Analysis
- max time kernel: 24s
- max time network: 70s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 06-08-2024 03:33
Behavioral task: behavioral1
- Sample: 7acd7ca811c678a92d62d556cae858dc.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 7acd7ca811c678a92d62d556cae858dc.exe
- Resource: win10v2004-20240802-en
General
- Target: 7acd7ca811c678a92d62d556cae858dc.exe
- Size: 74KB
- MD5: 7acd7ca811c678a92d62d556cae858dc
- SHA1: b05d0fd47d2d905234db53614f725e3744c93b3e
- SHA256: 736f8b467d09e4805d336c56b49ec183355dc433e04b93904d2e8d5876d5b9de
- SHA512: 24fe70950fc092d9de383f5c80c70bdc4bd5e342b927e2fb495752e0036c3d2eb0547f60467ef5019a686fffd2f8057105d13dd566172f9438ffe4434748166b
- SSDEEP: 1536:rNtW7bvrmSbUMiuidaw6v3ZfXR6/A8Id0FWGV09auvIUxjFxtbm:rzTyXRKA8Iwg9auvIUhFxty
Malware Config
Signatures
- Contains code to disable Windows Defender (1 IoC)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource: behavioral1/memory/3068-1-0x0000000000A20000-0x0000000000A38000-memory.dmp
  yara_rule: disable_win_def
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoC)
  resource: behavioral1/memory/3068-1-0x0000000000A20000-0x0000000000A38000-memory.dmp
  yara_rule: family_stormkitty
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Local Drivers\\DriversUpdateProcess_x64.exe"
  process: 7acd7ca811c678a92d62d556cae858dc.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 4
  ioc: checkip.dyndns.org
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 3068
  process: 7acd7ca811c678a92d62d556cae858dc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3068 wrote to memory of 2844; pid: 3068; process: 7acd7ca811c678a92d62d556cae858dc.exe; procid_target: 30
  description: PID 3068 wrote to memory of 2844; pid: 3068; process: 7acd7ca811c678a92d62d556cae858dc.exe; procid_target: 30
  description: PID 3068 wrote to memory of 2844; pid: 3068; process: 7acd7ca811c678a92d62d556cae858dc.exe; procid_target: 30
Processes
- C:\Users\Admin\AppData\Local\Temp\7acd7ca811c678a92d62d556cae858dc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7acd7ca811c678a92d62d556cae858dc.exe"
  PID: 3068
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 3068 -s 1008
    PID: 2844