Analysis
- max time kernel: 55s
- max time network: 50s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-04-2024 19:53
Behavioral tasks
- behavioral1: sample Client.exe, resource win7-20240221-en
- behavioral2: sample Client.exe, resource win10v2004-20240419-en (the run reported below)
General
- Target: Client.exe
- Size: 320KB
- MD5: ce8f79dccd060e39d1190c7bf8410022
- SHA1: 2818e61500ce5d04734d0748b6a6692a252094cd
- SHA256: 2977e0b05594746088bff548f75d614c92c1f0ba9ecc321f5350388271deec4c
- SHA512: 3ae28874016865ae1de333706e714f6f5b97aee5fd212cdd3cb93b199c47b73f6e25e174de0c3dd8554dd7b5d89ad4c362cb2be64200ed96c6ba13263cd1b2a5
- SSDEEP: 6144:bv/Q1Q5Ng68j/svKZIYrFUygWK0tWrcBOvm:bv/Q6P8j/svKPtZB
Malware Config
Signatures
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoC)
  yara_rule family_stormkitty matched resource behavioral2/memory/660-0-0x00000000009F0000-0x0000000000A46000-memory.dmp
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  process Client.exe:
  Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) (4 IoCs)
  process Client.exe (the desktop.ini files are consistent with whole user folders being copied into the FileGrabber staging directory under %APPDATA%\PYDWGGUE):
  File created C:\Users\Admin\AppData\Roaming\PYDWGGUE\FileGrabber\Documents\desktop.ini
  File created C:\Users\Admin\AppData\Roaming\PYDWGGUE\FileGrabber\Downloads\desktop.ini
  File created C:\Users\Admin\AppData\Roaming\PYDWGGUE\FileGrabber\Pictures\desktop.ini
  File created C:\Users\Admin\AppData\Roaming\PYDWGGUE\FileGrabber\Desktop\desktop.ini
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 2: freegeoip.app
  flow 9: api.ipify.org
- Drops file in System32 directory (11 IoCs)
  process svchost.exe (the DsSvc service host in the process tree, not Client.exe; these are the Data Sharing Service's own database files and should not be attributed to the sample). All paths are under C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\:
  File created DSStmp.log
  File created DSS.chk
  File opened for modification DSTokenDB2.dat
  File created DSTokenDB2.dat
  File opened for modification DSS.chk
  File opened for modification DSS.log
  File opened for modification DSS.jtx
  File created DSSres00001.jrs
  File created DSSres00002.jrs
  File created DSTokenDB2.jfm
  File opened for modification DSS.jcp
- Program crash (1 IoC)
  WerFault.exe (pid 1140) reported a crash of target process Client.exe (pid 660)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  process Client.exe:
  Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Modifies registry class (1 IoC)
  process mspaint.exe (not the sample):
  Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid 660 Client.exe (24 entries)
  pid 4008 mspaint.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 660 Client.exe: Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 4008 mspaint.exe
  pid 2304 OpenWith.exe
- outlook_office_path (1 IoC)
  process Client.exe: Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  process Client.exe: Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
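The host-side signatures above reduce to a handful of path patterns. The following is an added example, not code from the sandbox or from StormKitty, that re-implements those matches as regexes so they can be run over your own registry, file and DNS telemetry, and groups hits per process so that one weak indicator (a CPU identifier read, which plenty of legitimate software does) is kept apart from a process that accumulates several. The event records are constructed to mirror the report's own ioc rows; the field names (pid, image, type, op, target), the svchost.exe pid, the Uninstall-key row and the acceptance of any staging directory name in place of PYDWGGUE are assumptions.

```python
"""Regex re-implementation of the report's host signatures (added example)."""
import re
from collections import defaultdict

# Outlook profile store: Office 15.0/16.0 hives and the Windows Messaging Subsystem hive.
# 9375CFF0413111d3B88A00104B2A6676 is the profile subkey shown in the report.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\(?:Software\\Microsoft\\Office\\1[56]\.0\\Outlook"
    r"|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem)"
    r"\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676",
    re.IGNORECASE,
)
# CPU identifier read used for sandbox/VM fingerprinting. Only the value query is
# matched; a bare open of CentralProcessor\0 is far too common to alert on.
CPU_ID_RE = re.compile(
    r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\Identifier$", re.IGNORECASE
)
# Software inventory via the Uninstall key (the report names the technique, not the row).
UNINSTALL_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(?:\\|$)", re.IGNORECASE)
# FileGrabber staging tree. The report shows one directory name (PYDWGGUE); accepting
# any name under Roaming is an assumption.
FILEGRABBER_RE = re.compile(
    r"\\AppData\\Roaming\\[^\\]+\\FileGrabber\\(?:Documents|Downloads|Pictures|Desktop)\\desktop\.ini$",
    re.IGNORECASE,
)
# External-IP lookup services seen in the report's network flows.
IP_LOOKUP_DOMAINS = {"freegeoip.app", "api.ipify.org"}


def match_event(ev):
    """Return the report signature names a single event matches (possibly none)."""
    hits = []
    target = ev["target"]
    if ev["type"] == "registry":
        if OUTLOOK_PROFILE_RE.search(target):
            hits.append("Accesses Microsoft Outlook profiles")
        if ev["op"] == "Key value queried" and CPU_ID_RE.search(target):
            hits.append("Checks processor information in registry")
        if UNINSTALL_RE.search(target):
            hits.append("Checks installed software on the system")
    elif ev["type"] == "file" and ev["op"] == "File created":
        if FILEGRABBER_RE.search(target):
            hits.append("Drops desktop.ini file(s)")
    elif ev["type"] == "dns":
        if target.lower().rstrip(".") in IP_LOOKUP_DOMAINS:
            hits.append("Looks up external IP address via web service")
    return hits


def triage(events):
    """Group matched signatures per (pid, image), sorted, so a process that stacks
    several stealer behaviours stands out from one-off benign matches."""
    per_proc = defaultdict(set)
    for ev in events:
        for name in match_event(ev):
            per_proc[(ev["pid"], ev["image"])].add(name)
    return {proc: sorted(names) for proc, names in per_proc.items()}


USER_HIVE = r"\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000"  # SID from the report
STAGING = r"C:\Users\Admin\AppData\Roaming\PYDWGGUE\FileGrabber"

# Constructed events mirroring the report's ioc rows (svchost pid and Uninstall row assumed).
SAMPLE_EVENTS = [
    {"pid": 660, "image": "Client.exe", "type": "registry", "op": "Key opened",
     "target": USER_HIVE + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 660, "image": "Client.exe", "type": "registry", "op": "Key opened",
     "target": USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 660, "image": "Client.exe", "type": "registry", "op": "Key opened",
     "target": r"\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0"},
    {"pid": 660, "image": "Client.exe", "type": "registry", "op": "Key value queried",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"},
    {"pid": 660, "image": "Client.exe", "type": "registry", "op": "Key opened",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"pid": 660, "image": "Client.exe", "type": "file", "op": "File created",
     "target": STAGING + r"\Documents\desktop.ini"},
    {"pid": 660, "image": "Client.exe", "type": "file", "op": "File created",
     "target": STAGING + r"\Pictures\desktop.ini"},
    {"pid": 660, "image": "Client.exe", "type": "dns", "op": "query", "target": "api.ipify.org"},
    {"pid": 660, "image": "Client.exe", "type": "dns", "op": "query", "target": "freegeoip.app"},
    # Benign noise from the same run: DsSvc database files and an mspaint.exe class key.
    {"pid": 1234, "image": "svchost.exe", "type": "file", "op": "File created",
     "target": r"C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk"},
    {"pid": 4008, "image": "mspaint.exe", "type": "registry", "op": "Key created",
     "target": USER_HIVE + r"_Classes\Local Settings"},
]

if __name__ == "__main__":
    for proc, names in triage(SAMPLE_EVENTS).items():
        print(proc, names)
```

Only Client.exe (pid 660) accumulates hits; the svchost.exe and mspaint.exe rows, which the report also lists under its signature headings, produce none, which is the point of scoring per process rather than per event.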
Processes
- C:\Users\Admin\AppData\Local\Temp\Client.exe (pid 660)
  command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  signatures: Accesses Microsoft Outlook profiles; Drops desktop.ini file(s); Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe (pid 1140, child of Client.exe)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 1204
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 660 -ip 660
- C:\Windows\system32\mspaint.exe (pid 4008)
  command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InitializeNew.png" /ForceBootstrapPaint3D
  signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  signatures: Drops file in System32 directory
- C:\Windows\system32\OpenWith.exe (pid 2304)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  signatures: Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\PYDWGGUE\Process.txt (stealer output written to the same %APPDATA%\PYDWGGUE staging directory as the FileGrabber tree)
  Filesize: 4KB
  MD5: fd81a473e0682a3f6d16613c710bd48f
  SHA1: a133204dd2a0f81afb10c79c96183600d0aff03c
  SHA256: 5ba227a8e00023a1f711680437082a67d4a078bf1d8973e6e0200763fa072d42
  SHA512: 144300702bf2a7ef17a3f22efbf63cca8e62ef85738f61317352eca4f4728f79987e32d64b85461928f2f0c25561b0edfaf4b32aadca7f8b57c4c3f1881558ff
- memory/660-121-0x00000000052B0000-0x00000000052C0000-memory.dmp: 64KB
- memory/660-35-0x0000000006960000-0x00000000069C6000-memory.dmp: 408KB
- memory/660-156-0x0000000074800000-0x0000000074FB0000-memory.dmp: 7.7MB
- memory/660-33-0x0000000006AF0000-0x0000000007094000-memory.dmp: 5.6MB
- memory/660-0-0x00000000009F0000-0x0000000000A46000-memory.dmp: 344KB
- memory/660-1-0x0000000074800000-0x0000000074FB0000-memory.dmp: 7.7MB
- memory/660-120-0x0000000074800000-0x0000000074FB0000-memory.dmp: 7.7MB
- memory/660-2-0x00000000052B0000-0x00000000052C0000-memory.dmp: 64KB
- memory/660-32-0x00000000064A0000-0x0000000006532000-memory.dmp: 584KB
- memory/4388-168-0x000002482BF40000-0x000002482BF41000-memory.dmp: 4KB
- memory/4388-161-0x0000024823C60000-0x0000024823C70000-memory.dmp: 64KB
- memory/4388-170-0x000002482BFC0000-0x000002482BFC1000-memory.dmp: 4KB
- memory/4388-172-0x000002482BFC0000-0x000002482BFC1000-memory.dmp: 4KB
- memory/4388-173-0x000002482C050000-0x000002482C051000-memory.dmp: 4KB
- memory/4388-174-0x000002482C050000-0x000002482C051000-memory.dmp: 4KB
- memory/4388-175-0x000002482C060000-0x000002482C061000-memory.dmp: 4KB
- memory/4388-176-0x000002482C060000-0x000002482C061000-memory.dmp: 4KB