow 20: ip-api.com
  - flow 22: api.ipify.org
  - flow 23: api.ipify.org
  - flow 4: freegeoip.app
  - flow 7: freegeoip.app
  - flow 18: api.ipify.org
  - flow 19: api.ipify.org

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: Client.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Process: pid 2212 Client.exe (listed once per IoC, 6 times)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: pid 2212 Client.exe
  - Token: SeDebugPrivilege

- outlook_office_path (1 IoC)
  Process: Client.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- outlook_win_path (1 IoC)
  Process: Client.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  Signatures:
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Users\Admin\AppData\Roaming\IZKCKOTP\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

- C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\RegisterDisable.docx
  Filesize: 309KB
  MD5: 29cf334cabb5f105c0d4abeac4507b61
  SHA1: cf46f9e572436e6e59db8b3deb03f488a0bb0648
  SHA256: b7e37e718395f43486bf33ef945f1e83549fa0cc5df7705dbed43fc10f073e55
  SHA512: b068921abd2e04cc3f38b57f556232b8534d1cd635cb5e9ba87b47bd385a40d23a5e34034410b5d8ee0b79209020dde1607c82f040b6c03bd876ebe14933aaf9

- C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\RepairWait.docx
  Filesize: 236KB
  MD5: 9840b8f362f66b4c9eddcdd642223383
  SHA1: 2ac2f8389bbd3ec2857b985fece8ebb6991ee42e
  SHA256: f44d3ec573dedb4da4c44664f99435b5ff9d0c0dc5a5f716f55cee215d0c01f9
  SHA512: b53522ef02bbac5817d6f9f010a653ea19bf6a96d6da8e3b9ae704dca4ef740241697014a0ef6d8ca560a2e8e13682133ac0067841336e081a7a0759c66781b1

- C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Desktop\SkipUndo.xls
  Filesize: 272KB
  MD5: 476f0b542a2bc62381aab59c1a4edf82
  SHA1: 2f8138347e4af234e329332ef8b3fc8e5531b21b
  SHA256: 02b3575871061734d6b8c61f69ad35423e1150fc4e8a4eed588e32f04e5a67cb
  SHA512: 477eb5c96fafbfc535d1489c019b1444e4ef704603cfa34acd3e7cbd8d25e679ae88cf4de4882df6c69b8eabfd577a62ddae8ee630b012e256ff914ab7ee236a

- C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Documents\StepUninstall.rtf
  Filesize: 2.8MB
  MD5: 47ed7393f4d0e04983474eeac905c4a5
  SHA1: 09881e90a4636b18e917e3176a8c2ac2aad45212
  SHA256: f6e4c21006a2b3fdd5c14b2a3e0fd6390d4481bad7a24d5bed5aea1cd00d6207
  SHA512: 03375de8d9c915015f04e0a673c82f7097912f8d169e7240f3bd561de27db63c32fc4e7da21b2012f44fac114393b2c92cdf759b7617fa89dbb05e45cfe2a5af

- C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\ImportDismount.svg
  Filesize: 268KB
  MD5: a04cdb0c3f9de5a30e64a10522acd98e
  SHA1: caba55395fed4baa76c3edae5ba342096096f276
  SHA256: 455147fff36279df31f9e8397a74a6e8fe22446411690e9875006a68bd6f6c64
  SHA512: c9288401029588cf3a007e27b98c4d6b376ed805b643abacf13f63846714be02c4b593fda51f4414582455b9d993e489d7d29c10cdf5afc8f7682e520bb07804

- C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\InstallRepair.sql
  Filesize: 280KB
  MD5: b1c27499ccf7b1f24461bb43a67a90d3
  SHA1: 776c274e38d00e507faf543cbf7f474f81e15abe
  SHA256: 4357c7e84ae174883b9e4c891559850c5f50e51e45a3c82afa4969b027e10ce6
  SHA512: 98840ec2248e53ef0dfab7df4bed36448ec5a38f0779eeb8ed4a53a6d28ed838395ef06c2c6215240c1247978d648b250807ea0e56442cc5f2dd58af5fb3252c

- C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\InvokeRepair.xlsx
  Filesize: 497KB
  MD5: 7f31a5545b2aae8d9f14972261cf6320
  SHA1: 90626d9850fe8f8d33ecdba2eb74cb3acdebd4b4
  SHA256: 0ce6de551926ceab3912ca06df8ddce9de2120631c34f0af10f5c644a5e3f46c
  SHA512: febf36c131c4af4f67799b4bdb284c2990311224275dcef43ae903097a952a702116b1d0c85fd064c40108b1d68b4da3162f47c3f8a16971d7b9e32398c97279

- C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Downloads\OpenRepair.docx
  Filesize: 421KB
  MD5: 05c7541a2798121f303a7815e06dcec3
  SHA1: 01488c70247a35835f67dd6405796e84d1fd0c00
  SHA256: 23c115a65cc3dbaa7673f32afc38e4ebd190195c64317011adf7cae0b8105efa
  SHA512: dc34fe7ac09a4c5f4e4938b0203b6c3a60037ed91c97e3795dff30b41ae3ff4fe785e8651d5dc5d4a2a94a7ac11671993078c496a50e691a9a1f3364618ce8f5

- C:\Users\Admin\AppData\Roaming\IZKCKOTP\FileGrabber\Pictures\DenyMount.png
  Filesize: 1.0MB
  MD5: 97a922a1658950903eead6955c314cc7
  SHA1: ea1caecabd131a1d9b17ee1bc1addfbe04e40a48
  SHA256: a4f840bf3b13d5271e1d54943b500a6564a366ac8bd73ff9e1973699a3ce9a78
  SHA512: a02ba7a9d21f6d18bac4e9886bcb47285723c39d85db9b41f5fd21bd64fa00e4cccab482c5961372fb2bc94da8b59152c0bbf1b3a9cf322f710efd79872d956c

- memory/2212-2-0x0000000005120000-0x0000000005160000-memory.dmp
  Filesize: 256KB

- memory/2212-1-0x00000000745D0000-0x0000000074CBE000-memory.dmp
  Filesize: 6.9MB

- memory/2212-0-0x0000000000BE0000-0x0000000000C36000-memory.dmp
  Filesize: 344KB

- memory/2212-164-0x00000000745D0000-0x0000000074CBE000-memory.dmp
  Filesize: 6.9MB

- memory/2212-190-0x00000000745D0000-0x0000000074CBE000-memory.dmp
  Filesize: 6.9MB