Malware Analysis Report

2024-09-23 02:53

Sample ID: 240707-fy82eavbpq
Target: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
SHA256: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
Tags: stormkitty collection discovery spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b

Threat Level: Known bad

The file 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b was found to be: Known bad.

Malicious Activity Summary

stormkitty collection discovery spyware stealer

StormKitty

Stormkitty family

StormKitty payload

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops desktop.ini file(s)

Checks installed software on the system

Accesses Microsoft Outlook profiles

Unsigned PE

outlook_win_path

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-07 05:18

Signatures

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

stormkitty

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-07 05:18

Reported

2024-07-07 05:20

Platform

win10v2004-20240704-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
(26 identical rows in the original table: all from the same process, no indicator or target detail recorded)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe

"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
US | 8.8.8.8:53 | freegeoip.app | udp
US | 172.67.160.84:443 | freegeoip.app | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | ipbase.com | udp
US | 104.21.85.189:443 | ipbase.com | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.160.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 189.85.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.12.205:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/4500-0-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

memory/4500-1-0x0000000000FA0000-0x0000000000FF6000-memory.dmp

memory/4500-2-0x0000000074A70000-0x0000000075220000-memory.dmp

memory/4500-29-0x0000000006B80000-0x0000000006C12000-memory.dmp

memory/4500-34-0x00000000071D0000-0x0000000007774000-memory.dmp

memory/4500-36-0x00000000070D0000-0x0000000007136000-memory.dmp

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\Process.txt

MD5 cf7a1376bd7e38ffcac63227dec45b00
SHA1 2af6b55561264efb894e45481797b02dc69bd480
SHA256 dc4ba730d335f620f8300eddfd006b6750f5ee6074c19de0d9a86b41c43f945d
SHA512 f932b7c010b24481b32a7bc1b6f7d738accfb06aba94260fdd3b9276ddff086975fb4b5bd7027c4e573acf32bf32a888490cea87d60e82801aa7c4dca8e410ea

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Desktop\ConvertFromMove.jpeg

MD5 d824c89d902f958f5e793abc5f3761a5
SHA1 140f19a084d9280428a18a8d305a0f28ac86edb2
SHA256 0896c9d880de34df835ae49d3b195b710a7b85f89c34ca1e3f8c863fb0fb14b4
SHA512 20011e57662e5804815e60904bdfc8d3ef712254acd2adf0d71661de4feec2ccf4e87e48b9c4f7b9ac5b3cbbba98e81e220bcd2218fdd8213d57d5c63d820313

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Desktop\CopyInvoke.jpeg

MD5 ff7ec59cd06848bd223b515924217417
SHA1 45242c14162f4cf5129191c0d6e9d0a4ea625223
SHA256 e92f09c90bc02bde393edeb27987a9e6f57dd87586831b11969fa778e92e564a
SHA512 484df9703148e192140afdd3cb40f1ba0209826ed1962351a7462633d3b7a0521ef5bd6c250531d18fc387f48a98aa91c6aa1852fed2d2c04dceec2906d4af70

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Desktop\GetOpen.ppt

MD5 21f5efd3d5cb121b50a863b5911777ca
SHA1 0dae349f165fc4d79e694884337dce6d31dbc9d1
SHA256 d6186cbf85e380bdf131865b4c40a31aaf61f6bb5477478a186835ce97903831
SHA512 ef8d62c2ec9f01e75f95f70e00f2378f948707cefc647d053386438a63b03a29e770f59e90b7037125fc0ee8e3a9769dddee4245226372d773145ae6cbe66497

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Documents\ResolveUnblock.html

MD5 0314e0f44243952ee8ee7999adf6c69a
SHA1 0c97594904f9b9c2a94c9d0957d0c49fa37c4d63
SHA256 f8971f8bd129205644dda236f433acdc6437248935cab1117b2dffa1ce05112d
SHA512 5e314494b81c12925b718d58ee5b1519373f24cd0a109dcbb81aa13b1ee2fc9cafbf2279817bb50811da9efbc2a2dfd6f3ae373775609137f3fd5a9f7b7d863b

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Documents\SelectConvertTo.txt

MD5 0add8cdb6ad14ead8ab807440899c858
SHA1 cf42e839d873ec58fae9c42b4cb4e3a756232a5b
SHA256 2b355a2adb5e0ac41c312fb6c735cf60d452ab4556e0b726611d702a89d863cb
SHA512 09d7238026d70edc2dff9b24a36e63becc26464277979d51d101af054f475111c5ed8804251b5170c9e4bf22a69d282064fff4f842598b8852625526b0b1a763

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Documents\TestUpdate.txt

MD5 cef8077a00718dde5c55b036642c4a26
SHA1 0b3e9c256bb77f42f387ac965ab7310a20fe7731
SHA256 e835dd0957b7d2c6a8befad61b2c7c4db1b9dfd5aa49eba99fd19bc1995e947b
SHA512 38c997a244b7a2d291a34b067b72a7073bc789b7ebb64d346e311eb79295489f02b6a5d7f10017d019986d2d2682a716d3ad7866bb9b598c6bf12f7c7e20e76c

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Documents\WatchConvert.docx

MD5 80ba8848917ae054ac65f5a88a9e3400
SHA1 3237356a24be22e7e9ba50e98181274314e214eb
SHA256 a965abafb7d2c2e1603478e75dcaed92a885e77ce7133479515914a9bb4e4dbc
SHA512 d37c310933207208b5d07ad3f4328aa2adcd7f46423e771a38bf71284f2fd76bf633d39cc8a20f01b6d1ab8568f5070149c31e045eaa79cd2977b3b7de70bd8a

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Downloads\EnterRequest.ini

MD5 c1a6d0fc0058bf9a9747ad27de16bade
SHA1 e6925db25cc2f43b2b66c9262dd84ab624be8f41
SHA256 c1eb665fc1691b9a7fbbeabfe74ec79dbc08f2729bc16bab71903610128f2677
SHA512 5b8974cf267ef8bb5f878a59a847c78739539b8fd83685948dc7ad5f6b5b6fd222221b2f1c454cf9ab564fd7d3e367ff38a62d7a2d87b747f9e8a2ba40fbd621

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Downloads\LockRegister.docx

MD5 a7b12047b19ac4709e81a067b375e8b9
SHA1 7fdcbaef47d69280db73125b4334ac7b6c51760c
SHA256 760df112a3b3c6687ff73657c77eb6c95a4e6c51060a4d8a008362063d370ea0
SHA512 89c1642373c76f4e1104a574e0aaa7797fc94645b5c528614625ddff42d0c07ffddfba013795498d3a9f1e05c48b4faf9437a68d4927553f3b6a1889b3262a07

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Pictures\ExportAssert.jpeg

MD5 48af4a19c2d89b80dfef21dbd4ea1b91
SHA1 364981e3bf71f484fdaf68e39243223d3c137d08
SHA256 214ab024649cd5b11bde3cae7ef2356a0f261d13645fe0d5ab4ecf3c34395c8a
SHA512 c98b7d2afdca8ec0a909505e66e0e02c5aaa1ec5788d92918eec383407b33d044ca0b16d49ebedb744fe28683ebc1141ea3e40a33943f13dce75f8560fa139cd

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Pictures\InstallPublish.bmp

MD5 527a9df30e9d1a6d0b68f59c669d1f10
SHA1 2872ab33c08eb6a41761a879199b8698b0526063
SHA256 50452ffac02f9d80a6ee58f5e03586f8cb14c4ffc4083910cf82d3504aacb8df
SHA512 371cb91c971f1ba7c7e1fea486246c844274de990d67d79d2bd167a9332e7bdec82de1f682c233eeb5b8bd2fe6abf576e55f3201d15a97ac00de0a2626c3a4ed

C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Pictures\RenameConvert.png

MD5 da8ded1465a1873f5333100f74905f15
SHA1 01a800145aa8d12554414bb618dcd3f54b1919ec
SHA256 70db105350de0c5464c545eca76059ee53bae9f4073bc1b9a8dc4657e669eb91
SHA512 2a9ecdb058d27774e5d420b00715e3020a41fa371bf3ffe962cd68b7706b5667e79470308d00d5331bd064be52c2fa412293f87ea2fd407079f06c679dfd9069

memory/4500-245-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

memory/4500-246-0x0000000074A70000-0x0000000075220000-memory.dmp

memory/4500-274-0x0000000074A70000-0x0000000075220000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-07 05:18

Reported

2024-07-07 05:20

Platform

win11-20240704-en

Max time kernel

92s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\ProgramData\INJUIINI\FileGrabber\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
File created | C:\ProgramData\INJUIINI\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
File created | C:\ProgramData\INJUIINI\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
File created | C:\ProgramData\INJUIINI\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
File created | C:\ProgramData\INJUIINI\FileGrabber\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | ip-api.com | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
(24 identical rows in the original table: all from the same process, no indicator or target detail recorded)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
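The registry and file indicators in the signature tables repeat across both detonations and are the host-side signal worth hunting for. What follows is an added example and not part of the sandbox report: a small Python triage routine that classifies indicator rows of the kind shown in these tables into three tags, the StormKitty staging tree (a directory of eight uppercase letters under AppData\Roaming or C:\ProgramData holding FileGrabber\, Browsers\ and Process.txt, as seen in the two runs; the eight-letter length is an assumption taken from just the two names KGOEYKGQ and INJUIINI), Outlook profile reads under both the Office-versioned key and the Windows Messaging Subsystem key, and the CentralProcessor fingerprint query. Two things a practitioner should note from the tables: the staging root differed between the runs (AppData\Roaming on the Windows 10 image, ProgramData on the Windows 11 image), so the match is on the subtree rather than the root, and the document names under FileGrabber are the sandbox's own decoy user files, so only the directory layout is a usable indicator. The sample events are copied from the tables of both runs, with two benign rows constructed for contrast.

```python
import re
from collections import Counter

# Constructed sample input: (Description, Indicator) pairs copied from the signature
# and Files tables of both detonations, plus two benign rows (constructed, not from
# the report) that must not fire.
SAMPLE_EVENTS = [
    ("File created", r"C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Downloads\desktop.ini"),
    ("File created", r"C:\Users\Admin\AppData\Roaming\KGOEYKGQ\Process.txt"),
    ("File created", r"C:\ProgramData\INJUIINI\FileGrabber\Pictures\Camera Roll\desktop.ini"),
    ("File created", r"C:\ProgramData\INJUIINI\Browsers\Firefox\Bookmarks.txt"),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"),
    ("File created", r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\places.sqlite"),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\16.0\Common"),
]

# Staging tree seen in both runs: <root>\<8 uppercase letters>\{FileGrabber,Browsers,Process.txt}.
# The root differed (AppData\Roaming on Win10, ProgramData on Win11), so the match is
# anchored on the subtree. The 8-letter length is an assumption from the two names observed.
STAGING_RE = re.compile(
    r"^[A-Z]:\\(?:Users\\[^\\]+\\AppData\\Roaming|ProgramData)"
    r"\\[A-Z]{8}\\(?:FileGrabber\\|Browsers\\|Process\.txt$)"
)
# Outlook profile stores under both the Office-versioned key and the legacy
# Windows Messaging Subsystem key, exactly the two forms in the report's rows.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.0\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
    re.IGNORECASE,
)
# The report logs the key as both "Description" and "DESCRIPTION", hence IGNORECASE.
CPU_ID_RE = re.compile(
    r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+", re.IGNORECASE
)


def classify(description, indicator):
    """Return a tag for one indicator row, or None if it matches nothing."""
    if description == "File created" and STAGING_RE.match(indicator):
        return "stealer_staging"
    if description.startswith("Key"):
        if OUTLOOK_PROFILE_RE.search(indicator):
            return "outlook_profile_access"
        if CPU_ID_RE.search(indicator):
            return "cpu_fingerprint"
    return None


def triage(events):
    """Count tags and give a verdict. Staging writes are specific enough to stand
    alone; Outlook profile reads and the CPU query are also done by legitimate
    software, so on their own they only count when seen together."""
    counts = Counter()
    hits = []
    for description, indicator in events:
        tag = classify(description, indicator)
        if tag is not None:
            counts[tag] += 1
            hits.append((tag, indicator))
    if counts["stealer_staging"]:
        verdict = "stealer-staging-observed"
    elif counts["outlook_profile_access"] and counts["cpu_fingerprint"]:
        verdict = "collection-plus-fingerprinting"
    else:
        verdict = "no-stealer-pattern"
    return {"counts": dict(counts), "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for tag, indicator in result["hits"]:
        print(f"{tag:24} {indicator}")
    print(result["verdict"], result["counts"])
```

Feed it the Description and Indicator columns of any run of this sample and the four staging writes alone are enough for the high-confidence verdict; the Outlook and CPU rows are kept as corroboration because a mail client or an inventory agent produces the same registry reads.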

Processes

C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe

"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
US | 8.8.8.8:53 | freegeoip.app | udp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 172.67.160.84:443 | freegeoip.app | tcp
US | 104.21.85.189:443 | ipbase.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | 189.85.21.104.in-addr.arpa | udp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 104.26.13.205:443 | api.ipify.org | tcp
US | 208.95.112.1:80 | ip-api.com | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 52.111.243.31:443 | | tcp
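The network tables of both runs mix DNS queries to the sandbox resolver, reverse (PTR) lookups, OS background traffic such as g.bing.com and the stealer's own sessions, and the Domain column can be empty (last row above). As an added example that is not part of the report, the Python below parses rows in exactly the report's "Country Destination Domain Proto" layout and buckets them: IP-geolocation services (the report's signature flags ip-api.com, freegeoip.app and api.ipify.org; ipbase.com is put in the same set here on my classification, not the report's), the cloud channels StormKitty-style stealers use (api.telegram.org is the family's documented report channel; what dl.dropboxusercontent.com was used for is not determinable from this report), peers with no resolved name, and plaintext HTTP contacts such as ip-api.com on port 80, where the request and the victim's public-IP answer travel in the clear and are the easiest thing to alert on. The sample rows are copied from the two tables.

```python
import re
from collections import Counter

# Constructed sample input: rows copied from the behavioral1/behavioral2 network
# tables of this report, in the report's own "Country Destination Domain Proto" layout.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 freegeoip.app udp
US 172.67.160.84:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 104.21.85.189:443 ipbase.com tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 15.64.125.162.in-addr.arpa udp
US 104.26.12.205:443 api.ipify.org tcp
US 208.95.112.1:80 ip-api.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 52.111.243.31:443 tcp
"""

# The Domain column is optional (see the last row), so the regex makes it optional too.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

# Services flagged by the report's "Looks up external IP address" signature, plus
# ipbase.com, which I classify the same way (assumption, not a report finding).
IP_LOOKUP_SERVICES = {"ip-api.com", "freegeoip.app", "api.ipify.org", "ipbase.com"}
# Telegram is StormKitty's documented exfiltration channel; the Dropbox download
# host's role cannot be determined from this report, so both sit in one bucket.
CLOUD_CHANNELS = {"api.telegram.org", "dl.dropboxusercontent.com"}


def parse_rows(text):
    """Turn the flattened table into dicts; raise on any row that does not fit."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country "):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        records.append(rec)
    return records


def summarize(records):
    """Bucket records so that resolver chatter does not drown the real IOCs."""
    out = {
        "dns": set(),              # names the sample asked the resolver for
        "ptr": set(),              # reverse lookups: sandbox-side noise, not IOCs
        "connections": Counter(),  # (domain, ip, port, proto) -> session count
        "ip_lookup": set(),
        "cloud": set(),
        "unresolved": set(),       # TCP peers with no domain in the table
        "plaintext_http": set(),   # (domain, port) contacted in the clear
    }
    for r in records:
        domain = r["domain"]
        if domain and domain.endswith(".in-addr.arpa"):
            out["ptr"].add(domain)
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            if domain:
                out["dns"].add(domain)
            continue
        out["connections"][(domain or "-", r["ip"], r["port"], r["proto"])] += 1
        if domain is None:
            out["unresolved"].add(r["ip"])
            continue
        if domain in IP_LOOKUP_SERVICES:
            out["ip_lookup"].add(domain)
        elif domain in CLOUD_CHANNELS:
            out["cloud"].add(domain)
        if r["port"] == 80:
            out["plaintext_http"].add((domain, r["port"]))
    return out


def blocklist(summary):
    """Destinations worth blocking or hunting, as sorted domain:port strings:
    the lookup services and cloud channels only; OS background hosts fall through."""
    wanted = summary["ip_lookup"] | summary["cloud"]
    return sorted(
        f"{dom}:{port}"
        for (dom, _ip, port, _proto) in summary["connections"]
        if dom in wanted
    )


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    for bucket in ("ip_lookup", "cloud", "unresolved", "plaintext_http"):
        print(bucket, sorted(map(str, s[bucket])))
    print("block:", blocklist(s))
```

The session counter is what shows the repeated dl.dropboxusercontent.com connections as one destination with a count rather than a dozen rows, and the unresolved bucket keeps 52.111.243.31 visible instead of silently dropping a row the parser could not name.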

Files

memory/5956-0-0x000000007465E000-0x000000007465F000-memory.dmp

memory/5956-1-0x0000000000280000-0x00000000002D6000-memory.dmp

memory/5956-2-0x0000000074650000-0x0000000074E01000-memory.dmp

memory/5956-24-0x0000000006090000-0x0000000006122000-memory.dmp

memory/5956-30-0x00000000066E0000-0x0000000006C86000-memory.dmp

memory/5956-35-0x00000000064A0000-0x0000000006506000-memory.dmp

C:\ProgramData\INJUIINI\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\ProgramData\INJUIINI\Process.txt

MD5 cd344d314260993be7310632e7906f7e
SHA1 a61a1b824be45fb4c2071cadfbd1312227094cd2
SHA256 1dfc20d5c09ac1129860c5c3080f6c17f2e06aa8dcab9eb826c2122efa063918
SHA512 33d450e147fd1b51c5eb084842b27173d7d2ea84fdd4424930664bfc7918ce70b8296e001c982701d9b5b593be9a932c0d67a88896181aa8a33eca4bc3ffac34

C:\ProgramData\INJUIINI\FileGrabber\Desktop\ConfirmInitialize.ppt

MD5 bd616c72598cd85d2dbf65ba80a1700f
SHA1 7e2e448f411782159e9b0e34bedcd96601da280a
SHA256 6b2fdd3552df16b8e8567226dda7cd498d566202ae56875a443116674601bc0e
SHA512 b5c0164d42f2120ba234a8ac04e8a9259fbb9a903dedd3763a60ba855db9ef99455754527db569bf4a2a743a4701aa42d96feb55e600b040077d3603623705a0

C:\ProgramData\INJUIINI\FileGrabber\Desktop\ExpandPop.css

MD5 52e3c83b45bbfd4c74c1d6636beef038
SHA1 f795ce5c50a23855bd950d1a67fd3e2fd3e78674
SHA256 0f49e22e3499ef920abe6401ba9586209a003b1d8f392e323a4c01753fa33fad
SHA512 58790540d90aae0ccb927230f09c2be68f49eee5724c037a64b5df1fa9ec53b8d45789220cd7585d92423218d0e804ace832594c84643063f2edba9969221086

C:\ProgramData\INJUIINI\FileGrabber\Desktop\MergeNew.docx

MD5 b20babe6b303b35f9f2af30fab3ea7b7
SHA1 b8800a8d585eb7c709515c38eaf9015a468c6196
SHA256 be997c752df66857ea0a3e4f939b61f468bab716a47d9d7e251b3aaad72c88ff
SHA512 a22b305dca3e1ef82890d9c71c3a1c72ec18818076ae9c642b411201806ec00db39e66978dd8087c6426dc584eab09f10d657014d6f61d65f829b425bd087bee

C:\ProgramData\INJUIINI\FileGrabber\Documents\AddUnprotect.xls

MD5 98d7cfce856060ec188cf0461339149f
SHA1 39c01cd2fd4d094d0f537b2761860a2d2d5d21d5
SHA256 bccfd2eb5f02937aed250b281332d4cc36a84501db14f88a0e162d2c4029163c
SHA512 b5eab5c324ac58f1da7a2633038d187085180f99445d4193b0d52a0737c395b6f91d6211c7f1110fa2dabdf03c7856fcb534253627ee8e5576a29590de67348c

C:\ProgramData\INJUIINI\FileGrabber\Downloads\EnableUnregister.rtf

MD5 4a5410a9ad0d5263dac7002735adb2d6
SHA1 f32f98dbf5c74972281843448e753af97cb1df1e
SHA256 f94ae53e9cd44c0bdd9d10fda86baf28d2f1cee1bb4f9ba23209b1a68a558db0
SHA512 f008d350ea8e8a402fe2b7625cda4ce1daec87ca060328f4379af47fb2e5353e0d5ceaec61ff14cafaee640426b18912f1e3652ca2f020e3b842b41b314e983c

C:\ProgramData\INJUIINI\FileGrabber\Downloads\SplitBlock.pptx

MD5 0fc9e6ef65cd7aead3a0cef8cfba60d1
SHA1 541ef79a4e70a7185adb79da4e63e548b81e7f2d
SHA256 2d1fc6704282755257d74317233aa463a9b7e1270fd7abc0dec0e0d6c747f7c6
SHA512 894b29b4e708c642bdd43e57f97715da9c07be353087040670bae701c9276bf9bf0d9c8181c69ce1e1d26e8c496f72067bbd55cb233dc5460a6e1268e936ae0e

C:\ProgramData\INJUIINI\FileGrabber\Pictures\UnprotectSave.bmp

MD5 8f50713d9d13e92d0566fde0dbb627b3
SHA1 1f2f29fe77ba369cb0c800d505b07ec68c495804
SHA256 9c3fd1df77f897e9446d7f7491d5da27f48f653865d34d2a70e5858a04f2a2b0
SHA512 dff47f1803bb5a0ede51ebdb8697995dcfa23284639dc81a9c974b336f5576e64e7342b7242c59ebc76f08e0c4cedae3b147f91d217995f05fb08a2efb7fcb57

memory/5956-222-0x000000007465E000-0x000000007465F000-memory.dmp

memory/5956-223-0x0000000074650000-0x0000000074E01000-memory.dmp

memory/5956-247-0x0000000074650000-0x0000000074E01000-memory.dmp