Analysis Overview
SHA256
3d629bec9197f53962123b063c1e77eec7f9a7360bd25aff32e3e36b8a49790d
Threat Level: Known bad
The file NETFLIX CHECKER 2024.rar was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
StormKitty payload
AsyncRat
StormKitty
Stormkitty family
Async RAT payload
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Looks up geolocation information via web service
Drops desktop.ini file(s)
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Detects Pyinstaller
Enumerates physical storage devices
Runs net.exe
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Analysis: static1
Detonation Overview
Reported
2024-06-20 20:04
Signatures
Async RAT payload
Asyncrat family
StormKitty payload
Stormkitty family
Detects Pyinstaller
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 20:04
Reported
2024-06-20 20:06
Platform
win10-20240404-en
Max time kernel
22s
Max time network
19s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Note on this signature: netsh.exe opens HKLM\SOFTWARE\Microsoft\NetSh at start-up to find the helper DLLs it loads, and every row above is a read (opened, queried, enumerated) performed by the netsh wlan commands in the process list below. No value under that key is created or changed, so there is no helper-DLL registration (T1546.007) in this run; the signature fires on the lookup, not on persistence.
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe
"C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 241.185.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| US | 8.8.8.8:53 | google.com | udp |
Note: the connection to 127.0.0.1:8808 (and to 127.0.0.1:7707 in behavioral4) matches AsyncRAT's builder defaults, host 127.0.0.1 with ports 6606, 7707 and 8808, so the RAT component was left with an unconfigured C2 and produces no outbound beacon here. The stealer traffic is the rest of the table: icanhazip.com (public IP), api.mylnikov.org (Wi-Fi BSSID geolocation) and api.telegram.org (reporting over the Telegram Bot API).
Files
memory/4228-0-0x0000000073E4E000-0x0000000073E4F000-memory.dmp
memory/4228-1-0x0000000000B30000-0x0000000000B70000-memory.dmp
memory/4228-2-0x00000000053B0000-0x0000000005416000-memory.dmp
memory/4228-3-0x0000000073E40000-0x000000007452E000-memory.dmp
memory/4228-4-0x00000000060A0000-0x000000000659E000-memory.dmp
memory/4228-5-0x0000000005C40000-0x0000000005CD2000-memory.dmp
C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\System\Process.txt
| MD5 | 64704f321f1a411937c7c1c8aa3a9967 |
| SHA1 | 88b0d52b0978cd9fc05466b315a4fcef550e7766 |
| SHA256 | b0438117c19c38988b6ad7f4497c4cf36a016bbc5d02025aaa5e6bbecfe6bc18 |
| SHA512 | 3f220dec8fc79d7dd963296dbca1260eda842b8dba2a7a24755b17d54d1e60e890f0017bc4173bd822941a2bd636d994e56fe7c054160a13b086ad29c02fc1e8 |
memory/4228-121-0x0000000073E40000-0x000000007452E000-memory.dmp
memory/4228-125-0x0000000006080000-0x000000000608A000-memory.dmp
C:\Users\Admin\AppData\Local\fc0fc587d9be559b26d1a0354bfed02a\msgid.dat
| MD5 | d04863f100d59b3eb688a11f95b0ae60 |
| SHA1 | 161b3433de41cf002e6ec4360a6393793ee80ff1 |
| SHA256 | 858a794b9a1df6e2fa1e6258cafa1f3df7f31ff877c887107e245163fa52fbdc |
| SHA512 | e698cbd129061b1b01844ce5901069af1eb849450f470a6075ab7406d8ca689a328696ebc6e090f8c7db465f27579030ee280ac518ef344af097a764d83b8813 |
memory/4228-131-0x0000000007000000-0x0000000007012000-memory.dmp
memory/4228-155-0x0000000007BF0000-0x0000000007BFA000-memory.dmp
memory/4228-156-0x0000000073E4E000-0x0000000073E4F000-memory.dmp
memory/4228-157-0x0000000073E40000-0x000000007452E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 20:04
Reported
2024-06-20 20:06
Platform
win10-20240404-en
Max time kernel
16s
Max time network
18s
Command Line
Signatures
Loads dropped DLL
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Runs net.exe
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4740 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe |
| PID 4740 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe |
| PID 2976 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe | C:\Windows\system32\cmd.exe |
| PID 2976 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe | C:\Windows\system32\cmd.exe |
| PID 564 wrote to memory of 32 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe |
| PID 564 wrote to memory of 32 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe |
| PID 32 wrote to memory of 2792 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe |
| PID 32 wrote to memory of 2792 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe
"C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe"
C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe
"C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user %username% @virusbug1
C:\Windows\system32\net.exe
net user Admin @virusbug1
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Admin @virusbug1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI47402\python312.dll
| MD5 | 550288a078dffc3430c08da888e70810 |
| SHA1 | 01b1d31f37fb3fd81d893cc5e4a258e976f5884f |
| SHA256 | 789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d |
| SHA512 | 7244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723 |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\base_library.zip
| MD5 | 630153ac2b37b16b8c5b0dbb69a3b9d6 |
| SHA1 | f901cd701fe081489b45d18157b4a15c83943d9d |
| SHA256 | ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2 |
| SHA512 | 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41 |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\_ctypes.pyd
| MD5 | 2a834c3738742d45c0a06d40221cc588 |
| SHA1 | 606705a593631d6767467fb38f9300d7cd04ab3e |
| SHA256 | f20dfa748b878751ea1c4fe77a230d65212720652b99c4e5577bce461bbd9089 |
| SHA512 | 924235a506ce4d635fa7c2b34e5d8e77eff73f963e58e29c6ef89db157bf7bab587678bb2120d09da70594926d82d87dbaa5d247e861e331cf591d45ea19a117 |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\libcrypto-3.dll
| MD5 | e547cf6d296a88f5b1c352c116df7c0c |
| SHA1 | cafa14e0367f7c13ad140fd556f10f320a039783 |
| SHA256 | 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de |
| SHA512 | 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\libssl-3.dll
| MD5 | 19a2aba25456181d5fb572d88ac0e73e |
| SHA1 | 656ca8cdfc9c3a6379536e2027e93408851483db |
| SHA256 | 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006 |
| SHA512 | df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337 |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\pyexpat.pyd
| MD5 | f179c9bdd86a2a218a5bf9f0f1cf6cd9 |
| SHA1 | 4544fb23d56cc76338e7f71f12f58c5fe89d0d76 |
| SHA256 | c42874e2cf034fb5034f0be35f7592b8a96e8903218da42e6650c504a85b37cc |
| SHA512 | 3464ece5c6a0e95ef6136897b70a96c69e552d28bfedd266f13eec840e36ec2286a1fb8973b212317de6fe3e93d7d7cc782eb6fc3d6a2a8f006b34f6443498de |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\_wmi.pyd
| MD5 | c1654ebebfeeda425eade8b77ca96de5 |
| SHA1 | a4a150f1c810077b6e762f689c657227cc4fd257 |
| SHA256 | aa1443a715fbf84a84f39bd89707271fc11a77b597d7324ce86fc5cfa56a63a9 |
| SHA512 | 21705b991e75efd5e59b8431a3b19ae5fcc38a3e7f137a9d52acd24e7f67d61758e48abc1c9c0d4314fa02010a1886c15ead5bca8dca1b1d4ccbfc3c589d342e |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\_ssl.pyd
| MD5 | ddb21bd1acde4264754c49842de7ebc9 |
| SHA1 | 80252d0e35568e68ded68242d76f2a5d7e00001e |
| SHA256 | 72bb15cd8c14ba008a52d23cdcfc851a9a4bde13deee302a5667c8ad60f94a57 |
| SHA512 | 464520ecd1587f5cede6219faac2c903ee41d0e920bf3c9c270a544b040169dcd17a4e27f6826f480d4021077ab39a6cbbd35ebb3d71672ebb412023bc9e182a |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\_socket.pyd
| MD5 | 9c6283cc17f9d86106b706ec4ea77356 |
| SHA1 | af4f2f52ce6122f340e5ea1f021f98b1ffd6d5b6 |
| SHA256 | 5cc62aac52edf87916deb4ebbad9abb58a6a3565b32e7544f672aca305c38027 |
| SHA512 | 11fd6f570dd78f8ff00be645e47472a96daffa3253e8bd29183bccde3f0746f7e436a106e9a68c57cc05b80a112365441d06cc719d51c906703b428a32c93124 |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\_queue.pyd
| MD5 | f3eca4f0b2c6c17ace348e06042981a4 |
| SHA1 | eb694dda8ff2fe4ccae876dc0515a8efec40e20e |
| SHA256 | fb57ee6adf6e7b11451b6920ddd2fb943dcd9561c9eae64fdda27c7ed0bc1b04 |
| SHA512 | 604593460666045ca48f63d4b14fa250f9c4b9e5c7e228cc9202e7692c125aacb0018b89faa562a4197692a9bc3d2382f9e085b305272ee0a39264a2a0f53b75 |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\_lzma.pyd
| MD5 | b71dbe0f137ffbda6c3a89d5bcbf1017 |
| SHA1 | a2e2bdc40fdb83cc625c5b5e8a336ca3f0c29c5f |
| SHA256 | 6216173194b29875e84963cd4dc4752f7ca9493f5b1fd7e4130ca0e411c8ac6a |
| SHA512 | 9a5c7b1e25d8e1b5738f01aedfd468c1837f1ac8dd4a5b1d24ce86dcae0db1c5b20f2ff4280960bc523aee70b71db54fd515047cdaf10d21a8bec3ebd6663358 |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\_hashlib.pyd
| MD5 | b0262bd89a59a3699bfa75c4dcc3ee06 |
| SHA1 | eb658849c646a26572dea7f6bfc042cb62fb49dc |
| SHA256 | 4adfbbd6366d9b55d902fc54d2b42e7c8c989a83016ed707bd7a302fc3fc7b67 |
| SHA512 | 2e4b214de3b306e3a16124af434ff8f5ab832aa3eeb1aa0aa9b49b0ada0928dcbb05c57909292fbe3b01126f4cd3fe0dac9cc15eaea5f3844d6e267865b9f7b1 |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\_decimal.pyd
| MD5 | f930b7550574446a015bc602d59b0948 |
| SHA1 | 4ee6ff8019c6c540525bdd2790fc76385cdd6186 |
| SHA256 | 3b9ad1d2bc9ec03d37da86135853dac73b3fe851b164fe52265564a81eb8c544 |
| SHA512 | 10b864975945d6504433554f9ff11b47218caa00f809c6bce00f9e4089b862190a4219f659697a4ba5e5c21edbe1d8d325950921e09371acc4410469bd9189ee |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\_bz2.pyd
| MD5 | 59d60a559c23202beb622021af29e8a9 |
| SHA1 | a405f23916833f1b882f37bdbba2dd799f93ea32 |
| SHA256 | 706d4a0c26dd454538926cbb2ff6c64257c3d9bd48c956f7cabd6def36ffd13e |
| SHA512 | 2f60e79603cf456b2a14b8254cec75ce8be0a28d55a874d4fb23d92d63bbe781ed823ab0f4d13a23dc60c4df505cbf1dbe1a0a2049b02e4bdec8d374898002b1 |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\unicodedata.pyd
| MD5 | 04f35d7eec1f6b72bab9daf330fd0d6b |
| SHA1 | ecf0c25ba7adf7624109e2720f2b5930cd2dba65 |
| SHA256 | be942308d99cc954931fe6f48ed8cc7a57891ccbe99aae728121bcda1fd929ab |
| SHA512 | 3da405e4c1371f4b265e744229dcc149491a112a2b7ea8e518d5945f8c259cad15583f25592b35ec8a344e43007ae00da9673822635ee734d32664f65c9c8d9b |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\select.pyd
| MD5 | 8a273f518973801f3c63d92ad726ec03 |
| SHA1 | 069fc26b9bd0f6ea3f9b3821ad7c812fd94b021f |
| SHA256 | af358285a7450de6e2e5e7ff074f964d6a257fb41d9eb750146e03c7dda503ca |
| SHA512 | 7fedae0573ecb3946ede7d0b809a98acad3d4c95d6c531a40e51a31bdb035badc9f416d8aaa26463784ff2c5e7a0cc2c793d62b5fdb2b8e9fad357f93d3a65f8 |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\charset_normalizer\md.cp312-win_amd64.pyd
| MD5 | d9e0217a89d9b9d1d778f7e197e0c191 |
| SHA1 | ec692661fcc0b89e0c3bde1773a6168d285b4f0d |
| SHA256 | ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0 |
| SHA512 | 3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\charset_normalizer\md__mypyc.cp312-win_amd64.pyd
| MD5 | bf9a9da1cf3c98346002648c3eae6dcf |
| SHA1 | db16c09fdc1722631a7a9c465bfe173d94eb5d8b |
| SHA256 | 4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637 |
| SHA512 | 7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654 |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\PIL\_imaging.cp312-win_amd64.pyd
| MD5 | 0376776f076cd4f4ac15ec4d813c5470 |
| SHA1 | 381f84735a11ace4673d8be53138e652d4415413 |
| SHA256 | a7ddf4d7cab08676bb88a42059353c5374600901b3ab880e17ee1a0d0150c380 |
| SHA512 | 06d68b9e5daf90d05855bf2c57b6110bfc2f20f4731b023b5aaa39145fd3ab66525d39988b8516731045ad16a89eb0457487dd080aeb347ba24a2e47ece98bbd |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\certifi\cacert.pem
| MD5 | d3e74c9d33719c8ab162baa4ae743b27 |
| SHA1 | ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b |
| SHA256 | 7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92 |
| SHA512 | e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c |
C:\Users\Admin\AppData\Local\Temp\_MEI47402\PIL\_imagingmath.cp312-win_amd64.pyd
| MD5 | 8f67156ce61c7de23e19f9445c8ba504 |
| SHA1 | b9e344fe41b3fc77ce0012930b7ed9af47eb500c |
| SHA256 | 8287a2a551bd99b5d55e18e461fedb3704b74b0fb60f1e0881c792f90a18ce46 |
| SHA512 | f70f24cef7475547f5b29d1ae6db7bd1de6d1aa906e21705e40ed5c18f4f059ce9bb14dfd353776efc08b985881a102dea1948632edccacf76cc72d126651eb0 |
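The _MEI47402 directory above is a PyInstaller onefile extraction, which explains the behavioral2 process rows: the first NETFLIX CHECKER .exe (PID 4740) is the bootloader that unpacks the bundle into %TEMP% and then relaunches its own image as a child (PID 2976) to run the Python code, so "4740 wrote to memory of 2976" is that normal start-up rather than injection into a foreign process. On Windows the bootloader names the directory _MEI<pid><n> with a one-digit attempt counter, which is why _MEI47402 lines up with PID 4740. The triage helper below is an added example, not part of the report or of PyInstaller: it groups drop events by _MEI directory, reads the Python version from python3xx.dll, separates interpreter runtime files from bundled packages (anything in a subdirectory), ties the bundle to the bootloader and its child PID, and annotates packages with capability hints. The drop list is a subset of the paths above plus one unrelated temp file; the capability hints and the first process's parent PID are assumptions.

```python
import re
from collections import defaultdict

# Constructed inputs. DROPPED is a representative subset of the behavioral2 "Files" paths plus
# one unrelated temp file; PROCESSES mirrors the behavioral2 WriteProcessMemory rows
# (ppid 1234 for the first process is made up).
DROPPED = [
    r"C:\Users\Admin\AppData\Local\Temp\_MEI47402\python312.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI47402\VCRUNTIME140.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI47402\base_library.zip",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI47402\_ctypes.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI47402\libssl-3.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI47402\_ssl.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI47402\_wmi.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI47402\charset_normalizer\md.cp312-win_amd64.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI47402\PIL\_imaging.cp312-win_amd64.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI47402\certifi\cacert.pem",
    r"C:\Users\Admin\AppData\Local\Temp\wct1234.tmp",
]
PROCESSES = [
    {"pid": 4740, "ppid": 1234, "image": r"C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe"},
    {"pid": 2976, "ppid": 4740, "image": r"C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe"},
    {"pid": 564, "ppid": 2976, "image": r"C:\Windows\system32\cmd.exe"},
]

MEI_DIR = re.compile(r"[\\/](_MEI(?P<digits>\d+))[\\/](?P<rest>.+)$")
PYDLL = re.compile(r"^python(?P<major>\d)(?P<minor>\d{1,2})\.dll$", re.I)
# What a bundled package suggests about capability. Analyst assumptions, not sandbox output.
PACKAGE_HINTS = {
    "PIL": "Pillow bundled: image handling, usually screenshots",
    "charset_normalizer": "requests dependency bundled: HTTP client present",
    "certifi": "CA bundle bundled: outbound TLS with certificate verification",
}


def triage_pyinstaller(dropped, processes):
    """Group dropped files by _MEI directory and tie each to its bootloader and child PIDs."""
    bundles = defaultdict(lambda: {"pid": None, "attempt": None, "python": None,
                                   "runtime": set(), "packages": set(), "child": None})
    for path in dropped:
        m = MEI_DIR.search(path)
        if not m:
            continue
        b = bundles[m.group(1)]
        digits = m["digits"]
        if len(digits) >= 2:  # Windows bootloader: _MEI<pid><single-digit attempt counter>
            b["pid"], b["attempt"] = int(digits[:-1]), int(digits[-1])
        parts = re.split(r"[\\/]", m["rest"])
        if len(parts) > 1:  # a subdirectory means a package, not the interpreter runtime
            b["packages"].add(parts[0])
            continue
        b["runtime"].add(parts[0])
        v = PYDLL.match(parts[0])
        if v:
            b["python"] = f"{v['major']}.{v['minor']}"
    for b in bundles.values():
        parent = next((p for p in processes if p["pid"] == b["pid"]), None)
        # onefile: the bootloader relaunches its own image; that child runs the Python code
        child = next((p for p in processes
                      if parent and p["ppid"] == parent["pid"] and p["image"] == parent["image"]), None)
        b["child"] = child["pid"] if child else None
        b["hints"] = {pkg: PACKAGE_HINTS.get(pkg, "unrecognised package")
                      for pkg in sorted(b["packages"])}
    return dict(bundles)


if __name__ == "__main__":
    for name, b in triage_pyinstaller(DROPPED, PROCESSES).items():
        print(name, "bootloader pid", b["pid"], "child pid", b["child"], "python", b["python"])
        for pkg, note in b["hints"].items():
            print("  ", pkg, "->", note)
```

The child PID is the one to pull memory from: the bootloader has finished its job once the extraction is on disk, while the child holds the decompressed bytecode of the stealer itself.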
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-20 20:04
Reported
2024-06-20 20:06
Platform
win10-20240404-en
Max time kernel
15s
Max time network
18s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\rdp_via_virusbug1.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Note: nothing on the sandbox image is registered to open .pyc files, so cmd /c on rdp_via_virusbug1.pyc hands the file to the shell, which shows the "Open with" chooser (OpenWith.exe -Embedding) instead of running it. The "Modifies registry class" and "SetWindowsHookEx" signatures above are OpenWith.exe's own activity; the bytecode in rdp_via_virusbug1.pyc was not executed in this analysis, so its behaviour is not covered by this report.
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-20 20:04
Reported
2024-06-20 20:06
Platform
win10-20240404-en
Max time kernel
30s
Max time network
18s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe
"C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 241.184.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | google.com | udp |
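With only DNS and destination visibility, which is what the network tables in behavioral1, behavioral2 and behavioral4 give you, the detectable pattern is the order of lookups: a public-IP service (icanhazip.com or api.ipify.org), optionally the BSSID geolocation service api.mylnikov.org, and then api.telegram.org, all from one process within seconds. The correlation below is an added example, not part of the report or of Triage's signature set. It parses constructed Sysmon Event ID 22-style DNS query lines (UTC time, host, image, query) whose names and spacing follow the WS01 sequence in the behavioral1 table; the host names, the 120-second window and the two benign control processes (a chat client that only talks to api.telegram.org, and a browser whose two lookups are eleven minutes apart) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Services the stealer touches before it reports, and where it reports to (from the tables).
RECON = {"icanhazip.com": "public IP", "api.ipify.org": "public IP",
         "api.mylnikov.org": "Wi-Fi BSSID geolocation"}
EXFIL = {"api.telegram.org": "Telegram Bot API"}
WINDOW = timedelta(seconds=120)  # assumption: how close the lookups must be

# Constructed Sysmon Event ID 22-style lines: <utc time> <host> <image> <query>. The WS01
# sequence follows the behavioral1 network table; WS02 and WS03 are benign controls.
LOG = r"""
2024-06-20T20:04:31Z WS01 C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe icanhazip.com
2024-06-20T20:04:31Z WS01 C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe 241.185.16.104.in-addr.arpa
2024-06-20T20:04:33Z WS01 C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe api.mylnikov.org
2024-06-20T20:04:36Z WS01 C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe api.telegram.org
2024-06-20T20:04:40Z WS01 C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe google.com
2024-06-20T09:58:02Z WS02 C:\Program Files\ChatApp\chat.exe api.telegram.org
2024-06-20T09:59:10Z WS03 C:\Program Files\Google\Chrome\Application\chrome.exe icanhazip.com
2024-06-20T10:10:15Z WS03 C:\Program Files\Google\Chrome\Application\chrome.exe api.telegram.org
"""
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<image>.+?\.exe) (?P<query>\S+)$", re.I)


def parse(log):
    """Turn log lines into events; image paths may contain spaces, so match up to '.exe '."""
    events = []
    for line in log.strip().splitlines():
        m = LINE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "host": m["host"], "image": m["image"], "query": m["query"].lower()})
    return events


def correlate(events, window=WINDOW):
    """Flag a process that queried a recon service and then the exfil host within `window`."""
    by_proc = defaultdict(list)
    for e in events:
        if e["query"].endswith(".arpa"):  # resolver PTR lookups are noise, not behaviour
            continue
        by_proc[(e["host"], e["image"])].append(e)
    findings = []
    for (host, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["query"] not in EXFIL:
                continue
            recon = [x for x in evs[:i] if x["query"] in RECON and e["ts"] - x["ts"] <= window]
            if recon:
                findings.append({"host": host, "image": image, "exfil": e["query"],
                                 "recon": sorted({x["query"] for x in recon}),
                                 "seconds": int((e["ts"] - recon[0]["ts"]).total_seconds())})
                break  # one finding per process is enough
    return findings


if __name__ == "__main__":
    for f in correlate(parse(LOG)):
        print(f)
```

Grouping by (host, image) rather than by host alone is deliberate: on a real endpoint a browser and the stealer can both resolve api.telegram.org in the same minute, and only the process-level sequence separates them. Blocking api.telegram.org at the egress proxy for everything except an allow-listed client is the matching preventive control.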
Files
memory/1680-0-0x000000007387E000-0x000000007387F000-memory.dmp
memory/1680-1-0x0000000000040000-0x0000000000080000-memory.dmp
memory/1680-2-0x0000000004920000-0x0000000004986000-memory.dmp
memory/1680-3-0x0000000073870000-0x0000000073F5E000-memory.dmp
memory/1680-4-0x0000000005450000-0x000000000594E000-memory.dmp
memory/1680-5-0x0000000005030000-0x00000000050C2000-memory.dmp
C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\System\Process.txt
| MD5 | 545f775d19f32a17bd0b17618b218206 |
| SHA1 | 7e7b71036d7e308e96aea0c231ef448b77bba719 |
| SHA256 | fd148a0b604067c3c1e2ff063a1e8a7f459c48ff6ee6222050c6823c12c28d6c |
| SHA512 | 2cd425b35784dacdbe160f97b0c943aeef8b72d557e4181f3583cae6e2b6ebca7611f00ca3b3e557d6c278d428edc4e5e6e1b58cb5a2722d49b415eec74797f9 |
memory/1680-120-0x0000000073870000-0x0000000073F5E000-memory.dmp
memory/1680-124-0x0000000005E90000-0x0000000005E9A000-memory.dmp
C:\Users\Admin\AppData\Local\e996da5f4a06e2f64c84d2ec4c11e3d6\msgid.dat
| MD5 | 1a68e5f4ade56ed1d4bf273e55510750 |
| SHA1 | 2290997cf4140b73fb0faa6eee588bd0aa0403cf |
| SHA256 | 23cd823b961b630ed4052bcb4fde5247f69eb59433c00b541abe8bde8d0bdbeb |
| SHA512 | 1bc04cf1d34fd5e1ebdddd5fa341fd0655331d115dfcc411203125d8a48836f32dc824f7608b00105bb538a4f45b7bd3287a204c0a9f39b10ca423ac436a2680 |
memory/1680-130-0x0000000006500000-0x0000000006512000-memory.dmp
memory/1680-154-0x0000000007120000-0x000000000712A000-memory.dmp
memory/1680-155-0x000000007387E000-0x000000007387F000-memory.dmp
memory/1680-156-0x0000000073870000-0x0000000073F5E000-memory.dmp
memory/1680-157-0x0000000073870000-0x0000000073F5E000-memory.dmp
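The file lists in behavioral1 and behavioral4 show the stealer's staging area rather than dropped files in the usual sense: the Grabber\DRIVE-C tree is a copy of the user's Desktop, Documents, Downloads and Pictures folders, and desktop.ini appears only because it is the sole file those folders hold on the sandbox image. On a real host the same tree contains the victim's documents, which is what makes the "Drops desktop.ini file(s)" signature worth reading carefully. The script below is an added example, not part of the report: it walks %LOCALAPPDATA% for that layout (a 32-hex-character store directory, a <user>@<host>_<locale> folder, Grabber\DRIVE-<letter> and System\ beneath it, and a sibling store holding msgid.dat) and summarises what was staged, so a responder can scope the data loss before the directory is wiped. The sample tree is built in a scratch directory from the paths above; the two decoy entries and the exact hostname and locale pattern in the regex are assumptions.

```python
import os
import re
import tempfile
from collections import defaultdict

# Staging layout seen in this report:
#   <32 hex>\<user>@<host>_<locale>\Grabber\DRIVE-<X>\<copied user files>
#   <32 hex>\<user>@<host>_<locale>\System\Process.txt
#   <32 hex>\msgid.dat
STORE = r"(?P<store>[0-9a-f]{32})"
STAGE = re.compile(STORE + r"[\\/](?P<ident>[^\\/]+@[A-Za-z0-9-]+_[a-z]{2}-[A-Z]{2})[\\/](?P<rest>.+)$")
MSGID = re.compile(STORE + r"[\\/]msgid\.dat$")
GRAB = re.compile(r"^Grabber[\\/]DRIVE-(?P<drive>[A-Z])[\\/](?P<path>.+)$")
SYSTEM = re.compile(r"^System[\\/](?P<name>.+)$")


def hunt(local_appdata):
    """Walk %LOCALAPPDATA% and summarise every stealer store found beneath it."""
    stores = defaultdict(lambda: {"ident": None, "grabbed": set(), "system": set(), "msgid": False})
    for root, _dirs, files in os.walk(local_appdata):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), local_appdata)
            m = MSGID.match(rel)
            if m:
                stores[m["store"]]["msgid"] = True
                continue
            m = STAGE.match(rel)
            if not m:
                continue
            s = stores[m["store"]]
            s["ident"] = m["ident"]
            g = GRAB.match(m["rest"])
            if g:  # record the original location of the copied file on the victim's drive
                s["grabbed"].add(g["drive"] + ":\\" + g["path"].replace("/", "\\"))
                continue
            sysm = SYSTEM.match(m["rest"])
            if sysm:
                s["system"].add(sysm["name"])
    return dict(stores)


# Constructed sample tree: paths copied from the behavioral1 file list, plus two decoys
# (ordinary Explorer data and a 32-hex folder without the stealer layout) that must not match.
SAMPLE_FILES = [
    "6e55a2e1a075edf4f992008365a499a2/Admin@KZOWYSNI_en-US/Grabber/DRIVE-C/Users/Admin/Documents/desktop.ini",
    "6e55a2e1a075edf4f992008365a499a2/Admin@KZOWYSNI_en-US/Grabber/DRIVE-C/Users/Admin/Desktop/desktop.ini",
    "6e55a2e1a075edf4f992008365a499a2/Admin@KZOWYSNI_en-US/Grabber/DRIVE-C/Users/Admin/Downloads/desktop.ini",
    "6e55a2e1a075edf4f992008365a499a2/Admin@KZOWYSNI_en-US/System/Process.txt",
    "fc0fc587d9be559b26d1a0354bfed02a/msgid.dat",
    "Microsoft/Windows/Explorer/thumbcache_32.db",
    "d41d8cd98f00b204e9800998ecf8427e/settings.json",
]


def demo():
    """Materialise SAMPLE_FILES in a scratch directory, hunt it, and return the summary."""
    with tempfile.TemporaryDirectory() as base:
        for rel in SAMPLE_FILES:
            p = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w"):
                pass
        return hunt(base)


if __name__ == "__main__":
    for store, s in demo().items():
        print(store, s["ident"], sorted(s["grabbed"]), sorted(s["system"]), s["msgid"])
```

Run hunt() against the real %LOCALAPPDATA% of an affected profile; the grabbed set is the list of files the victim should assume are in the attacker's hands, and the ident folder name gives the user and host the stealer tagged the upload with.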