Analysis
max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-07-2024 01:18

Behavioral task: behavioral1
Sample: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Resource: win10v2004-20240704-en

General
Target: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Size: 320KB
MD5: 86108d3bcc19fe774cc81b71494d31f9
SHA1: d936ce0c2f3ddc35f972c3a87fcaeb036412e009
SHA256: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
SHA512: 151411bf7603856b39169b40cd7b7c68eff1f3f6ccba27d6767384b390e688287c6823aa3f542eeeded92c0e5b584ed429948b99d3c8e22c2b626fdd6bf849f0
SSDEEP: 6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvl:Cm/Q6P8j/svm1TXI5tZB
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource: behavioral2/memory/2840-1-0x0000000000C70000-0x0000000000CC6000-memory.dmp
yara_rule: family_stormkitty
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Key opened: \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened: \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened: \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 4 IoCs
Processes:
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
File created: C:\ProgramData\OMYOWHZW\FileGrabber\Desktop\desktop.ini
File created: C:\ProgramData\OMYOWHZW\FileGrabber\Documents\desktop.ini
File created: C:\ProgramData\OMYOWHZW\FileGrabber\Downloads\desktop.ini
File created: C:\ProgramData\OMYOWHZW\FileGrabber\Pictures\desktop.ini
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 13: freegeoip.app
flow 14: freegeoip.app
flow 33: api.ipify.org
flow 34: api.ipify.org
flow 35: ip-api.com
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
pid 2840: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe (24 identical entries, all from pid 2840)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Token: SeDebugPrivilege (pid 2840)
outlook_office_path 1 IoCs
Processes:
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Key opened: \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
outlook_win_path 1 IoCs
Processes:
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Key opened: \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
Process: C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"
Signatures triggered by this process:
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\ProgramData\OMYOWHZW\Browsers\Firefox\Bookmarks.txt
Filesize: 105B
MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\ProgramData\OMYOWHZW\FileGrabber\Desktop\ConvertToTrace.jpeg
Filesize: 785KB
MD5: d2f4ea36d8fd4716d6fd6820cbddb3e6
SHA1: b05ae5274fed9a29285960e5be157c55cbda13d9
SHA256: 00bc48ab0e0132bc2d8ca8823ff7c25a534acbe899b8f9ceac464c20b472c35a
SHA512: f4e283ac85bee409d0e229c44051ebdc70e302746a4884d8e4a6d0d29f3e02f73139042cbc8304d5c9d960aceaa21dfaae8c4983b51564261086df6cb8a2581e

C:\ProgramData\OMYOWHZW\FileGrabber\Desktop\DismountPush.xlsx
Filesize: 392KB
MD5: 4a35445a625358afb991b19eeae30030
SHA1: c234a6f50e2ce249b53342ac71217b0b0ca5ddaa
SHA256: 880ef633b5b29bd0e04efb34d75499029335ee4db8b9a0769c7ae58c121327cb
SHA512: bf459d4b84ffa74bdb62ffbee303c14095b688a82e5e3a199a96321d45574531aa1f0737026c40d752fee294fbb4cfa04f19705c54eb940ac67aab423a899020

C:\ProgramData\OMYOWHZW\FileGrabber\Documents\CloseReset.html
Filesize: 557KB
MD5: 37eb6cf1a0194cff092a97d0ead9e384
SHA1: 183ce622fd56dce9d4fbee02d80707aba68256bc
SHA256: 90b44f2f27b82d672a254e17855608779234d7fc6e2d4505557535ff1f0d9bfb
SHA512: 8971bfdc60307e6779641c454a372a026a737a363ce4de9385184e806c5fe4afcc2fc7274d6ae0699a3d9ff49dd49b508b93ccd712b29bea698d4af9a78be398

C:\ProgramData\OMYOWHZW\FileGrabber\Documents\EditComplete.pdf
Filesize: 692KB
MD5: b443cc49c2c2e40a4f4ad2db0bb5ec2e
SHA1: 4086b629a7c521a62854008d466492b21ea87cc2
SHA256: 5c55a20c0ec8d9669f64a065efc82c5dc04e2b9598b0cdd40f133bcbae602bb1
SHA512: 6748cc1ae5cdc226f0686164dcee543f077007f3675c0f5cde0e905e5a028073a939c2ebc159af5a1ee09044d71a149b7df6282f6edaf0714389ddfa9ed4f0af

