Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-07-2024 01:18

General

  • Target

    9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe

  • Size

    320KB

  • MD5

    86108d3bcc19fe774cc81b71494d31f9

  • SHA1

    d936ce0c2f3ddc35f972c3a87fcaeb036412e009

  • SHA256

    9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b

  • SHA512

    151411bf7603856b39169b40cd7b7c68eff1f3f6ccba27d6767384b390e688287c6823aa3f542eeeded92c0e5b584ed429948b99d3c8e22c2b626fdd6bf849f0

  • SSDEEP

    6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvl:Cm/Q6P8j/svm1TXI5tZB

Malware Config

Signatures

  • StormKitty

    StormKitty is an open-source information stealer written in C#.

  • StormKitty payload (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Info-stealers routinely target stored browser data, which can include saved credentials and cookies.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

  • Drops desktop.ini file(s) (1 IoC)
  • Looks up external IP address via web service (7 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP address.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read to detect sandbox or virtual-machine environments.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)
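Several of the signatures above are registry lookups, which makes them a natural starting point for detection logic. The following Python is an added example, not part of this report and not StormKitty's own code: it classifies registry-access trace lines by the key paths an info-stealer touches and correlates the categories per process, mapping hits to the ATT&CK IDs the report's matrix lists. The trace format (`pid=... op=... key=...`), the sample lines, and the specific key paths are assumptions (the report only names "Uninstall key entries"); the sample trace is constructed.

```python
import re
from collections import defaultdict

# Registry locations corresponding to the report's signatures. The paths are assumptions
# based on standard Windows layouts; the ATT&CK IDs are those the report's matrix lists.
RULES = {
    "installed_software": (re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I), {"T1012"}),
    "processor_info": (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I), {"T1082"}),
    "outlook_profiles": (
        re.compile(r"\\Outlook\\Profiles(\\|$)|\\Windows Messaging Subsystem\\Profiles(\\|$)", re.I),
        {"T1114", "T1552.001"},
    ),
}

# Constructed trace in a hypothetical "pid=... op=... key=..." format, as a sandbox or EDR
# that records registry *reads* might emit. Caveat: Sysmon does not log reads (its
# RegistryEvent covers key/value create, delete, set and rename only), so a Sysmon-only
# pipeline never sees these lookups. pid 2044 stands in for a benign inventory agent.
SAMPLE_TRACE = r"""
pid=1796 op=RegQueryValue key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00000000-0000-0000-0000-000000000001}\DisplayName
pid=1796 op=RegQueryValue key=HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
pid=1796 op=RegOpenKey key=HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
pid=1796 op=RegOpenKey key=HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
pid=2044 op=RegQueryValue key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00000000-0000-0000-0000-000000000001}\DisplayVersion
pid=2044 op=RegQueryValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive
"""

LINE_RE = re.compile(r"^pid=(\d+)\s+op=(\w+)\s+key=(.+)$")


def parse_trace(text):
    """Yield (pid, op, key) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def classify(key):
    """Return the set of rule names whose path pattern matches this registry key."""
    return {name for name, (pattern, _) in RULES.items() if pattern.search(key)}


def flag_stealer_like(text, min_categories=2):
    """Correlate per process. One category alone (e.g. an inventory agent walking the
    Uninstall key) is noise; several distinct stealer categories in one process is the signal."""
    hits = defaultdict(lambda: {"categories": set(), "techniques": set(), "keys": []})
    for pid, _op, key in parse_trace(text):
        cats = classify(key)
        if not cats:
            continue
        h = hits[pid]
        h["categories"] |= cats
        h["keys"].append(key)
        for c in cats:
            h["techniques"] |= RULES[c][1]
    return {pid: h for pid, h in hits.items() if len(h["categories"]) >= min_categories}


if __name__ == "__main__":
    for pid, h in flag_stealer_like(SAMPLE_TRACE).items():
        print(f"pid {pid}: {sorted(h['categories'])} -> {sorted(h['techniques'])}")
```

Run on the constructed trace, only pid 1796 is flagged: it spans all three categories and accumulates T1012, T1082, T1114 and T1552.001, while pid 2044 only touches the Uninstall key and stays below the threshold. The threshold is the important design choice; software-inventory and update agents enumerate Uninstall entries constantly, so the single-key rule on its own would page an analyst all day.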

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
    "C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"
    • Accesses Microsoft Outlook profiles
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:1796

Network

MITRE ATT&CK Matrix (ATT&CK v13; count of matching signatures in parentheses)

Credential Access
  • Unsecured Credentials, T1552 (2)
  • Credentials In Files, T1552.001 (2)

Discovery
  • Query Registry, T1012 (2)
  • System Information Discovery, T1082 (1)

Collection
  • Data from Local System, T1005 (2)
  • Email Collection, T1114 (1)

Downloads

  • C:\Users\Admin\AppData\Local\HKULBIBU\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Desktop\CheckpointComplete.jpeg
    Filesize

    797KB

    MD5

    38fec54d790c17bdc0df1b373a6de809

    SHA1

    2b0e747fcf52760804338063bcbffcde004e12f5

    SHA256

    a17bf0031af7db7309129113518fad430b3dc6d8c9afbcfc1ffa819450c772a7

    SHA512

    2cd72acd6681138109bdd29f9d42f9c8d7181e2d6fa9f9a37e8abe643cb2db991c9d3e1666ef1631b0a9964f612534e14901ecf23f7a82f1f82eca1011dcd8fc

  • C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Desktop\CompressConvertFrom.doc
    Filesize

    605KB

    MD5

    7323eb4f3677c45a9d6802c8f847d27c

    SHA1

    05baf7db783a294f0f681ea2eb8a8b1de986cd27

    SHA256

    4bc9dd9c0864a87877a351b7bf01aa3e49bc5a08ced61f22fb0a3da27bdc4afe

    SHA512

    4e0bcf1be6fb855788fbf52c40efa365e0cb8768aeb437ac168a7ccf6c45e7d1cd4020e116b0d7bde3c09614f38c5830998a0c28d370ce91e298798400db0622

  • C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Documents\UnprotectSplit.pdf
    Filesize

    939KB

    MD5

    1837b2533c09056bc51fe1dd2d4bfe0b

    SHA1

    9b159a02a6f32eb4db40421ab7cde2f275a22aaa

    SHA256

    1ad83d28256c9dffccfa928b8f898d191076a4696dbcb2155aeb12a7207059e8

    SHA512

    7c55a7182b19f190b9a54893db3b711aa7997d5535b4fbf08d885586ab0dbade176f20bf86297792258d26c29db322ed687b3afde36f4fdb678760023a155841

  • C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Downloads\BlockEdit.txt
    Filesize

    820KB

    MD5

    745c411b9ea5f1d0f3d190c24d45a97f

    SHA1

    3d32973e7d487a984756f84dd1cc3bd67cf7ed62

    SHA256

    10c3b994f9773b69cb48ad8e7159e3c917f78c7375565bacdcd6abe1d8fb87f2

    SHA512

    7b16fa25ea088b186372a02345a57ae3a5c236ec2150b75c3ce43054203186e2ee96a62850206f3c45cf17e79f9bee54d8129d47ef02d95b1a72a5aeea647342

  • C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Downloads\ClearNew.xlsx
    Filesize

    688KB

    MD5

    b8103d71fa50988948c74ed5e6da432a

    SHA1

    0658fdecdc66ab2bbf28f22365843530461ee290

    SHA256

    02fc673fcaf14e8571d07e103896b2f128357f67f2d4f8fbdfb3e4d8f037c097

    SHA512

    a9173306e0683746c391f2d81a29f496462713a7fe57ae6fd44c7937876b8c43375aa8427c9e99d9af972e89335c56156cb66f32f6b66df13bd7bdaf0fd45b34

  • C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Pictures\ConfirmStop.jpg
    Filesize

    504KB

    MD5

    703bfe9d34aeda78a7c9fff9fd3cd6cf

    SHA1

    69d09b131f675de53deea685af6577e5f5db2007

    SHA256

    89b52da95cd71bec000cd94b5d16c7fb17436a3a52f7946dfa988829db2a6498

    SHA512

    a0d2855051e2fc1e9a66ce75a775b0b21063382fa37d21db7438999fc0b94a2de3addc704419016d3496022bbf72ed0cd458dc402f540e493322c7aa55b53d90

  • C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Pictures\DenyMeasure.jpg
    Filesize

    252KB

    MD5

    a548add6936a57fd865fc414d33ced4c

    SHA1

    e08d57516e17dd1c56169af7191f4e7bab2d603f

    SHA256

    2341c8df20da12510ec848631d3df91bb91ffdb3b4695f6d20eb8a877d6b3098

    SHA512

    dadc59763bd8b9f6087f12275d1e93bb0c77eef0769f371c0619957bd2ffa0f1f9b3c2e011ff7cf6339ff2401a712488d30eb392852504f66b445e5fa7e96274

  • C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Pictures\DenyUse.svg
    Filesize

    602KB

    MD5

    b35a334858a994f9ba106d88b5f00f60

    SHA1

    861b79eabeab7ad508ba4261475f40bc70adf900

    SHA256

    fe22bf5182b642241bc319817ca9803531ceddd9edce213e81b018a37e62efda

    SHA512

    441321be48294b2af867b500702839a7cbf7b388f176c23677071120e7351af6455bb0a5c366a10c15b26476213ace17a8b1f633f47a4c8fe96ffdc786aebc3f

  • memory/1796-2-0x00000000740C0000-0x00000000747AE000-memory.dmp
    Filesize

    6.9MB

  • memory/1796-1-0x0000000000B90000-0x0000000000BE6000-memory.dmp
    Filesize

    344KB

  • memory/1796-0-0x00000000740CE000-0x00000000740CF000-memory.dmp
    Filesize

    4KB

  • memory/1796-146-0x00000000740CE000-0x00000000740CF000-memory.dmp
    Filesize

    4KB

  • memory/1796-147-0x00000000740C0000-0x00000000747AE000-memory.dmp
    Filesize

    6.9MB

  • memory/1796-169-0x00000000740C0000-0x00000000747AE000-memory.dmp
    Filesize

    6.9MB
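The dropped-file list above is the stealer's staging directory: a module-specific tree under `%LOCALAPPDATA%\HKULBIBU\` into which browser artifacts and copies of the user's files are written before exfiltration. The following Python is an added example, not part of this report and not StormKitty's own code. It takes the report's own dropped-file entries and reconstructs what a responder needs: the staging root to use as a path IOC, the profile files the FileGrabber copied (with their hashes, which match the originals because they are plain copies), per-folder counts and the total volume staged. The mapping from `FileGrabber\<folder>\<file>` back to `C:\Users\<user>\<folder>\<file>` is an assumption suggested by the staged paths, as is treating the 8-letter directory name as varying across runs; the report shows one value.

```python
import re
from collections import Counter

# Dropped-file entries as printed in the report's Downloads section: (path, size, SHA256).
# Memory dumps are not files the stealer staged and are left out.
REPORT_ENTRIES = [
    (r"C:\Users\Admin\AppData\Local\HKULBIBU\Browsers\Firefox\Bookmarks.txt", "105B",
     "c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142"),
    (r"C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Desktop\CheckpointComplete.jpeg", "797KB",
     "a17bf0031af7db7309129113518fad430b3dc6d8c9afbcfc1ffa819450c772a7"),
    (r"C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Desktop\CompressConvertFrom.doc", "605KB",
     "4bc9dd9c0864a87877a351b7bf01aa3e49bc5a08ced61f22fb0a3da27bdc4afe"),
    (r"C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Documents\UnprotectSplit.pdf", "939KB",
     "1ad83d28256c9dffccfa928b8f898d191076a4696dbcb2155aeb12a7207059e8"),
    (r"C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Downloads\BlockEdit.txt", "820KB",
     "10c3b994f9773b69cb48ad8e7159e3c917f78c7375565bacdcd6abe1d8fb87f2"),
    (r"C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Downloads\ClearNew.xlsx", "688KB",
     "02fc673fcaf14e8571d07e103896b2f128357f67f2d4f8fbdfb3e4d8f037c097"),
    (r"C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Pictures\ConfirmStop.jpg", "504KB",
     "89b52da95cd71bec000cd94b5d16c7fb17436a3a52f7946dfa988829db2a6498"),
    (r"C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Pictures\DenyMeasure.jpg", "252KB",
     "2341c8df20da12510ec848631d3df91bb91ffdb3b4695f6d20eb8a877d6b3098"),
    (r"C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Pictures\DenyUse.svg", "602KB",
     "fe22bf5182b642241bc319817ca9803531ceddd9edce213e81b018a37e62efda"),
]

# Staging layout seen in the report: %LOCALAPPDATA%\<8 upper-case letters>\<module>\<relative path>.
# Treating the 8-letter tag as a variable (per-run) name is an assumption; HKULBIBU is the one value shown.
STAGED_RE = re.compile(
    r"^(?P<drive>[A-Za-z]:)\\Users\\(?P<user>[^\\]+)\\AppData\\Local\\(?P<tag>[A-Z]{8})\\"
    r"(?P<module>Browsers|FileGrabber)\\(?P<rest>.+)$"
)
# EDR-style path regex derived from the same layout, usable as a hunting IOC.
PATH_IOC = r"\\AppData\\Local\\[A-Z]{8}\\(Browsers|FileGrabber)\\"

SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def size_to_bytes(text):
    """Convert the report's printed size ('105B', '797KB') to bytes (binary units assumed)."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_staged(path):
    """Split a staged path into drive, user, tag, module and module-relative path, or None."""
    m = STAGED_RE.match(path)
    return m.groupdict() if m else None


def victim_source(path):
    """Map a FileGrabber copy back to the profile path it was copied from (assumed mirror
    of the user's Desktop/Documents/Downloads/Pictures). Browser artifacts are derived
    data, not copies, so they map to nothing."""
    p = parse_staged(path)
    if not p or p["module"] != "FileGrabber":
        return None
    return f"{p['drive']}\\Users\\{p['user']}\\{p['rest']}"


def triage(entries):
    """Summarise a dropped-file list into responder-facing facts."""
    staging_roots, grabbed, browser, total = set(), [], [], 0
    for path, size, sha256 in entries:
        p = parse_staged(path)
        if not p:
            continue  # not in the staging tree (e.g. the dropper itself in %TEMP%)
        staging_roots.add(f"{p['drive']}\\Users\\{p['user']}\\AppData\\Local\\{p['tag']}")
        total += size_to_bytes(size)
        if p["module"] == "FileGrabber":
            grabbed.append({"source": victim_source(path), "folder": p["rest"].split("\\")[0],
                            "bytes": size_to_bytes(size), "sha256": sha256})
        else:
            browser.append(p["rest"])
    return {
        "staging_roots": sorted(staging_roots),
        "path_ioc": PATH_IOC,
        "grabbed": grabbed,
        "by_folder": dict(Counter(g["folder"] for g in grabbed)),
        "browser_artifacts": browser,
        "total_bytes": total,
    }


if __name__ == "__main__":
    summary = triage(REPORT_ENTRIES)
    print("staging root(s):", summary["staging_roots"])
    print("per folder:", summary["by_folder"], "total bytes:", summary["total_bytes"])
    for g in summary["grabbed"]:
        print(f"  {g['source']}  {g['sha256'][:16]}...")
```

For this run the summary is one staging root, `C:\Users\Admin\AppData\Local\HKULBIBU`, eight copied files (2 from Desktop, 1 from Documents, 2 from Downloads, 3 from Pictures) plus the Firefox bookmarks export, about 5.3 MB in total. In the sandbox these are the analysis image's own seed documents; on a real host the same mapping names the user files that were collected, and the SHA256 of each staged copy lets you confirm which originals left the machine without touching the infected system again.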