General
- Target: shellbag anylizer.exe
- Size: 302KB
- Sample: 240807-qw4c9asfje
- MD5: 722ed5e7ff86512f825d296e073413eb
- SHA1: cb452bdb2c77c3edbe46374fdebc8f6009798aa1
- SHA256: 13b348cd229e23b0e55c9c2088a51916b819a369e363de8d11d7cb6391f29176
- SHA512: 000fc1a7e61b0ea48056fba746aa3200545002797bf76519e5fe28d48ad30a093fc13860d05a07d697d19d246f627962782d1c1aa62d6e07aa7e6c19806f028a
- SSDEEP: 1536:vUvlGtNL49D1Qo2u5hpisqGXfFHfrXEvIzVAXuiRp6EE8bMlnEfwGzod8MddBK1d:cvAT49D1l2SMubpxiBYe1oUJ2hsOFlD

Static task: static1

Behavioral task: behavioral1
- Sample: shellbag anylizer.exe
- Resource: win7-20240705-en

Behavioral task: behavioral2
- Sample: shellbag anylizer.exe
- Resource: win10v2004-20240802-en
Malware Config

Targets
- Target: shellbag anylizer.exe
  - Size: 302KB
  - MD5: 722ed5e7ff86512f825d296e073413eb
  - SHA1: cb452bdb2c77c3edbe46374fdebc8f6009798aa1
  - SHA256: 13b348cd229e23b0e55c9c2088a51916b819a369e363de8d11d7cb6391f29176
  - SHA512: 000fc1a7e61b0ea48056fba746aa3200545002797bf76519e5fe28d48ad30a093fc13860d05a07d697d19d246f627962782d1c1aa62d6e07aa7e6c19806f028a
  - SSDEEP: 1536:vUvlGtNL49D1Qo2u5hpisqGXfFHfrXEvIzVAXuiRp6EE8bMlnEfwGzod8MddBK1d:cvAT49D1l2SMubpxiBYe1oUJ2hsOFlD

  Signatures:
  - StormKitty payload
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Credentials from Password Stores: Credentials from Web Browsers (malicious access to, or copy of, a web browser credential store)
  - Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Legitimate hosting services abused for malware hosting/C2
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)