Analysis
- max time kernel: 92s
- max time network: 101s
- platform: windows11-21h2_x64
- resource: win11-20240704-en
- resource tags: arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 07-07-2024 05:18
Behavioral tasks
- behavioral1: sample 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe, resource win10v2004-20240704-en
- behavioral2: sample 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe, resource win11-20240704-en
General
- Target: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- Size: 320KB
- MD5: 86108d3bcc19fe774cc81b71494d31f9
- SHA1: d936ce0c2f3ddc35f972c3a87fcaeb036412e009
- SHA256: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
- SHA512: 151411bf7603856b39169b40cd7b7c68eff1f3f6ccba27d6767384b390e688287c6823aa3f542eeeded92c0e5b584ed429948b99d3c8e22c2b626fdd6bf849f0
- SSDEEP: 6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvl:Cm/Q6P8j/svm1TXI5tZB
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload (1 IoC)
Processes:
- resource: behavioral2/memory/5956-1-0x0000000000280000-0x00000000002D6000-memory.dmp; yara_rule: family_stormkitty
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened: \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened: \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) (5 IoCs)
Processes: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- File created: C:\ProgramData\INJUIINI\FileGrabber\Pictures\Camera Roll\desktop.ini
- File created: C:\ProgramData\INJUIINI\FileGrabber\Desktop\desktop.ini
- File created: C:\ProgramData\INJUIINI\FileGrabber\Downloads\desktop.ini
- File created: C:\ProgramData\INJUIINI\FileGrabber\Pictures\desktop.ini
- File created: C:\ProgramData\INJUIINI\FileGrabber\Pictures\Saved Pictures\desktop.ini
-
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 19: api.ipify.org
- flow 2: freegeoip.app
- flow 2: api.ipify.org
- flow 5: freegeoip.app
- flow 9: ip-api.com
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes:
- pid 5956: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe (24 identical entries)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Token: SeDebugPrivilege; pid 5956; process 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
-
outlook_office_path (1 IoC)
Processes: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path (1 IoC)
Processes: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"
  Signatures triggered:
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\ProgramData\INJUIINI\Browsers\Firefox\Bookmarks.txt
Filesize: 105B
MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\ProgramData\INJUIINI\FileGrabber\Desktop\ConfirmInitialize.ppt
Filesize: 765KB
MD5: bd616c72598cd85d2dbf65ba80a1700f
SHA1: 7e2e448f411782159e9b0e34bedcd96601da280a
SHA256: 6b2fdd3552df16b8e8567226dda7cd498d566202ae56875a443116674601bc0e
SHA512: b5c0164d42f2120ba234a8ac04e8a9259fbb9a903dedd3763a60ba855db9ef99455754527db569bf4a2a743a4701aa42d96feb55e600b040077d3603623705a0
-
C:\ProgramData\INJUIINI\FileGrabber\Desktop\ExpandPop.css
Filesize: 332KB
MD5: 52e3c83b45bbfd4c74c1d6636beef038
SHA1: f795ce5c50a23855bd950d1a67fd3e2fd3e78674
