Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08-07-2024 01:18

Behavioral task behavioral1
- Sample: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- Resource: win7-20240221-en

Behavioral task behavioral2
- Sample: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- Resource: win10v2004-20240704-en
General
- Target: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- Size: 320KB
- MD5: 86108d3bcc19fe774cc81b71494d31f9
- SHA1: d936ce0c2f3ddc35f972c3a87fcaeb036412e009
- SHA256: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
- SHA512: 151411bf7603856b39169b40cd7b7c68eff1f3f6ccba27d6767384b390e688287c6823aa3f542eeeded92c0e5b584ed429948b99d3c8e22c2b626fdd6bf849f0
- SSDEEP: 6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvl:Cm/Q6P8j/svm1TXI5tZB
Signatures
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoC)
  YARA rule matches:
  - resource: behavioral1/memory/1796-1-0x0000000000B90000-0x0000000000BE6000-memory.dmp; yara_rule: family_stormkitty
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe):
  - Key opened: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) (1 IoC)
  Processes (9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe):
  - File created: C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Documents\desktop.ini
- Looks up external IP address via web service (7 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
  - flow 18: api.ipify.org
  - flow 19: api.ipify.org
  - flow 20: ip-api.com
  - flow 22: api.ipify.org
  - flow 23: api.ipify.org
  - flow 4: freegeoip.app
  - flow 8: freegeoip.app
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  - pid 1796: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe (6 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeDebugPrivilege; pid 1796: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- outlook_office_path (1 IoC)
  Processes (9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe):
  - Key opened: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Processes (9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe):
  - Key opened: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"
  Matched signatures:
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\HKULBIBU\Browsers\Firefox\Bookmarks.txt (105B)
- C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Desktop\CheckpointComplete.jpeg (797KB)
- C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Desktop\CompressConvertFrom.doc (605KB)
- C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Documents\UnprotectSplit.pdf (939KB)
- C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Downloads\BlockEdit.txt (820KB)
- C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Downloads\ClearNew.xlsx (688KB)
- C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Pictures\ConfirmStop.jpg (504KB)
- C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Pictures\DenyMeasure.jpg (252KB)
- C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Pictures\DenyUse.svg (602KB)
- memory/1796-2-0x00000000740C0000-0x00000000747AE000-memory.dmp (6.9MB)
- memory/1796-1-0x0000000000B90000-0x0000000000BE6000-memory.dmp (344KB)
- memory/1796-0-0x00000000740CE000-0x00000000740CF000-memory.dmp (4KB)
- memory/1796-146-0x00000000740CE000-0x00000000740CF000-memory.dmp (4KB)
- memory/1796-147-0x00000000740C0000-0x00000000747AE000-memory.dmp (6.9MB)
- memory/1796-169-0x00000000740C0000-0x00000000747AE000-memory.dmp (6.9MB)