Analysis

  • max time kernel
    92s
  • max time network
    101s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    07-07-2024 05:18

General

  • Target

    9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe

  • Size

    320KB

  • MD5

    86108d3bcc19fe774cc81b71494d31f9

  • SHA1

    d936ce0c2f3ddc35f972c3a87fcaeb036412e009

  • SHA256

    9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b

  • SHA512

    151411bf7603856b39169b40cd7b7c68eff1f3f6ccba27d6767384b390e688287c6823aa3f542eeeded92c0e5b584ed429948b99d3c8e22c2b626fdd6bf849f0

  • SSDEEP

    6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvl:Cm/Q6P8j/svm1TXI5tZB

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 5 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
    "C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"
    • Accesses Microsoft Outlook profiles
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:5956

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    • T1552 Unsecured Credentials (2)
    • T1552.001 Credentials In Files (2)
  • Discovery
    • T1012 Query Registry (2)
    • T1082 System Information Discovery (1)
  • Collection
    • T1005 Data from Local System (2)
    • T1114 Email Collection (1)

Downloads

  • C:\ProgramData\INJUIINI\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\ProgramData\INJUIINI\FileGrabber\Desktop\ConfirmInitialize.ppt
    Filesize

    765KB

    MD5

    bd616c72598cd85d2dbf65ba80a1700f

    SHA1

    7e2e448f411782159e9b0e34bedcd96601da280a

    SHA256

    6b2fdd3552df16b8e8567226dda7cd498d566202ae56875a443116674601bc0e

    SHA512

    b5c0164d42f2120ba234a8ac04e8a9259fbb9a903dedd3763a60ba855db9ef99455754527db569bf4a2a743a4701aa42d96feb55e600b040077d3603623705a0

  • C:\ProgramData\INJUIINI\FileGrabber\Desktop\ExpandPop.css
    Filesize

    332KB

    MD5

    52e3c83b45bbfd4c74c1d6636beef038

    SHA1

    f795ce5c50a23855bd950d1a67fd3e2fd3e78674

    SHA256

    0f49e22e3499ef920abe6401ba9586209a003b1d8f392e323a4c01753fa33fad

    SHA512

    58790540d90aae0ccb927230f09c2be68f49eee5724c037a64b5df1fa9ec53b8d45789220cd7585d92423218d0e804ace832594c84643063f2edba9969221086

  • C:\ProgramData\INJUIINI\FileGrabber\Desktop\MergeNew.docx
    Filesize

    865KB

    MD5

    b20babe6b303b35f9f2af30fab3ea7b7

    SHA1

    b8800a8d585eb7c709515c38eaf9015a468c6196

    SHA256

    be997c752df66857ea0a3e4f939b61f468bab716a47d9d7e251b3aaad72c88ff

    SHA512

    a22b305dca3e1ef82890d9c71c3a1c72ec18818076ae9c642b411201806ec00db39e66978dd8087c6426dc584eab09f10d657014d6f61d65f829b425bd087bee

  • C:\ProgramData\INJUIINI\FileGrabber\Documents\AddUnprotect.xls
    Filesize

    1.4MB

    MD5

    98d7cfce856060ec188cf0461339149f

    SHA1

    39c01cd2fd4d094d0f537b2761860a2d2d5d21d5

    SHA256

    bccfd2eb5f02937aed250b281332d4cc36a84501db14f88a0e162d2c4029163c

    SHA512

    b5eab5c324ac58f1da7a2633038d187085180f99445d4193b0d52a0737c395b6f91d6211c7f1110fa2dabdf03c7856fcb534253627ee8e5576a29590de67348c

  • C:\ProgramData\INJUIINI\FileGrabber\Downloads\EnableUnregister.rtf
    Filesize

    286KB

    MD5

    4a5410a9ad0d5263dac7002735adb2d6

    SHA1

    f32f98dbf5c74972281843448e753af97cb1df1e

    SHA256

    f94ae53e9cd44c0bdd9d10fda86baf28d2f1cee1bb4f9ba23209b1a68a558db0

    SHA512

    f008d350ea8e8a402fe2b7625cda4ce1daec87ca060328f4379af47fb2e5353e0d5ceaec61ff14cafaee640426b18912f1e3652ca2f020e3b842b41b314e983c

  • C:\ProgramData\INJUIINI\FileGrabber\Downloads\SplitBlock.pptx
    Filesize

    505KB

    MD5

    0fc9e6ef65cd7aead3a0cef8cfba60d1

    SHA1

    541ef79a4e70a7185adb79da4e63e548b81e7f2d

    SHA256

    2d1fc6704282755257d74317233aa463a9b7e1270fd7abc0dec0e0d6c747f7c6

    SHA512

    894b29b4e708c642bdd43e57f97715da9c07be353087040670bae701c9276bf9bf0d9c8181c69ce1e1d26e8c496f72067bbd55cb233dc5460a6e1268e936ae0e

  • C:\ProgramData\INJUIINI\FileGrabber\Pictures\UnprotectSave.bmp
    Filesize

    626KB

    MD5

    8f50713d9d13e92d0566fde0dbb627b3

    SHA1

    1f2f29fe77ba369cb0c800d505b07ec68c495804

    SHA256

    9c3fd1df77f897e9446d7f7491d5da27f48f653865d34d2a70e5858a04f2a2b0

    SHA512

    dff47f1803bb5a0ede51ebdb8697995dcfa23284639dc81a9c974b336f5576e64e7342b7242c59ebc76f08e0c4cedae3b147f91d217995f05fb08a2efb7fcb57

  • C:\ProgramData\INJUIINI\Process.txt
    Filesize

    4KB

    MD5

    cd344d314260993be7310632e7906f7e

    SHA1

    a61a1b824be45fb4c2071cadfbd1312227094cd2

    SHA256

    1dfc20d5c09ac1129860c5c3080f6c17f2e06aa8dcab9eb826c2122efa063918

    SHA512

    33d450e147fd1b51c5eb084842b27173d7d2ea84fdd4424930664bfc7918ce70b8296e001c982701d9b5b593be9a932c0d67a88896181aa8a33eca4bc3ffac34

  • memory/5956-35-0x00000000064A0000-0x0000000006506000-memory.dmp
    Filesize

    408KB

  • memory/5956-30-0x00000000066E0000-0x0000000006C86000-memory.dmp
    Filesize

    5.6MB

  • memory/5956-24-0x0000000006090000-0x0000000006122000-memory.dmp
    Filesize

    584KB

  • memory/5956-2-0x0000000074650000-0x0000000074E01000-memory.dmp
    Filesize

    7.7MB

  • memory/5956-1-0x0000000000280000-0x00000000002D6000-memory.dmp
    Filesize

    344KB

  • memory/5956-0-0x000000007465E000-0x000000007465F000-memory.dmp
    Filesize

    4KB

  • memory/5956-222-0x000000007465E000-0x000000007465F000-memory.dmp
    Filesize

    4KB

  • memory/5956-223-0x0000000074650000-0x0000000074E01000-memory.dmp
    Filesize

    7.7MB

  • memory/5956-247-0x0000000074650000-0x0000000074E01000-memory.dmp
    Filesize

    7.7MB