Malware Analysis Report

2024-09-23 02:50

Sample ID 240708-twtetsxerp
Target 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
SHA256 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
Tags
stormkitty collection discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b

Threat Level: Known bad

The file 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty collection discovery spyware stealer

StormKitty

Stormkitty family

StormKitty payload

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops desktop.ini file(s)

Checks installed software on the system

Unsigned PE

Checks processor information in registry

outlook_office_path

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-08 16:24

Signatures

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-08 16:24

Reported

2024-07-08 16:27

Platform

win7-20240704-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
File opened for modification C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
File created C:\ProgramData\ELZYPTFV\FileGrabber\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
File created C:\ProgramData\ELZYPTFV\FileGrabber\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
File created C:\ProgramData\ELZYPTFV\FileGrabber\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A
N/A api.ipify.org N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe

"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 104.21.73.97:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 ipbase.com udp
US 104.21.85.189:443 ipbase.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 172.67.74.152:443 api.ipify.org tcp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2516-0-0x000000007424E000-0x000000007424F000-memory.dmp

memory/2516-1-0x0000000000050000-0x00000000000A6000-memory.dmp

memory/2516-2-0x0000000074240000-0x000000007492E000-memory.dmp

C:\ProgramData\ELZYPTFV\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2516-85-0x000000007424E000-0x000000007424F000-memory.dmp

memory/2516-86-0x0000000074240000-0x000000007492E000-memory.dmp

C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\EditExport.html

MD5 6b039cf336a0cd8b24b139a6c4dff317
SHA1 45d3aa1744ba4fed4dc996626c5165729dfdef0d
SHA256 ba4e2edd40173a23b9b5332966a4fdd48076757ce9bc3b213e61933cd085c0c3
SHA512 881d0f6f00aae504bc67c14ab5b2231fe0e887adffeb549bcba95bc6712c9f9221eed436741c6b3fad0eb5ff424fa03d77b8cfd7099402e38ca49b6d1fd1cc12

C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\JoinImport.txt

MD5 b8c2f91120f953b49ad802e78a05025d
SHA1 9ef7166044fed8e1a7ee4e2f5dea48ae2fbbccb6
SHA256 0a40da271080c92888ade8a3f1cee009f13555409fe81309f336dd5fade27313
SHA512 a6df2cf8a673ecc06d73478c1c4bcc06dc4c1013afac4b879c7ba7e97fff02dcb60da7185880a97078fb2d6dc7ae7e94667d5def5a2b62fbe668c1237588eeb6

C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\LockUnprotect.svg

MD5 3afc8b45553dfd8fcf9328c396a33e65
SHA1 09ff9a38f3e155407d7f7e2861764c22cae69604
SHA256 0837802d720b2e3874b950b0f924496d820984f40430c56c8d2a6a9e3063c144
SHA512 a998651748818b94c8d037eaa1db39351566cc7e6534cd901fc352ecae9a671047bdc5aab68bcdf092a573529c53512c08d3bdace26a5896b503c1243edf7b87

C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\RegisterAssert.ini

MD5 b67cd8e6dd8e3ad739267d43863adfeb
SHA1 9d11edf1b139d2369ed5e8beaed78897396f1239
SHA256 f84064307d8bed87686e9cc0b66c9c228bdc647fd9c21b7c0ba7a5c6716c5c5b
SHA512 85ee943dc50025b9a1550a02067bf6642602b42cf83fdd710c6dedf8f8052c464806889301457a23f2f836fdd4364a6b744ccb07f1315cd692d8589ad88997e8

C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\RestartWait.xlsx

MD5 f6ef91b3d26e1b4fe7e269405d516084
SHA1 d0b1a6652de6c43685e9d97bb8ef511b1afef896
SHA256 c7013ce1b5533762a8f62f2253d17c2a6d2677a7cff921bc8d877d8126c176e2
SHA512 75820bc95816b43005af48d4a1b257724b9c2a038cfe617770e59873d397d590939ac1d02d5c2cdc0dc5780e247746a154a056702582981f5cfa20e98ce6a6f5

C:\ProgramData\ELZYPTFV\FileGrabber\Desktop\SelectDebug.jpeg

MD5 13b4adf9c7fa5702a72c577fe005b649
SHA1 dbbf674bb72758aafa85763ef474603d672ab001
SHA256 17ec4b4293092d7acb44bd3ea00856afde302d94417a6186ff0880cae52eec76
SHA512 ebc3d22cf512c8aad16076eecc2cef80fa2ea2bb2c360623de86acbe55d161bddd4e03eeecc6f500e24f5164bb3f0537f90429e7931f0c0a714dac3b235dc2b1

