Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-07-2024 01:18

General

  • Target

    9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe

  • Size

    320KB

  • MD5

    86108d3bcc19fe774cc81b71494d31f9

  • SHA1

    d936ce0c2f3ddc35f972c3a87fcaeb036412e009

  • SHA256

    9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b

  • SHA512

    151411bf7603856b39169b40cd7b7c68eff1f3f6ccba27d6767384b390e688287c6823aa3f542eeeded92c0e5b584ed429948b99d3c8e22c2b626fdd6bf849f0

  • SSDEEP

    6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvl:Cm/Q6P8j/svm1TXI5tZB

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 4 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"
    PID: 2840
    Matched signatures:
    • Accesses Microsoft Outlook profiles
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    • T1552 Unsecured Credentials: 2
    • T1552.001 Credentials In Files: 2
  • Discovery
    • T1012 Query Registry: 2
    • T1082 System Information Discovery: 1
  • Collection
    • T1005 Data from Local System: 2
    • T1114 Email Collection: 1

Downloads

  • C:\ProgramData\OMYOWHZW\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\ProgramData\OMYOWHZW\FileGrabber\Desktop\ConvertToTrace.jpeg
    Filesize

    785KB

    MD5

    d2f4ea36d8fd4716d6fd6820cbddb3e6

    SHA1

    b05ae5274fed9a29285960e5be157c55cbda13d9

    SHA256

    00bc48ab0e0132bc2d8ca8823ff7c25a534acbe899b8f9ceac464c20b472c35a

    SHA512

    f4e283ac85bee409d0e229c44051ebdc70e302746a4884d8e4a6d0d29f3e02f73139042cbc8304d5c9d960aceaa21dfaae8c4983b51564261086df6cb8a2581e

  • C:\ProgramData\OMYOWHZW\FileGrabber\Desktop\DismountPush.xlsx
    Filesize

    392KB

    MD5

    4a35445a625358afb991b19eeae30030

    SHA1

    c234a6f50e2ce249b53342ac71217b0b0ca5ddaa

    SHA256

    880ef633b5b29bd0e04efb34d75499029335ee4db8b9a0769c7ae58c121327cb

    SHA512

    bf459d4b84ffa74bdb62ffbee303c14095b688a82e5e3a199a96321d45574531aa1f0737026c40d752fee294fbb4cfa04f19705c54eb940ac67aab423a899020

  • C:\ProgramData\OMYOWHZW\FileGrabber\Documents\CloseReset.html
    Filesize

    557KB

    MD5

    37eb6cf1a0194cff092a97d0ead9e384

    SHA1

    183ce622fd56dce9d4fbee02d80707aba68256bc

    SHA256

    90b44f2f27b82d672a254e17855608779234d7fc6e2d4505557535ff1f0d9bfb

    SHA512

    8971bfdc60307e6779641c454a372a026a737a363ce4de9385184e806c5fe4afcc2fc7274d6ae0699a3d9ff49dd49b508b93ccd712b29bea698d4af9a78be398

  • C:\ProgramData\OMYOWHZW\FileGrabber\Documents\EditComplete.pdf
    Filesize

    692KB

    MD5

    b443cc49c2c2e40a4f4ad2db0bb5ec2e

    SHA1

    4086b629a7c521a62854008d466492b21ea87cc2

    SHA256

    5c55a20c0ec8d9669f64a065efc82c5dc04e2b9598b0cdd40f133bcbae602bb1

    SHA512

    6748cc1ae5cdc226f0686164dcee543f077007f3675c0f5cde0e905e5a028073a939c2ebc159af5a1ee09044d71a149b7df6282f6edaf0714389ddfa9ed4f0af

  • C:\ProgramData\OMYOWHZW\FileGrabber\Downloads\CheckpointClose.rtf
    Filesize

    656KB

    MD5

    9faf1d994caab14f4273981b41a6a787

    SHA1

    d4ce5e567b7a1a15f2e23f8c0e86221cad86adb0

    SHA256

    a075c1fcfbf798d473dfa09f74fccb0f525dc80c6c7a4928cf1c3c31f1275bdc

    SHA512

    dbc999b8914462f0ea55f6559856946bce5bfd31903cbbb369c627ab8623b65820aac1da59ceaa21e86a16de30ec36189ef516280e86ab123b29caa3292a32df

