Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-07-2024 16:24

General

  • Target

    9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe

  • Size

    320KB

  • MD5

    86108d3bcc19fe774cc81b71494d31f9

  • SHA1

    d936ce0c2f3ddc35f972c3a87fcaeb036412e009

  • SHA256

    9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b

  • SHA512

    151411bf7603856b39169b40cd7b7c68eff1f3f6ccba27d6767384b390e688287c6823aa3f542eeeded92c0e5b584ed429948b99d3c8e22c2b626fdd6bf849f0

  • SSDEEP

    6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvl:Cm/Q6P8j/svm1TXI5tZB

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 5 IoCs
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
    "C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"
    • Accesses Microsoft Outlook profiles
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:2516

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    • Unsecured Credentials: T1552 (2)
      • Credentials In Files: T1552.001 (2)
  • Discovery
    • Query Registry: T1012 (2)
    • System Information Discovery: T1082 (1)
  • Collection
    • Data from Local System: T1005 (2)
    • Email Collection: T1114 (1)

Downloads

  • C:\ProgramData\ELZYPTFV\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\EditExport.html
    Filesize

    219KB

    MD5

    6b039cf336a0cd8b24b139a6c4dff317

    SHA1

    45d3aa1744ba4fed4dc996626c5165729dfdef0d

    SHA256

    ba4e2edd40173a23b9b5332966a4fdd48076757ce9bc3b213e61933cd085c0c3

    SHA512

    881d0f6f00aae504bc67c14ab5b2231fe0e887adffeb549bcba95bc6712c9f9221eed436741c6b3fad0eb5ff424fa03d77b8cfd7099402e38ca49b6d1fd1cc12

  • C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\JoinImport.txt
    Filesize

    417KB

    MD5

    b8c2f91120f953b49ad802e78a05025d

    SHA1

    9ef7166044fed8e1a7ee4e2f5dea48ae2fbbccb6

    SHA256

    0a40da271080c92888ade8a3f1cee009f13555409fe81309f336dd5fade27313

    SHA512

    a6df2cf8a673ecc06d73478c1c4bcc06dc4c1013afac4b879c7ba7e97fff02dcb60da7185880a97078fb2d6dc7ae7e94667d5def5a2b62fbe668c1237588eeb6

  • C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\LockUnprotect.svg
    Filesize

    407KB

    MD5

    3afc8b45553dfd8fcf9328c396a33e65

    SHA1

    09ff9a38f3e155407d7f7e2861764c22cae69604

    SHA256

    0837802d720b2e3874b950b0f924496d820984f40430c56c8d2a6a9e3063c144

    SHA512

    a998651748818b94c8d037eaa1db39351566cc7e6534cd901fc352ecae9a671047bdc5aab68bcdf092a573529c53512c08d3bdace26a5896b503c1243edf7b87

  • C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\RegisterAssert.ini
    Filesize

    156KB

    MD5

    b67cd8e6dd8e3ad739267d43863adfeb

    SHA1

    9d11edf1b139d2369ed5e8beaed78897396f1239

    SHA256

    f84064307d8bed87686e9cc0b66c9c228bdc647fd9c21b7c0ba7a5c6716c5c5b

    SHA512

    85ee943dc50025b9a1550a02067bf6642602b42cf83fdd710c6dedf8f8052c464806889301457a23f2f836fdd4364a6b744ccb07f1315cd692d8589ad88997e8

  • C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\RestartWait.xlsx
    Filesize

    10KB

    MD5

    f6ef91b3d26e1b4fe7e269405d516084

    SHA1

    d0b1a6652de6c43685e9d97bb8ef511b1afef896

    SHA256

    c7013ce1b5533762a8f62f2253d17c2a6d2677a7cff921bc8d877d8126c176e2

    SHA512

    75820bc95816b43005af48d4a1b257724b9c2a038cfe617770e59873d397d590939ac1d02d5c2cdc0dc5780e247746a154a056702582981f5cfa20e98ce6a6f5

  • C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\SelectDebug.jpeg
    Filesize

    334KB

    MD5

    13b4adf9c7fa5702a72c577fe005b649

    SHA1

    dbbf674bb72758aafa85763ef474603d672ab001

    SHA256

    17ec4b4293092d7acb44bd3ea00856afde302d94417a6186ff0880cae52eec76

    SHA512

    ebc3d22cf512c8aad16076eecc2cef80fa2ea2bb2c360623de86acbe55d161bddd4e03eeecc6f500e24f5164bb3f0537f90429e7931f0c0a714dac3b235dc2b1

  • C:\ProgramData\ELZYPTFV\FileGrabber\Documents\ConnectRemove.rtf
    Filesize

    884KB

    MD5

    7afe5bf6fe9ed26d6839df83d062e907

    SHA1

    dba99d3c302b852c966b7e6c66d1ce91590d0391

    SHA256

    abaee788fd723ac8cb1189001888f5b39d08aab5cefe610cdf18d4749578d3c1

    SHA512

    f9a2cac420a012911c5a2d7301ce7b76d8e9d749a4cf1df07132e1ebc99f4e30a65245ee498568360881dfbb52cd9680f961ebcdb5d9f2c18d663cded9d6389d