C:\ProgramData\OMYOWHZW\FileGrabber\Downloads\CheckpointClose.rtf
Filesize: 656KB
MD5: 9faf1d994caab14f4273981b41a6a787
SHA1: d4ce5e567b7a1a15f2e23f8c0e86221cad86adb0
SHA256: a075c1fcfbf798d473dfa09f74fccb0f525dc80c6c7a4928cf1c3c31f1275bdc
SHA512: dbc999b8914462f0ea55f6559856946bce5bfd31903cbbb369c627ab8623b65820aac1da59ceaa21e86a16de30ec36189ef516280e86ab123b29caa3292a32df

C:\ProgramData\OMYOWHZW\FileGrabber\Downloads\ExitFind.rtf
Filesize: 592KB
MD5: caf0286e07cb58f8f93c052975192f3a
SHA1: 0caecc1e356fe23831248f2a585e465f08333754
SHA256: f2e6b7f3f6e536bf62faa6828b2c8e13f08c1ab18abbbfd4bc733937bc301338
SHA512: bf172ef45a5bf714a3c1ef5976fb5402c8267e2ae1881d20c01e2b360358f8cd58f1dde12a2afc178be6606e057ae9ea5ac4a225af16e06dd53feab50a11458a

C:\ProgramData\OMYOWHZW\FileGrabber\Pictures\CompressPing.jpg
Filesize: 992KB
MD5: 661e072de77306ed328f0aae0ad8e697
SHA1: 8b39e61df6072da2a8598d37ca8ad12d61a9e11a
SHA256: 2d8a4222091da28e441ea5c238d283bb0317d160338a261255742621a5708088
SHA512: 4c78b78d1a84979646e48546af53d358160c54c676c1fb965cc8d42394e3e354cdc32276722fc5dfaa7782d50b9f935ddcf60ebb74cf3a6d38f95cf73b0a1a35

C:\ProgramData\OMYOWHZW\FileGrabber\Pictures\InstallSubmit.svg
Filesize: 1.2MB
MD5: 914d947cb8ddd4678471b47a924c8027
SHA1: 72b489bee8656b2d72e21af435792b1d84d34dff
SHA256: 86e302dcf86881d319fe0a38ce3fd17d1f2dcd9251bf9062c782a57788ced246
SHA512: b0d5291d9c66a9d521d8b1eff95b79e7fad6552eb106c71c7126c80152f593a91382e63ff1b2ad17deeade854d17ed4cfec2cd9cc1ae005123bb2409af47b720

C:\ProgramData\OMYOWHZW\Process.txt
Filesize: 4KB
MD5: effa9740d01f6a099c9d241990cddaa8
SHA1: acb86f9b149c81554b38ca8a0ea9ee75fefd2ff2
SHA256: 2cf0a6e88df64f73e3a28027688119457f0801aec0dff7c6efee9d3a19609d24
SHA512: d5bd6b1cd6d1d9ebee6a28e6ee88ac7084e87fe36eaf2479250f45f60facd5ec8574d5f627fbc206704901e0f1148e91db14c14391c0b4c4883e8a528dee43fb

memory/2840-32-0x00000000069C0000-0x0000000006A52000-memory.dmp
Filesize: 584KB

memory/2840-1-0x0000000000C70000-0x0000000000CC6000-memory.dmp
Filesize: 344KB

memory/2840-0-0x0000000074FAE000-0x0000000074FAF000-memory.dmp
Filesize: 4KB

memory/2840-2-0x0000000074FA0000-0x0000000075750000-memory.dmp
Filesize: 7.7MB

memory/2840-53-0x0000000006D90000-0x0000000006DF6000-memory.dmp
Filesize: 408KB

memory/2840-39-0x0000000007010000-0x00000000075B4000-memory.dmp
Filesize: 5.6MB

memory/2840-237-0x0000000074FAE000-0x0000000074FAF000-memory.dmp
Filesize: 4KB

memory/2840-238-0x0000000074FA0000-0x0000000075750000-memory.dmp
Filesize: 7.7MB

memory/2840-265-0x0000000074FA0000-0x0000000075750000-memory.dmp
Filesize: 7.7MB