C:\ProgramData\ELZYPTFV\FileGrabber\Documents\ConnectRemove.rtf

MD5 7afe5bf6fe9ed26d6839df83d062e907
SHA1 dba99d3c302b852c966b7e6c66d1ce91590d0391
SHA256 abaee788fd723ac8cb1189001888f5b39d08aab5cefe610cdf18d4749578d3c1
SHA512 f9a2cac420a012911c5a2d7301ce7b76d8e9d749a4cf1df07132e1ebc99f4e30a65245ee498568360881dfbb52cd9680f961ebcdb5d9f2c18d663cded9d6389d

C:\ProgramData\ELZYPTFV\FileGrabber\Documents\SkipWait.xls

MD5 25d4c0907dc14909b1dadbd188316edc
SHA1 3d560f0f90f02155bbe211243b4a6caf88399624
SHA256 390f55f8449f0ad7835180b34c10eed053b0aae4dda4a2b5e7d836646c1add66
SHA512 55ac2e54f94998601b454869c882be3b1055ada7a33d8675d6a04a1ca014ea45ed9026c8a655f78ff55919abe8e8ea7cf06d4c4a64d705332a9fcfef884d173e

C:\ProgramData\ELZYPTFV\FileGrabber\Downloads\ConnectGrant.html

MD5 9424e699a71ac27543a91cfee5cca073
SHA1 53907f2fd2f6e73cbaf4064f4ea5afb609dc48b6
SHA256 7eee9a6fdd039ad4d90330ea3d76f2f7567a1de8839203afb9b9bcd979adca91
SHA512 cc60fdd556b8398f1dbfd9c908bf4c9913ebefb5018a51591f099d10b596c74cadac8e68e9b31252c0c3f2cda6c8f88a9d7b7dc46b0e7ca378cf116f813d0ce5

C:\ProgramData\ELZYPTFV\FileGrabber\Downloads\DenyConvert.jpeg

MD5 bfe48b0e2ad52856b814572672b01d31
SHA1 2d0f452ae70d8abb6040f53416e1d83fc35c96b9
SHA256 945b9c9998abc142fd6706b79e44ea7455e3e0d8869553f0ade42bd3f4cc5053
SHA512 01cc5339b9a6477d773658d3bb9fcb6ec9f523b49991da388167f32cb7ad2dfc9bc4496dfd5c203d2c7f1f06beeb30d2e0c09f22fd4dc0b33142eabdd5bf15d4

C:\ProgramData\ELZYPTFV\FileGrabber\Downloads\FormatReset.jpg

MD5 84424e80ac817b2d92d6814adeff6f2b
SHA1 3101cd9714716dc7cf1cf12432f5bb9e47b58814
SHA256 2304ab7691ad9873e22376ae614cb147a5de1fc55f7be34e9bceff11f2f08f19
SHA512 9cc082b944d690250f9014bdc9645d5469dec0b64df22313a91f9032913c1c41b379500bde98ce38913dbdbefb8e22d059080005244f52d120f0d6b41b411e5c

C:\ProgramData\ELZYPTFV\FileGrabber\Pictures\NewSubmit.png

MD5 7c097e3e9f320f0c2e7e9447e386c8bf
SHA1 e79eb66548b938baeeae938248f9de82e5063c6d
SHA256 a365fec82693652b925ffe1941e12a97e660255090987e9027334de8075c8934
SHA512 01441b5d329d06546c7ac288aa3eb19d81c4023214c5e6747701dd01d4453c2f8e6327df3140ed9aabde163cd2e066e590197367707341ff9ebf3a55b3f74a48

C:\ProgramData\ELZYPTFV\FileGrabber\Pictures\RedoEnter.svg

MD5 3006834b8421663a661af48c9e7b3dfb
SHA1 e80c9a7b04b414d7fbdc373b9e3eac085356765b
SHA256 2cb48bb7dfa0d9286f48c7b0c8d303f5e2989aad94ef6b67d6ef70f2c0149b4c
SHA512 85fbdb2269446b3a9ad2fa68c1ee51eea830ea6a21852469afc063f35be71b9692d18ba71ba4019877501b4197b367d280cbe835959882016309d5063c0eb902

memory/2516-211-0x0000000074240000-0x000000007492E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-08 16:24

