Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 08-07-2024 16:24

Behavioral task: behavioral1
Sample: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Resource: win10v2004-20240704-en
General
Target: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Size: 320KB
MD5: 86108d3bcc19fe774cc81b71494d31f9
SHA1: d936ce0c2f3ddc35f972c3a87fcaeb036412e009
SHA256: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
SHA512: 151411bf7603856b39169b40cd7b7c68eff1f3f6ccba27d6767384b390e688287c6823aa3f542eeeded92c0e5b584ed429948b99d3c8e22c2b626fdd6bf849f0
SSDEEP: 6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvl:Cm/Q6P8j/svm1TXI5tZB
Malware Config
Signatures

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload 1 IoCs
- resource: behavioral1/memory/2516-1-0x0000000000050000-0x00000000000A6000-memory.dmp
  yara_rule: family_stormkitty
The rule matched the process's own image region (344KB dump, see Downloads), not an injected or unpacked child, so the stealer runs directly in the submitted executable.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill entries.

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The same profile subkey is tried under the Office 16.0, Office 15.0 and Windows Messaging Subsystem locations, which is how a stealer covers several Outlook generations in one pass. Outlook itself opens these keys constantly; the indicator is a non-Outlook image (here a file in the user's Temp directory) doing so.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) 5 IoCs
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- File created: C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\desktop.ini
- File opened for modification: C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\desktop.ini
- File created: C:\ProgramData\ELZYPTFV\FileGrabber\Documents\desktop.ini
- File created: C:\ProgramData\ELZYPTFV\FileGrabber\Downloads\desktop.ini
- File created: C:\ProgramData\ELZYPTFV\FileGrabber\Pictures\desktop.ini
These desktop.ini files sit in the sample's staging directory next to copied user documents (see Downloads), consistent with the Desktop, Documents, Downloads and Pictures folders being copied wholesale rather than with a deliberate desktop.ini write. The C:\ProgramData\<eight capital letters>\FileGrabber\ layout is the more useful indicator.

Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 3: freegeoip.app
- flow 7: freegeoip.app
- flow 16: api.ipify.org
- flow 17: api.ipify.org
- flow 18: ip-api.com
- flow 20: api.ipify.org
- flow 21: api.ipify.org
All three hosts are legitimate services that benign software also uses; the signal is a process outside the browser contacting several of them in quick succession.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments; it is also collected as part of the host fingerprint that stealers send with the stolen data, and many benign programs read the same key, so this is weak on its own.
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier

Suspicious behavior: EnumeratesProcesses 6 IoCs
- pid 2516: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe (6 events)

Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeDebugPrivilege, pid 2516, 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe

outlook_office_path 1 IoCs
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path 1 IoCs
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
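Taken one at a time, the signatures above are weak: Outlook opens its own profile keys, installers read the Uninstall key, and plenty of software asks api.ipify.org for its address. What makes this sample stand out is a single non-Outlook process tripping all of them and writing into a ProgramData\<eight capitals>\FileGrabber tree. The script below is an added example, not the sandbox's or the StormKitty project's code: it replays constructed Sysmon-style events (registry opens, DNS queries, file creates) mirroring the IoCs in this report plus some benign noise, and scores each process on the distinct indicators it trips. The event field names, the weights and the threshold are assumptions of the example.

```python
"""Per-process correlation of the IoCs listed in the report.

Added example: the event format, weights and threshold are assumptions,
not anything the sandbox or StormKitty itself defines.
"""
import re
from collections import defaultdict

# Registry indicators with a weight each. The Outlook pattern covers the three
# locations the sample opened (Office\15.0, Office\16.0 and the Windows
# Messaging Subsystem profile store).
REGISTRY_RULES = [
    ("outlook_profile", 2, re.compile(
        r"\\Software\\Microsoft\\(Office\\\d+\.\d+\\Outlook|"
        r"Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
        re.IGNORECASE)),
    ("cpu_identifier", 1, re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\Identifier$",
        re.IGNORECASE)),
    ("uninstall_enum", 1, re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\",
        re.IGNORECASE)),
]
# Hosts seen in the report's network flows.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "freegeoip.app"}
# Staging tree: <drive>:\ProgramData\<eight capital letters>\{FileGrabber,Browsers}\...
STAGING_RE = re.compile(r"^[A-Za-z]:\\ProgramData\\[A-Z]{8}\\(FileGrabber|Browsers)\\")
# Images for which opening Outlook profile keys is expected behaviour.
EXPECTED_OUTLOOK_READERS = {"outlook.exe"}


def indicators_for(event):
    """Map one event to the (name, weight) indicators it satisfies."""
    etype, target = event["type"], event["target"]
    image = event["image"].rsplit("\\", 1)[-1].lower()
    found = []
    if etype in ("reg_open", "reg_query"):
        for name, weight, rx in REGISTRY_RULES:
            if rx.search(target):
                if name == "outlook_profile" and image in EXPECTED_OUTLOOK_READERS:
                    continue  # Outlook reading its own profile is normal
                found.append((name, weight))
    elif etype == "dns" and target.lower() in IP_LOOKUP_HOSTS:
        found.append(("external_ip_lookup", 2))
    elif etype == "file_create" and STAGING_RE.match(target):
        found.append(("programdata_staging", 3))
    return found


def score_events(events):
    """Return {pid: {"image", "indicators", "score"}} for processes with a hit.

    Each distinct indicator counts once, so repeated reads do not inflate it."""
    hits = defaultdict(lambda: {"image": None, "indicators": set(), "score": 0})
    for ev in events:
        for name, weight in indicators_for(ev):
            entry = hits[ev["pid"]]
            entry["image"] = ev["image"]
            if name not in entry["indicators"]:
                entry["indicators"].add(name)
                entry["score"] += weight
    return dict(hits)


def flag_processes(events, threshold=5):
    """Processes reaching the threshold, or writing into a staging tree at all."""
    return {pid: h for pid, h in score_events(events).items()
            if h["score"] >= threshold or "programdata_staging" in h["indicators"]}


# Constructed events mirroring the report's IoCs, plus benign noise.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe")
SID = "S-1-5-21-3434294380-2554721341-1919518612-1000"
PROFILE = "9375CFF0413111d3B88A00104B2A6676"
SAMPLE_EVENTS = [
    {"pid": 2516, "image": SAMPLE, "type": "reg_open",
     "target": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\{PROFILE}"},
    {"pid": 2516, "image": SAMPLE, "type": "reg_open",
     "target": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\{PROFILE}"},
    {"pid": 2516, "image": SAMPLE, "type": "reg_query",
     "target": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\Identifier"},
    {"pid": 2516, "image": SAMPLE, "type": "dns", "target": "api.ipify.org"},
    {"pid": 2516, "image": SAMPLE, "type": "dns", "target": "freegeoip.app"},
    {"pid": 2516, "image": SAMPLE, "type": "file_create",
     "target": "C:\\ProgramData\\ELZYPTFV\\FileGrabber\\Desktop\\desktop.ini"},
    # Outlook opening its own profile: expected, must not score.
    {"pid": 4100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "type": "reg_open",
     "target": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\{PROFILE}"},
    # A service enumerating installed software: one weak indicator, below threshold.
    {"pid": 5200, "image": "C:\\Windows\\System32\\svchost.exe", "type": "reg_open",
     "target": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ConstructedApp"},
]

if __name__ == "__main__":
    for pid, h in flag_processes(SAMPLE_EVENTS).items():
        print(pid, h["image"], h["score"], sorted(h["indicators"]))
```

Only pid 2516 is flagged: it accumulates outlook_profile (2), cpu_identifier (1), external_ip_lookup (2) and programdata_staging (3) for a score of 8, while the Outlook process is excluded by image and svchost.exe stays at 1. To run this over real telemetry, replace SAMPLE_EVENTS with Sysmon event IDs 12/13 (registry), 22 (DNS) and 11 (file create) normalised to the same four fields.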
Processes
- C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\ProgramData\ELZYPTFV\Browsers\Firefox\Bookmarks.txt
Filesize: 105B
MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\EditExport.html
Filesize: 219KB
MD5: 6b039cf336a0cd8b24b139a6c4dff317
SHA1: 45d3aa1744ba4fed4dc996626c5165729dfdef0d
SHA256: ba4e2edd40173a23b9b5332966a4fdd48076757ce9bc3b213e61933cd085c0c3
SHA512: 881d0f6f00aae504bc67c14ab5b2231fe0e887adffeb549bcba95bc6712c9f9221eed436741c6b3fad0eb5ff424fa03d77b8cfd7099402e38ca49b6d1fd1cc12

C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\JoinImport.txt
Filesize: 417KB
MD5: b8c2f91120f953b49ad802e78a05025d
SHA1: 9ef7166044fed8e1a7ee4e2f5dea48ae2fbbccb6
SHA256: 0a40da271080c92888ade8a3f1cee009f13555409fe81309f336dd5fade27313
SHA512: a6df2cf8a673ecc06d73478c1c4bcc06dc4c1013afac4b879c7ba7e97fff02dcb60da7185880a97078fb2d6dc7ae7e94667d5def5a2b62fbe668c1237588eeb6

C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\LockUnprotect.svg
Filesize: 407KB
MD5: 3afc8b45553dfd8fcf9328c396a33e65
SHA1: 09ff9a38f3e155407d7f7e2861764c22cae69604
SHA256: 0837802d720b2e3874b950b0f924496d820984f40430c56c8d2a6a9e3063c144
SHA512: a998651748818b94c8d037eaa1db39351566cc7e6534cd901fc352ecae9a671047bdc5aab68bcdf092a573529c53512c08d3bdace26a5896b503c1243edf7b87

C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\RegisterAssert.ini
Filesize: 156KB
MD5: b67cd8e6dd8e3ad739267d43863adfeb
SHA1: 9d11edf1b139d2369ed5e8beaed78897396f1239
SHA256: f84064307d8bed87686e9cc0b66c9c228bdc647fd9c21b7c0ba7a5c6716c5c5b
SHA512: 85ee943dc50025b9a1550a02067bf6642602b42cf83fdd710c6dedf8f8052c464806889301457a23f2f836fdd4364a6b744ccb07f1315cd692d8589ad88997e8

C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\RestartWait.xlsx
Filesize: 10KB
MD5: f6ef91b3d26e1b4fe7e269405d516084
SHA1: d0b1a6652de6c43685e9d97bb8ef511b1afef896
SHA256: c7013ce1b5533762a8f62f2253d17c2a6d2677a7cff921bc8d877d8126c176e2
SHA512: 75820bc95816b43005af48d4a1b257724b9c2a038cfe617770e59873d397d590939ac1d02d5c2cdc0dc5780e247746a154a056702582981f5cfa20e98ce6a6f5

C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\SelectDebug.jpeg
Filesize: 334KB
MD5: 13b4adf9c7fa5702a72c577fe005b649
SHA1: dbbf674bb72758aafa85763ef474603d672ab001
SHA256: 17ec4b4293092d7acb44bd3ea00856afde302d94417a6186ff0880cae52eec76
SHA512: ebc3d22cf512c8aad16076eecc2cef80fa2ea2bb2c360623de86acbe55d161bddd4e03eeecc6f500e24f5164bb3f0537f90429e7931f0c0a714dac3b235dc2b1

C:\ProgramData\ELZYPTFV\FileGrabber\Documents\ConnectRemove.rtf
Filesize: 884KB
MD5: 7afe5bf6fe9ed26d6839df83d062e907
SHA1: dba99d3c302b852c966b7e6c66d1ce91590d0391
SHA256: abaee788fd723ac8cb1189001888f5b39d08aab5cefe610cdf18d4749578d3c1
SHA512: f9a2cac420a012911c5a2d7301ce7b76d8e9d749a4cf1df07132e1ebc99f4e30a65245ee498568360881dfbb52cd9680f961ebcdb5d9f2c18d663cded9d6389d

C:\ProgramData\ELZYPTFV\FileGrabber\Documents\SkipWait.xls
Filesize: 1.8MB
MD5: 25d4c0907dc14909b1dadbd188316edc
SHA1: 3d560f0f90f02155bbe211243b4a6caf88399624
SHA256: 390f55f8449f0ad7835180b34c10eed053b0aae4dda4a2b5e7d836646c1add66
SHA512: 55ac2e54f94998601b454869c882be3b1055ada7a33d8675d6a04a1ca014ea45ed9026c8a655f78ff55919abe8e8ea7cf06d4c4a64d705332a9fcfef884d173e

C:\ProgramData\ELZYPTFV\FileGrabber\Downloads\ConnectGrant.html
Filesize: 476KB
MD5: 9424e699a71ac27543a91cfee5cca073
SHA1: 53907f2fd2f6e73cbaf4064f4ea5afb609dc48b6
SHA256: 7eee9a6fdd039ad4d90330ea3d76f2f7567a1de8839203afb9b9bcd979adca91
SHA512: cc60fdd556b8398f1dbfd9c908bf4c9913ebefb5018a51591f099d10b596c74cadac8e68e9b31252c0c3f2cda6c8f88a9d7b7dc46b0e7ca378cf116f813d0ce5

C:\ProgramData\ELZYPTFV\FileGrabber\Downloads\DenyConvert.jpeg
Filesize: 442KB
MD5: bfe48b0e2ad52856b814572672b01d31
SHA1: 2d0f452ae70d8abb6040f53416e1d83fc35c96b9
SHA256: 945b9c9998abc142fd6706b79e44ea7455e3e0d8869553f0ade42bd3f4cc5053
SHA512: 01cc5339b9a6477d773658d3bb9fcb6ec9f523b49991da388167f32cb7ad2dfc9bc4496dfd5c203d2c7f1f06beeb30d2e0c09f22fd4dc0b33142eabdd5bf15d4

C:\ProgramData\ELZYPTFV\FileGrabber\Downloads\FormatReset.jpg
Filesize: 391KB
MD5: 84424e80ac817b2d92d6814adeff6f2b
SHA1: 3101cd9714716dc7cf1cf12432f5bb9e47b58814
SHA256: 2304ab7691ad9873e22376ae614cb147a5de1fc55f7be34e9bceff11f2f08f19
SHA512: 9cc082b944d690250f9014bdc9645d5469dec0b64df22313a91f9032913c1c41b379500bde98ce38913dbdbefb8e22d059080005244f52d120f0d6b41b411e5c

C:\ProgramData\ELZYPTFV\FileGrabber\Pictures\NewSubmit.png
Filesize: 1.1MB
MD5: 7c097e3e9f320f0c2e7e9447e386c8bf
SHA1: e79eb66548b938baeeae938248f9de82e5063c6d
SHA256: a365fec82693652b925ffe1941e12a97e660255090987e9027334de8075c8934
SHA512: 01441b5d329d06546c7ac288aa3eb19d81c4023214c5e6747701dd01d4453c2f8e6327df3140ed9aabde163cd2e066e590197367707341ff9ebf3a55b3f74a48

C:\ProgramData\ELZYPTFV\FileGrabber\Pictures\RedoEnter.svg
Filesize: 748KB
MD5: 3006834b8421663a661af48c9e7b3dfb
SHA1: e80c9a7b04b414d7fbdc373b9e3eac085356765b
SHA256: 2cb48bb7dfa0d9286f48c7b0c8d303f5e2989aad94ef6b67d6ef70f2c0149b4c
SHA512: 85fbdb2269446b3a9ad2fa68c1ee51eea830ea6a21852469afc063f35be71b9692d18ba71ba4019877501b4197b367d280cbe835959882016309d5063c0eb902

memory/2516-86-0x0000000074240000-0x000000007492E000-memory.dmp
Filesize: 6.9MB

memory/2516-85-0x000000007424E000-0x000000007424F000-memory.dmp
Filesize: 4KB

memory/2516-2-0x0000000074240000-0x000000007492E000-memory.dmp
Filesize: 6.9MB

memory/2516-1-0x0000000000050000-0x00000000000A6000-memory.dmp
Filesize: 344KB

memory/2516-0-0x000000007424E000-0x000000007424F000-memory.dmp
Filesize: 4KB

memory/2516-211-0x0000000074240000-0x000000007492E000-memory.dmp
Filesize: 6.9MB
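The dropped files above show the layout a responder should look for on a suspect host: C:\ProgramData\<eight capital letters>\ holding a Browsers\ tree (browser artefacts) and a FileGrabber\ tree mirroring the user's Desktop, Documents, Downloads and Pictures. The script below is an added example, not from the sandbox or the StormKitty project: it walks a ProgramData-style root, keeps only eight-capital directories that actually contain one of those subtrees, and returns a hashed inventory of what was collected so it can be logged as evidence before the staging directory is removed. The fixture it builds is constructed (its contents are made up) and the layout rule is inferred from the paths listed above.

```python
"""Disk triage for the staging layout recorded in the Downloads section.

Added example; fixture contents are constructed and the layout rule (eight
capital letters under ProgramData with a Browsers or FileGrabber subtree)
is inferred from the paths in the report.
"""
import hashlib
import os
import re
import tempfile

STAGING_NAME = re.compile(r"^[A-Z]{8}$")        # ELZYPTFV in this report
STAGING_CHILDREN = {"Browsers", "FileGrabber"}   # subtrees seen in the listing


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large grabbed documents are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_staging_dirs(programdata):
    """Inventory every candidate staging directory directly under `programdata`.

    Returns [{"name", "path", "files": [(relpath, size, sha256), ...]}, ...]."""
    results = []
    if not os.path.isdir(programdata):
        return results
    for name in sorted(os.listdir(programdata)):
        top = os.path.join(programdata, name)
        if not (STAGING_NAME.match(name) and os.path.isdir(top)):
            continue
        children = {c for c in os.listdir(top) if os.path.isdir(os.path.join(top, c))}
        if not children & STAGING_CHILDREN:
            continue  # an eight-letter name alone is not enough
        files = []
        for dirpath, _, names in os.walk(top):
            for f in names:
                p = os.path.join(dirpath, f)
                rel = os.path.relpath(p, top).replace(os.sep, "/")
                files.append((rel, os.path.getsize(p), sha256_file(p)))
        files.sort()
        results.append({"name": name, "path": top, "files": files})
    return results


def build_demo_tree(base):
    """Constructed fixture: the report's layout with made-up contents, plus decoys."""
    layout = {
        "ELZYPTFV/Browsers/Firefox/Bookmarks.txt": b"constructed bookmark export\n",
        "ELZYPTFV/FileGrabber/Desktop/desktop.ini": b"[.ShellClassInfo]\r\n",
        "ELZYPTFV/FileGrabber/Downloads/empty.bin": b"",
        "Microsoft/Diagnosis/x.log": b"legitimate ProgramData content\n",
        "ABCDEFGH/readme.txt": b"eight capitals but no stealer subtree\n",
    }
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base


def demo():
    """Build the fixture in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_staging_dirs(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(hit["name"])
        for rel, size, digest in hit["files"]:
            print(f"  {rel}  {size} B  sha256={digest}")
```

On a live host, call find_staging_dirs on the real ProgramData path (os.environ["ProgramData"] on Windows, or the mounted image's equivalent) and compare the returned hashes against the Downloads list above; a match on one of the grabbed documents ties the host to this exact collection run. The two decoy directories show why the subtree check matters: Microsoft\ fails the name rule and ABCDEFGH\ passes it but holds no stealer tree.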