Analysis
max time kernel: 137s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-07-2024 16:24
Behavioral task: behavioral1
Sample: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Resource: win10v2004-20240704-en
General
Target: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Size: 320KB
MD5: 86108d3bcc19fe774cc81b71494d31f9
SHA1: d936ce0c2f3ddc35f972c3a87fcaeb036412e009
SHA256: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
SHA512: 151411bf7603856b39169b40cd7b7c68eff1f3f6ccba27d6767384b390e688287c6823aa3f542eeeded92c0e5b584ed429948b99d3c8e22c2b626fdd6bf849f0
SSDEEP: 6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvl:Cm/Q6P8j/svm1TXI5tZB
Malware Config
Signatures
- StormKitty
StormKitty is an open source info stealer written in C#.
- StormKitty payload 1 IoCs
resource: behavioral2/memory/4536-1-0x0000000000770000-0x00000000007C6000-memory.dmp
yara_rule: family_stormkitty
- Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Key opened: \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened: \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened: \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
- Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) 2 IoCs
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
File created: C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Pictures\desktop.ini
File created: C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\desktop.ini
- Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 26: api.ipify.org
flow 28: ip-api.com
flow 1: freegeoip.app
flow 4: freegeoip.app
flow 20: api.ipify.org
- Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Suspicious behavior: EnumeratesProcesses 24 IoCs
pid 4536, process 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe (24 occurrences)
- Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeDebugPrivilege, pid 4536, process 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
- outlook_office_path 1 IoCs
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Key opened: \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path 1 IoCs
Process: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
Key opened: \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
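The signatures above are individually weak (Outlook itself opens its profile keys; plenty of legitimate software asks api.ipify.org for its public address) and only become a confident infostealer verdict in combination. The following is an added example, not part of this report or of StormKitty's source: Python detection logic that scores a process by the number of distinct behaviours from this report it exhibits. The events are constructed from the IoCs listed above (same registry paths, hostnames and staging directory); the Uninstall key path, the two benign processes (pid 1234 and 2222) and the assumption that the staging directory name is always eight uppercase letters (this sample used DJVPRFTV) are mine, not the report's.

```python
"""Score sandbox-style behaviour events for StormKitty-like infostealer activity."""
import re
from collections import defaultdict

# Constructed sample events modelled on the IoCs in the report above. The two
# benign processes (pid 1234, 2222) are invented to show that one behaviour
# on its own does not flag.
EVENTS = [
    {"pid": 4536, "type": "reg_open",
     "value": r"\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 4536, "type": "reg_open",
     "value": r"\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 4536, "type": "file_create",
     "value": r"C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\desktop.ini"},
    {"pid": 4536, "type": "file_create",
     "value": r"C:\Users\Admin\AppData\Local\DJVPRFTV\Browsers\Firefox\Bookmarks.txt"},
    {"pid": 4536, "type": "dns", "value": "api.ipify.org"},
    {"pid": 4536, "type": "dns", "value": "ip-api.com"},
    {"pid": 4536, "type": "reg_query",
     "value": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"},
    # The report says Uninstall keys were enumerated but prints no path; this path is assumed.
    {"pid": 4536, "type": "reg_open",
     "value": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"pid": 1234, "type": "reg_open",
     "value": r"\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 2222, "type": "dns", "value": "api.ipify.org"},
]

# Both Outlook profile roots seen in the report (Office\<ver>\Outlook and the
# legacy Windows Messaging Subsystem path); the profile GUID is not matched.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(Office\\\d+\.\d+\\Outlook|Windows NT\\CurrentVersion"
    r"\\Windows Messaging Subsystem)\\Profiles\\", re.I)
# Eight uppercase letters is what this one sample used (DJVPRFTV); the length is an assumption.
STAGING_DIR_RE = re.compile(r"\\AppData\\Local\\[A-Z]{8}\\(FileGrabber|Browsers)\\")
CPU_ID_RE = re.compile(
    r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\Identifier)?$", re.I)
UNINSTALL_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "freegeoip.app"}  # network IoCs from the report

# (behaviour name, event types the rule applies to, matcher on the event value)
RULES = [
    ("outlook_profiles", {"reg_open", "reg_query"}, OUTLOOK_PROFILE_RE.search),
    ("stealer_staging_dir", {"file_create"}, STAGING_DIR_RE.search),
    ("cpu_fingerprint", {"reg_open", "reg_query"}, CPU_ID_RE.search),
    ("installed_software_enum", {"reg_open", "reg_query"}, UNINSTALL_RE.search),
    ("external_ip_lookup", {"dns"}, lambda v: v.lower() in IP_LOOKUP_HOSTS),
]


def behaviours_per_pid(events):
    """Map pid -> set of distinct behaviour names observed for that process."""
    seen = defaultdict(set)
    for ev in events:
        for name, types, match in RULES:
            if ev["type"] in types and match(ev["value"]):
                seen[ev["pid"]].add(name)
    return dict(seen)


def flag_infostealers(events, threshold=3):
    """Return pids showing at least `threshold` distinct behaviours.

    The combination is the signal: Outlook opening its own profile key or a
    single public-IP lookup is ordinary activity and must not fire alone.
    """
    return sorted(pid for pid, b in behaviours_per_pid(events).items()
                  if len(b) >= threshold)


if __name__ == "__main__":
    for pid, b in sorted(behaviours_per_pid(EVENTS).items()):
        print(pid, sorted(b))
    print("flagged:", flag_infostealers(EVENTS))
```

Running it flags only pid 4536, which hits all five rules, while the Outlook-only and IP-lookup-only processes stay below the threshold. The rules key on structural patterns (profile roots, the `<random>\FileGrabber\` staging layout, the CentralProcessor key) rather than on the sample's hash or the specific directory name, so a rebuilt StormKitty with a fresh random folder name still scores the same.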
Processes
- C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\DJVPRFTV\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
- C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\CheckpointEnable.rtf
  Filesize: 256KB
  MD5: c0b854aaa1481ebed201bb28984e10f6
  SHA1: 393d259622c3d6ce7d7165cc146e3169c43df8df
  SHA256: b3f4fafb3f335b2ddc978e4adb5f04d94506834d3ef5a9622b181a0c19217f9a
  SHA512: 79cbba2e21c5dcb067ffea967da936dac3f7aea56b0f17301f4c93de978743a8602a339e20f43ce0a80f62263c09b6132beab7372db02e04ff547dc6c513b14e
- C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\CompareCheckpoint.jpeg
  Filesize: 179KB
  MD5: deaad2210966073a544ce701c90ae5d3
  SHA1: 59ebc204aff3c24c49ce7a40c45062d4ffe37cca
  SHA256: ed84d2fbcf63d75bd8d28df61a6aaa9fbfb83dbe8f4a6bae691bd09c01285744
  SHA512: fe9702e9e2a7d292e41e95500212c3143b342a0cd081cfd3e0e82d957b903222399057f3e659a954969d0f5c0dbce1d6059ccf5096551cd3964005cb0348bec0
- C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\DisableCompare.html
  Filesize: 151KB
  MD5: 25f9f6f15e749534f3db0a2079c445f5
  SHA1: be3133681b6092af03e2325afdb3bcf48adedecd
  SHA256: 1cb37e5c6220adcd2c72b549711da43b0dd262c39a59a6d8b0b95e49a5b9d9c3
  SHA512: 131795cd52916ecbdde65f536e2fae694c911912ea8033f1c2808e114cbfdfcbd3996fa7a2bada628ade3aeeac19e99564d854c3178b4e15d2a4761e1b6ddb26
- C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\InvokeImport.css
  Filesize: 214KB
  MD5: 02e561d03b5b4186020c27724f3787a4
  SHA1: 4ec35fb7e0089858d5596c2f5da2ff10489b1e9d
  SHA256: 788853b48028c4c0cd0135fe3e6adca6f882937fb0790e566c76042c72e8aca1
  SHA512: f4196fa1c341a2d24831667017b2fb03c340ebed05abddd846ca8e0c7964ddbb4fe60f0ca67859332d31e3cdb83cad6272ebb0c1243a8172f796bf4bb71f0bc0
- C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\JoinDisable.pdf
  Filesize: 172KB
  MD5: e50d86070194763e9090846288e50222
  SHA1: 2f233b106fa9fd56e8f0be54eba4f6e5f41e6672
  SHA256: f1564091585eebf8e511b951afd089c1c7f4a215862f2b7861cafec524ef05f2
  SHA512: b965e05e9a3e47e4e34a526044b8ec43007cd5044301565110416559939c19d2c8ed86d5df7ce97d53a28c87176469431e80ded1fcd1323e8b1bf6471848c1da
- C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\TraceRepair.docx
  Filesize: 193KB
  MD5: 863ea08e9bef0345d6c6e17af62b26b2
  SHA1: 9247e80576c722988ce7668ba3e927d93f6f958c
  SHA256: f3c5e5352e72236094a5befa91ddd1f9655ee37d090c89b7bf4ec96a7ab29d4d
  SHA512: 00aba907113b19fee4e4b28743ddece81b09ff88c6bbb7aea4401aad5cdbcc2103555d7e896d7524e654bf9265424dbaf23e44f83aaa7c399e67dfbff5e2b2aa
- C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\WriteUnregister.php
  Filesize: 228KB
  MD5: 83c9566df27c6a8a30c6b80bac1020da
  SHA1: debb7ce6b9d33de6f63ac1d5c928e1f5b0fddc93
  SHA256: 847ed08519daaa0764c6fb8c051f7a1dd867d8b9bf0c6f528e614b6093ad7ec7
  SHA512: 6f9a44bf32bfeaef77e83de1609a4f9cd84bcf2b2362653885ec7651416e964f070adb913d40ca7d5aae4b527f8e83b30c47ba15b599d4e19921eb96610f1e18
- C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Documents\BackupBlock.docx
  Filesize: 1.1MB
  MD5: 3300d712438e903e25efa2d47bb83baf
  SHA1: 15bdbb6d3d92de33ded4b5639eabe03ab042bfa3
  SHA256: ca254c9c0603678c1504347cd0c142aa7e4aff393f95b45b3e40958828a3196e
  SHA512: f7557ed2b4dbda08d3fc46088abac284bf4f1cfe0577b81a1b74759314ec977a53db95d49ef7400e139794618671dca425e97b2f24a60d423a87c00895adee99
- C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Documents\CompressSearch.xls
  Filesize: 595KB
  MD5: 524395022f41ef99c20087c20fc0a5f3
  SHA1: 2ed6f05554ad82805a5841972e49cd8914df44d3
  SHA256: c33db37c70d780292df8092335d062458146ab783043fc2d942f20ac6cb6d356
  SHA512: 7c2bd305a046abd7c53729db3e4b36d70d2b01fdb753a13401267b488268d77e2a031a9f9f034195245aebf3a464fbd66d997e699a31bed0f7dd16352e2d6394
- C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Downloads\CloseShow.doc
  Filesize: 425KB
  MD5: aec151fc8ca93acf18e2d64ec0b5bda3
  SHA1: 57050101b10895124369247dcc47dbc2a90505eb
  SHA256: e2d6b18be33692d6e0d4a6a75fc53077b4ed5267fdb6d6b65807ed54cde60ba7
  SHA512: c05fc5480bd3aeab978597073aea93fdb2873337955fc11b45cbd08eb567a82a539f8a54e3fdce0d437cf5f285563ca07836d9634ba69221e0780d0026dd1a94
- C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Downloads\CompareGrant.txt
  Filesize: 816KB
  MD5: b8e75a98480ab9e9354eb1efc69ee12f
  SHA1: 29c64c634dd1453cb29f0b50c9a05e66fd02e149
  SHA256: 2526a081d6f69a98601a7fe549ae5d0157fdf56fb7a3b2f414bbf005564b55a5
  SHA512: e144de984f6c090e47bc356d525fd6c963d82a9cf5f24c52c23b8bbce6697e106aa435254a78c42e64ef926d105b77e73f5e47e1bedb484c54d3ad56f8e5c8bd
- C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Pictures\CheckpointRedo.png
  Filesize: 533KB
  MD5: 5faa6c524082d8001ee81dcaad51c75e
  SHA1: f25a772832ee9b3785a9602a3e41dad81c0da45d
  SHA256: 61c05aa604aef4f32613f323b38c729bf43cd2ddae0ac838f92a6fe5d1cee60f
  SHA512: bb02788a0e4bf3570b304233e961f92839d6bcbb338c5f413f6e169ec24516511cd75544fbcbdbd389d27fad7fcabb00086c968ce027a341e030d3439efe8cd3
- C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Pictures\UnregisterSwitch.svg
  Filesize: 1.0MB
  MD5: 0c53a4859f2ab65d344be1426aa9a9fb
  SHA1: 0080aa3eb394ba196300116911ccdaa30eafd112
  SHA256: 14e215a0509e3a41283ce6574f37ebf83a3a3e4ad5854aa60304354986817f23
  SHA512: 20768038c47f96c7d85261a3b0135e9227ecb0a071159d3ba11a90c18358458789c3f1adb78a6d03156ac4631f4ba9abd7b7f5281dedbffc5d6cf65c45c3fdf9
- C:\Users\Admin\AppData\Local\DJVPRFTV\Process.txt
  Filesize: 4KB
  MD5: 8ffdc0a1156b079ae04f4b52b28fb3b2
  SHA1: 35b53f7c9769c711a61199453f911a18384256da
  SHA256: f41130d097512f5d8959a1d2e429d45f4e343325f2d83e4469d02479b9d0f36d
  SHA512: f0c02adc4f28ea5ff8d49ca60d797f5d241b4efbc0f8164d4474a10d42dc5f798d4cd0db6fa3a679fbbdc251c9028b617dc1bd6273a09b62040b5564414c2c05
- memory/4536-41-0x00000000069D0000-0x0000000006A36000-memory.dmp
  Filesize: 408KB
- memory/4536-37-0x0000000006B10000-0x00000000070B4000-memory.dmp
  Filesize: 5.6MB
- memory/4536-36-0x00000000064C0000-0x0000000006552000-memory.dmp
  Filesize: 584KB
- memory/4536-2-0x0000000074550000-0x0000000074D00000-memory.dmp
  Filesize: 7.7MB
- memory/4536-1-0x0000000000770000-0x00000000007C6000-memory.dmp
  Filesize: 344KB
- memory/4536-0-0x000000007455E000-0x000000007455F000-memory.dmp
  Filesize: 4KB
- memory/4536-242-0x000000007455E000-0x000000007455F000-memory.dmp
  Filesize: 4KB
- memory/4536-243-0x0000000074550000-0x0000000074D00000-memory.dmp
  Filesize: 7.7MB
- memory/4536-270-0x0000000074550000-0x0000000074D00000-memory.dmp
  Filesize: 7.7MB