  • C:\ProgramData\ELZYPTFV\FileGrabber\Documents\SkipWait.xls
    Filesize

    1.8MB

    MD5

    25d4c0907dc14909b1dadbd188316edc

    SHA1

    3d560f0f90f02155bbe211243b4a6caf88399624

    SHA256

    390f55f8449f0ad7835180b34c10eed053b0aae4dda4a2b5e7d836646c1add66

    SHA512

    55ac2e54f94998601b454869c882be3b1055ada7a33d8675d6a04a1ca014ea45ed9026c8a655f78ff55919abe8e8ea7cf06d4c4a64d705332a9fcfef884d173e

  • C:\ProgramData\ELZYPTFV\FileGrabber\Downloads\ConnectGrant.html
    Filesize

    476KB

    MD5

    9424e699a71ac27543a91cfee5cca073

    SHA1

    53907f2fd2f6e73cbaf4064f4ea5afb609dc48b6

    SHA256

    7eee9a6fdd039ad4d90330ea3d76f2f7567a1de8839203afb9b9bcd979adca91

    SHA512

    cc60fdd556b8398f1dbfd9c908bf4c9913ebefb5018a51591f099d10b596c74cadac8e68e9b31252c0c3f2cda6c8f88a9d7b7dc46b0e7ca378cf116f813d0ce5

  • C:\ProgramData\ELZYPTFV\FileGrabber\Downloads\DenyConvert.jpeg
    Filesize

    442KB

    MD5

    bfe48b0e2ad52856b814572672b01d31

    SHA1

    2d0f452ae70d8abb6040f53416e1d83fc35c96b9

    SHA256

    945b9c9998abc142fd6706b79e44ea7455e3e0d8869553f0ade42bd3f4cc5053

    SHA512

    01cc5339b9a6477d773658d3bb9fcb6ec9f523b49991da388167f32cb7ad2dfc9bc4496dfd5c203d2c7f1f06beeb30d2e0c09f22fd4dc0b33142eabdd5bf15d4

  • C:\ProgramData\ELZYPTFV\FileGrabber\Downloads\FormatReset.jpg
    Filesize

    391KB

    MD5

    84424e80ac817b2d92d6814adeff6f2b

    SHA1

    3101cd9714716dc7cf1cf12432f5bb9e47b58814

    SHA256

    2304ab7691ad9873e22376ae614cb147a5de1fc55f7be34e9bceff11f2f08f19

    SHA512

    9cc082b944d690250f9014bdc9645d5469dec0b64df22313a91f9032913c1c41b379500bde98ce38913dbdbefb8e22d059080005244f52d120f0d6b41b411e5c

  • C:\ProgramData\ELZYPTFV\FileGrabber\Pictures\NewSubmit.png
    Filesize

    1.1MB

    MD5

    7c097e3e9f320f0c2e7e9447e386c8bf

    SHA1

    e79eb66548b938baeeae938248f9de82e5063c6d

    SHA256

    a365fec82693652b925ffe1941e12a97e660255090987e9027334de8075c8934

    SHA512

    01441b5d329d06546c7ac288aa3eb19d81c4023214c5e6747701dd01d4453c2f8e6327df3140ed9aabde163cd2e066e590197367707341ff9ebf3a55b3f74a48

  • C:\ProgramData\ELZYPTFV\FileGrabber\Pictures\RedoEnter.svg
    Filesize

    748KB

    MD5

    3006834b8421663a661af48c9e7b3dfb

    SHA1

    e80c9a7b04b414d7fbdc373b9e3eac085356765b

    SHA256

    2cb48bb7dfa0d9286f48c7b0c8d303f5e2989aad94ef6b67d6ef70f2c0149b4c

    SHA512

    85fbdb2269446b3a9ad2fa68c1ee51eea830ea6a21852469afc063f35be71b9692d18ba71ba4019877501b4197b367d280cbe835959882016309d5063c0eb902

  • memory/2516-86-0x0000000074240000-0x000000007492E000-memory.dmp
    Filesize

    6.9MB

  • memory/2516-85-0x000000007424E000-0x000000007424F000-memory.dmp
    Filesize

    4KB

  • memory/2516-2-0x0000000074240000-0x000000007492E000-memory.dmp
    Filesize

    6.9MB

  • memory/2516-1-0x0000000000050000-0x00000000000A6000-memory.dmp
    Filesize

    344KB

  • memory/2516-0-0x000000007424E000-0x000000007424F000-memory.dmp
    Filesize

    4KB

  • memory/2516-211-0x0000000074240000-0x000000007492E000-memory.dmp
    Filesize

    6.9MB