Analysis

  • max time kernel
    137s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-07-2024 16:24

General

  • Target

    9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe

  • Size

    320KB

  • MD5

    86108d3bcc19fe774cc81b71494d31f9

  • SHA1

    d936ce0c2f3ddc35f972c3a87fcaeb036412e009

  • SHA256

    9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b

  • SHA512

    151411bf7603856b39169b40cd7b7c68eff1f3f6ccba27d6767384b390e688287c6823aa3f542eeeded92c0e5b584ed429948b99d3c8e22c2b626fdd6bf849f0

  • SSDEEP

    6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvl:Cm/Q6P8j/svm1TXI5tZB

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
    "C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"
    • Accesses Microsoft Outlook profiles
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:4536

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    • Unsecured Credentials (T1552): 2
    • Credentials In Files (T1552.001): 2
  • Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 1
  • Collection
    • Data from Local System (T1005): 2
    • Email Collection (T1114): 1

Downloads

  • C:\Users\Admin\AppData\Local\DJVPRFTV\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B


  • C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\CheckpointEnable.rtf
    Filesize

    256KB


  • C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\CompareCheckpoint.jpeg
    Filesize

    179KB


  • C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\DisableCompare.html
    Filesize

    151KB


  • C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\InvokeImport.css
    Filesize

    214KB


  • C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\JoinDisable.pdf
    Filesize

    172KB


  • C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\TraceRepair.docx
    Filesize

    193KB


  • C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\WriteUnregister.php
    Filesize

    228KB


  • C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Documents\BackupBlock.docx
    Filesize

    1.1MB


  • C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Documents\CompressSearch.xls
    Filesize

    595KB


  • C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Downloads\CloseShow.doc
    Filesize

    425KB


  • C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Downloads\CompareGrant.txt
    Filesize

    816KB


  • C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Pictures\CheckpointRedo.png
    Filesize

    533KB


  • C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Pictures\UnregisterSwitch.svg
    Filesize

    1.0MB


  • C:\Users\Admin\AppData\Local\DJVPRFTV\Process.txt
    Filesize

    4KB


  • memory/4536-41-0x00000000069D0000-0x0000000006A36000-memory.dmp
    Filesize

    408KB

  • memory/4536-37-0x0000000006B10000-0x00000000070B4000-memory.dmp
    Filesize

    5.6MB

  • memory/4536-36-0x00000000064C0000-0x0000000006552000-memory.dmp
    Filesize

    584KB

  • memory/4536-2-0x0000000074550000-0x0000000074D00000-memory.dmp
    Filesize

    7.7MB

  • memory/4536-1-0x0000000000770000-0x00000000007C6000-memory.dmp
    Filesize

    344KB

  • memory/4536-0-0x000000007455E000-0x000000007455F000-memory.dmp
    Filesize

    4KB

  • memory/4536-242-0x000000007455E000-0x000000007455F000-memory.dmp
    Filesize

    4KB

  • memory/4536-243-0x0000000074550000-0x0000000074D00000-memory.dmp
    Filesize

    7.7MB

  • memory/4536-270-0x0000000074550000-0x0000000074D00000-memory.dmp
    Filesize

    7.7MB