  • C:\ProgramData\OMYOWHZW\FileGrabber\Downloads\ExitFind.rtf
    Filesize

    592KB

    MD5

    caf0286e07cb58f8f93c052975192f3a

    SHA1

    0caecc1e356fe23831248f2a585e465f08333754

    SHA256

    f2e6b7f3f6e536bf62faa6828b2c8e13f08c1ab18abbbfd4bc733937bc301338

    SHA512

    bf172ef45a5bf714a3c1ef5976fb5402c8267e2ae1881d20c01e2b360358f8cd58f1dde12a2afc178be6606e057ae9ea5ac4a225af16e06dd53feab50a11458a

  • C:\ProgramData\OMYOWHZW\FileGrabber\Pictures\CompressPing.jpg
    Filesize

    992KB

    MD5

    661e072de77306ed328f0aae0ad8e697

    SHA1

    8b39e61df6072da2a8598d37ca8ad12d61a9e11a

    SHA256

    2d8a4222091da28e441ea5c238d283bb0317d160338a261255742621a5708088

    SHA512

    4c78b78d1a84979646e48546af53d358160c54c676c1fb965cc8d42394e3e354cdc32276722fc5dfaa7782d50b9f935ddcf60ebb74cf3a6d38f95cf73b0a1a35

  • C:\ProgramData\OMYOWHZW\FileGrabber\Pictures\InstallSubmit.svg
    Filesize

    1.2MB

    MD5

    914d947cb8ddd4678471b47a924c8027

    SHA1

    72b489bee8656b2d72e21af435792b1d84d34dff

    SHA256

    86e302dcf86881d319fe0a38ce3fd17d1f2dcd9251bf9062c782a57788ced246

    SHA512

    b0d5291d9c66a9d521d8b1eff95b79e7fad6552eb106c71c7126c80152f593a91382e63ff1b2ad17deeade854d17ed4cfec2cd9cc1ae005123bb2409af47b720

  • C:\ProgramData\OMYOWHZW\Process.txt
    Filesize

    4KB

    MD5

    effa9740d01f6a099c9d241990cddaa8

    SHA1

    acb86f9b149c81554b38ca8a0ea9ee75fefd2ff2

    SHA256

    2cf0a6e88df64f73e3a28027688119457f0801aec0dff7c6efee9d3a19609d24

    SHA512

    d5bd6b1cd6d1d9ebee6a28e6ee88ac7084e87fe36eaf2479250f45f60facd5ec8574d5f627fbc206704901e0f1148e91db14c14391c0b4c4883e8a528dee43fb

  • memory/2840-32-0x00000000069C0000-0x0000000006A52000-memory.dmp
    Filesize

    584KB

  • memory/2840-1-0x0000000000C70000-0x0000000000CC6000-memory.dmp
    Filesize

    344KB

  • memory/2840-0-0x0000000074FAE000-0x0000000074FAF000-memory.dmp
    Filesize

    4KB

  • memory/2840-2-0x0000000074FA0000-0x0000000075750000-memory.dmp
    Filesize

    7.7MB

  • memory/2840-53-0x0000000006D90000-0x0000000006DF6000-memory.dmp
    Filesize

    408KB

  • memory/2840-39-0x0000000007010000-0x00000000075B4000-memory.dmp
    Filesize

    5.6MB

  • memory/2840-237-0x0000000074FAE000-0x0000000074FAF000-memory.dmp
    Filesize

    4KB

  • memory/2840-238-0x0000000074FA0000-0x0000000075750000-memory.dmp
    Filesize

    7.7MB

  • memory/2840-265-0x0000000074FA0000-0x0000000075750000-memory.dmp
    Filesize

    7.7MB