Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-07-2024 05:05
Behavioral task: behavioral1
- Sample: 86108d3bcc19fe774cc81b71494d31f9.exe
- Resource: win7-20240705-en

Behavioral task: behavioral2
- Sample: 86108d3bcc19fe774cc81b71494d31f9.exe
- Resource: win10v2004-20240704-en
General
- Target: 86108d3bcc19fe774cc81b71494d31f9.exe
- Size: 320KB
- MD5: 86108d3bcc19fe774cc81b71494d31f9
- SHA1: d936ce0c2f3ddc35f972c3a87fcaeb036412e009
- SHA256: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
- SHA512: 151411bf7603856b39169b40cd7b7c68eff1f3f6ccba27d6767384b390e688287c6823aa3f542eeeded92c0e5b584ed429948b99d3c8e22c2b626fdd6bf849f0
- SSDEEP: 6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvl:Cm/Q6P8j/svm1TXI5tZB
Signatures

- StormKitty
  StormKitty is an open-source info stealer written in C#.

- StormKitty payload (1 IoC)
  Processes:
    resource: behavioral2/memory/3276-1-0x0000000000890000-0x00000000008E6000-memory.dmp
    yara_rule: family_stormkitty

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: 86108d3bcc19fe774cc81b71494d31f9.exe
    Key opened: \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Key opened: \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Key opened: \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Drops desktop.ini file(s) (3 IoCs)
  Processes: 86108d3bcc19fe774cc81b71494d31f9.exe
    File created: C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Desktop\desktop.ini
    File created: C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Downloads\desktop.ini
    File created: C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Pictures\desktop.ini

- Looks up external IP address via web service (5 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow 1: freegeoip.app
    flow 3: freegeoip.app
    flow 35: api.ipify.org
    flow 36: api.ipify.org
    flow 37: ip-api.com

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 86108d3bcc19fe774cc81b71494d31f9.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier

- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes: 86108d3bcc19fe774cc81b71494d31f9.exe (PID 3276), 24 occurrences

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 86108d3bcc19fe774cc81b71494d31f9.exe (PID 3276)
    Token: SeDebugPrivilege

- outlook_office_path (1 IoC)
  Processes: 86108d3bcc19fe774cc81b71494d31f9.exe
    Key opened: \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- outlook_win_path (1 IoC)
  Processes: 86108d3bcc19fe774cc81b71494d31f9.exe
    Key opened: \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe"
  Signatures:
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\KGOEYKGQ\Browsers\Firefox\Bookmarks.txt (105B)
- C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Desktop\CompressApprove.css (341KB)
- C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Desktop\ConnectMount.rtf (243KB)
- C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Desktop\LimitPublish.xls (202KB)
- C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Desktop\OptimizeConvertTo.html (327KB)
- C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Documents\BackupPush.xls (852KB)
- C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Documents\BlockUpdate.doc (691KB)
- C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Downloads\GetEdit.css (217KB)
- C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Downloads\InvokeShow.rtf (493KB)
- C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Downloads\JoinSplit.png (480KB)
- C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Downloads\ResizeHide.pptx (612KB)
- C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Pictures\CloseExit.svg (558KB)
- C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Pictures\MergeSave.png (642KB)
- C:\Users\Admin\AppData\Local\KGOEYKGQ\Process.txt (4KB)