Reported

2024-07-08 16:27

Platform

win10v2004-20240704-en

Max time kernel

137s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
File created C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A
N/A api.ipify.org N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe

"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 104.21.73.97:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 97.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 15.64.125.162.in-addr.arpa udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 ipbase.com udp
US 172.67.209.71:443 ipbase.com tcp
US 8.8.8.8:53 71.209.67.172.in-addr.arpa udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/4536-0-0x000000007455E000-0x000000007455F000-memory.dmp

memory/4536-1-0x0000000000770000-0x00000000007C6000-memory.dmp

memory/4536-2-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4536-36-0x00000000064C0000-0x0000000006552000-memory.dmp

memory/4536-37-0x0000000006B10000-0x00000000070B4000-memory.dmp

memory/4536-41-0x00000000069D0000-0x0000000006A36000-memory.dmp

C:\Users\Admin\AppData\Local\DJVPRFTV\Process.txt

MD5 8ffdc0a1156b079ae04f4b52b28fb3b2
SHA1 35b53f7c9769c711a61199453f911a18384256da
SHA256 f41130d097512f5d8959a1d2e429d45f4e343325f2d83e4469d02479b9d0f36d
SHA512 f0c02adc4f28ea5ff8d49ca60d797f5d241b4efbc0f8164d4474a10d42dc5f798d4cd0db6fa3a679fbbdc251c9028b617dc1bd6273a09b62040b5564414c2c05

C:\Users\Admin\AppData\Local\DJVPRFTV\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\CheckpointEnable.rtf

MD5 c0b854aaa1481ebed201bb28984e10f6
SHA1 393d259622c3d6ce7d7165cc146e3169c43df8df
SHA256 b3f4fafb3f335b2ddc978e4adb5f04d94506834d3ef5a9622b181a0c19217f9a
SHA512 79cbba2e21c5dcb067ffea967da936dac3f7aea56b0f17301f4c93de978743a8602a339e20f43ce0a80f62263c09b6132beab7372db02e04ff547dc6c513b14e

C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\CompareCheckpoint.jpeg

MD5 deaad2210966073a544ce701c90ae5d3
SHA1 59ebc204aff3c24c49ce7a40c45062d4ffe37cca
SHA256 ed84d2fbcf63d75bd8d28df61a6aaa9fbfb83dbe8f4a6bae691bd09c01285744
SHA512 fe9702e9e2a7d292e41e95500212c3143b342a0cd081cfd3e0e82d957b903222399057f3e659a954969d0f5c0dbce1d6059ccf5096551cd3964005cb0348bec0

C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\DisableCompare.html

MD5 25f9f6f15e749534f3db0a2079c445f5
SHA1 be3133681b6092af03e2325afdb3bcf48adedecd
SHA256 1cb37e5c6220adcd2c72b549711da43b0dd262c39a59a6d8b0b95e49a5b9d9c3
SHA512 131795cd52916ecbdde65f536e2fae694c911912ea8033f1c2808e114cbfdfcbd3996fa7a2bada628ade3aeeac19e99564d854c3178b4e15d2a4761e1b6ddb26

C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\InvokeImport.css

MD5 02e561d03b5b4186020c27724f3787a4
SHA1 4ec35fb7e0089858d5596c2f5da2ff10489b1e9d
SHA256 788853b48028c4c0cd0135fe3e6adca6f882937fb0790e566c76042c72e8aca1
SHA512 f4196fa1c341a2d24831667017b2fb03c340ebed05abddd846ca8e0c7964ddbb4fe60f0ca67859332d31e3cdb83cad6272ebb0c1243a8172f796bf4bb71f0bc0

C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\JoinDisable.pdf

MD5 e50d86070194763e9090846288e50222
SHA1 2f233b106fa9fd56e8f0be54eba4f6e5f41e6672
SHA256 f1564091585eebf8e511b951afd089c1c7f4a215862f2b7861cafec524ef05f2
SHA512 b965e05e9a3e47e4e34a526044b8ec43007cd5044301565110416559939c19d2c8ed86d5df7ce97d53a28c87176469431e80ded1fcd1323e8b1bf6471848c1da