SHA256: 0f49e22e3499ef920abe6401ba9586209a003b1d8f392e323a4c01753fa33fad
SHA512: 58790540d90aae0ccb927230f09c2be68f49eee5724c037a64b5df1fa9ec53b8d45789220cd7585d92423218d0e804ace832594c84643063f2edba9969221086
-
C:\ProgramData\INJUIINI\FileGrabber\Desktop\MergeNew.docx
Filesize: 865KB
MD5: b20babe6b303b35f9f2af30fab3ea7b7
SHA1: b8800a8d585eb7c709515c38eaf9015a468c6196
SHA256: be997c752df66857ea0a3e4f939b61f468bab716a47d9d7e251b3aaad72c88ff
SHA512: a22b305dca3e1ef82890d9c71c3a1c72ec18818076ae9c642b411201806ec00db39e66978dd8087c6426dc584eab09f10d657014d6f61d65f829b425bd087bee
-
C:\ProgramData\INJUIINI\FileGrabber\Documents\AddUnprotect.xls
Filesize: 1.4MB
MD5: 98d7cfce856060ec188cf0461339149f
SHA1: 39c01cd2fd4d094d0f537b2761860a2d2d5d21d5
SHA256: bccfd2eb5f02937aed250b281332d4cc36a84501db14f88a0e162d2c4029163c
SHA512: b5eab5c324ac58f1da7a2633038d187085180f99445d4193b0d52a0737c395b6f91d6211c7f1110fa2dabdf03c7856fcb534253627ee8e5576a29590de67348c
-
C:\ProgramData\INJUIINI\FileGrabber\Downloads\EnableUnregister.rtf
Filesize: 286KB
MD5: 4a5410a9ad0d5263dac7002735adb2d6
SHA1: f32f98dbf5c74972281843448e753af97cb1df1e
SHA256: f94ae53e9cd44c0bdd9d10fda86baf28d2f1cee1bb4f9ba23209b1a68a558db0
SHA512: f008d350ea8e8a402fe2b7625cda4ce1daec87ca060328f4379af47fb2e5353e0d5ceaec61ff14cafaee640426b18912f1e3652ca2f020e3b842b41b314e983c
-
C:\ProgramData\INJUIINI\FileGrabber\Downloads\SplitBlock.pptx
Filesize: 505KB
MD5: 0fc9e6ef65cd7aead3a0cef8cfba60d1
SHA1: 541ef79a4e70a7185adb79da4e63e548b81e7f2d
SHA256: 2d1fc6704282755257d74317233aa463a9b7e1270fd7abc0dec0e0d6c747f7c6
SHA512: 894b29b4e708c642bdd43e57f97715da9c07be353087040670bae701c9276bf9bf0d9c8181c69ce1e1d26e8c496f72067bbd55cb233dc5460a6e1268e936ae0e
-
C:\ProgramData\INJUIINI\FileGrabber\Pictures\UnprotectSave.bmp
Filesize: 626KB
MD5: 8f50713d9d13e92d0566fde0dbb627b3
SHA1: 1f2f29fe77ba369cb0c800d505b07ec68c495804
SHA256: 9c3fd1df77f897e9446d7f7491d5da27f48f653865d34d2a70e5858a04f2a2b0
SHA512: dff47f1803bb5a0ede51ebdb8697995dcfa23284639dc81a9c974b336f5576e64e7342b7242c59ebc76f08e0c4cedae3b147f91d217995f05fb08a2efb7fcb57
-
C:\ProgramData\INJUIINI\Process.txt
Filesize: 4KB
MD5: cd344d314260993be7310632e7906f7e
SHA1: a61a1b824be45fb4c2071cadfbd1312227094cd2
SHA256: 1dfc20d5c09ac1129860c5c3080f6c17f2e06aa8dcab9eb826c2122efa063918
SHA512: 33d450e147fd1b51c5eb084842b27173d7d2ea84fdd4424930664bfc7918ce70b8296e001c982701d9b5b593be9a932c0d67a88896181aa8a33eca4bc3ffac34
-
memory/5956-35-0x00000000064A0000-0x0000000006506000-memory.dmp
Filesize: 408KB
-
memory/5956-30-0x00000000066E0000-0x0000000006C86000-memory.dmp
Filesize: 5.6MB
-
memory/5956-24-0x0000000006090000-0x0000000006122000-memory.dmp
Filesize: 584KB
-
memory/5956-2-0x0000000074650000-0x0000000074E01000-memory.dmp
Filesize: 7.7MB
-
memory/5956-1-0x0000000000280000-0x00000000002D6000-memory.dmp
Filesize: 344KB
-
memory/5956-0-0x000000007465E000-0x000000007465F000-memory.dmp
Filesize: 4KB
-
memory/5956-222-0x000000007465E000-0x000000007465F000-memory.dmp
Filesize: 4KB
-
memory/5956-223-0x0000000074650000-0x0000000074E01000-memory.dmp
Filesize: 7.7MB
-
memory/5956-247-0x0000000074650000-0x0000000074E01000-memory.dmp
Filesize: 7.7MB