C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\TraceRepair.docx

MD5 863ea08e9bef0345d6c6e17af62b26b2
SHA1 9247e80576c722988ce7668ba3e927d93f6f958c
SHA256 f3c5e5352e72236094a5befa91ddd1f9655ee37d090c89b7bf4ec96a7ab29d4d
SHA512 00aba907113b19fee4e4b28743ddece81b09ff88c6bbb7aea4401aad5cdbcc2103555d7e896d7524e654bf9265424dbaf23e44f83aaa7c399e67dfbff5e2b2aa

C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Desktop\WriteUnregister.php

MD5 83c9566df27c6a8a30c6b80bac1020da
SHA1 debb7ce6b9d33de6f63ac1d5c928e1f5b0fddc93
SHA256 847ed08519daaa0764c6fb8c051f7a1dd867d8b9bf0c6f528e614b6093ad7ec7
SHA512 6f9a44bf32bfeaef77e83de1609a4f9cd84bcf2b2362653885ec7651416e964f070adb913d40ca7d5aae4b527f8e83b30c47ba15b599d4e19921eb96610f1e18

C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Documents\BackupBlock.docx

MD5 3300d712438e903e25efa2d47bb83baf
SHA1 15bdbb6d3d92de33ded4b5639eabe03ab042bfa3
SHA256 ca254c9c0603678c1504347cd0c142aa7e4aff393f95b45b3e40958828a3196e
SHA512 f7557ed2b4dbda08d3fc46088abac284bf4f1cfe0577b81a1b74759314ec977a53db95d49ef7400e139794618671dca425e97b2f24a60d423a87c00895adee99

C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Documents\CompressSearch.xls

MD5 524395022f41ef99c20087c20fc0a5f3
SHA1 2ed6f05554ad82805a5841972e49cd8914df44d3
SHA256 c33db37c70d780292df8092335d062458146ab783043fc2d942f20ac6cb6d356
SHA512 7c2bd305a046abd7c53729db3e4b36d70d2b01fdb753a13401267b488268d77e2a031a9f9f034195245aebf3a464fbd66d997e699a31bed0f7dd16352e2d6394

C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Downloads\CloseShow.doc

MD5 aec151fc8ca93acf18e2d64ec0b5bda3
SHA1 57050101b10895124369247dcc47dbc2a90505eb
SHA256 e2d6b18be33692d6e0d4a6a75fc53077b4ed5267fdb6d6b65807ed54cde60ba7
SHA512 c05fc5480bd3aeab978597073aea93fdb2873337955fc11b45cbd08eb567a82a539f8a54e3fdce0d437cf5f285563ca07836d9634ba69221e0780d0026dd1a94

C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Downloads\CompareGrant.txt

MD5 b8e75a98480ab9e9354eb1efc69ee12f
SHA1 29c64c634dd1453cb29f0b50c9a05e66fd02e149
SHA256 2526a081d6f69a98601a7fe549ae5d0157fdf56fb7a3b2f414bbf005564b55a5
SHA512 e144de984f6c090e47bc356d525fd6c963d82a9cf5f24c52c23b8bbce6697e106aa435254a78c42e64ef926d105b77e73f5e47e1bedb484c54d3ad56f8e5c8bd

C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Pictures\CheckpointRedo.png

MD5 5faa6c524082d8001ee81dcaad51c75e
SHA1 f25a772832ee9b3785a9602a3e41dad81c0da45d
SHA256 61c05aa604aef4f32613f323b38c729bf43cd2ddae0ac838f92a6fe5d1cee60f
SHA512 bb02788a0e4bf3570b304233e961f92839d6bcbb338c5f413f6e169ec24516511cd75544fbcbdbd389d27fad7fcabb00086c968ce027a341e030d3439efe8cd3

C:\Users\Admin\AppData\Local\DJVPRFTV\FileGrabber\Pictures\UnregisterSwitch.svg

MD5 0c53a4859f2ab65d344be1426aa9a9fb
SHA1 0080aa3eb394ba196300116911ccdaa30eafd112
SHA256 14e215a0509e3a41283ce6574f37ebf83a3a3e4ad5854aa60304354986817f23
SHA512 20768038c47f96c7d85261a3b0135e9227ecb0a071159d3ba11a90c18358458789c3f1adb78a6d03156ac4631f4ba9abd7b7f5281dedbffc5d6cf65c45c3fdf9

memory/4536-242-0x000000007455E000-0x000000007455F000-memory.dmp

memory/4536-243-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4536-270-0x0000000074550000-0x0000000074D00000-memory.dmp