Analysis Overview
SHA256
1afc6f0b461fe194e24493a0c57c8320518ebbd50b74234caac0c578e6843380
Threat Level: Known bad
The file Server.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
Stormkitty family
Async RAT payload
Asyncrat family
AsyncRat
StormKitty
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Looks up geolocation information via web service
Looks up external IP address via web service
Browser Information Discovery
Unsigned PE
System Network Configuration Discovery: Wi-Fi Discovery
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-08 12:48
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-08 12:48
Reported
2024-08-08 12:50
Platform
win10-20240611-uk
Max time kernel
57s
Max time network
51s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.0.1218536573\1753954514" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1696 -prefsLen 20767 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e6adf61-28f2-4b2a-87b1-24c007ac44be} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 1796 225ff0dd558 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.1.157385489\1461042933" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20848 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2903282-5dd4-4695-9aae-51d1cb7c76d0} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 2152 225fb971c58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.2.514188841\2044967124" -childID 1 -isForBrowser -prefsHandle 1580 -prefMapHandle 2840 -prefsLen 20951 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8c79129-4541-4a0f-ba97-b971b841f484} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 3016 2258abadc58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.3.869631027\2103091711" -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3516 -prefsLen 26136 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea9ac86-df54-48b4-8eb9-daa97d947e02} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 3532 2258ba21b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.4.1966176498\1886670980" -childID 3 -isForBrowser -prefsHandle 4044 -prefMapHandle 3828 -prefsLen 26271 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {006f9d45-38cc-42fc-90a4-83167453644d} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 4056 2258bebe758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.5.1266405280\1138692174" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5032 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {387ef80f-711a-4de3-95f4-80247bd018a5} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 4948 2258ccd2058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.6.1471543359\826457425" -childID 5 -isForBrowser -prefsHandle 4960 -prefMapHandle 4888 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e79b8dfd-7fec-4644-b5bb-f81db7d908ba} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 4832 2258ccd3b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.7.1354349508\1983092733" -childID 6 -isForBrowser -prefsHandle 5284 -prefMapHandle 5288 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb87000b-bdc0-46af-a127-987ab2281a74} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 5248 2258ccd2c58 tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 241.185.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:49970 | N/A | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | 161.99.165.35.in-addr.arpa | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | 53.121.117.34.in-addr.arpa | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| N/A | 127.0.0.1:49978 | N/A | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
Files
memory/4368-0-0x00000000735AE000-0x00000000735AF000-memory.dmp
memory/4368-1-0x0000000000AB0000-0x0000000000AE2000-memory.dmp
memory/4368-2-0x00000000735A0000-0x0000000073C8E000-memory.dmp
memory/4368-3-0x0000000005460000-0x00000000054C6000-memory.dmp
C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\System\Process.txt
| MD5 | c1091e96896e3e91848810cd8493630a |
| SHA1 | f3ee038ce38de1555fbf90241f8a4083c83191d0 |
| SHA256 | 0b41061107ab7f9b92dfee320f5991574479ce6666e875761fa835c3bd43cfe4 |
| SHA512 | 7c44575ce1177b9a7c5a50111af9905eaa84073badc0db60ef3e989ce36e4b7efb02417ac6926d2d7ba68bed647fdd2893f9d9c7f6988a93251bf45179f8b79b |
memory/4368-116-0x0000000006230000-0x00000000062C2000-memory.dmp
memory/4368-117-0x00000000735A0000-0x0000000073C8E000-memory.dmp
memory/4368-118-0x00000000067D0000-0x0000000006CCE000-memory.dmp
memory/4368-122-0x0000000006330000-0x000000000633A000-memory.dmp
memory/4368-123-0x00000000735AE000-0x00000000735AF000-memory.dmp
C:\Users\Admin\AppData\Local\231608184e03f43a514548b074a2ab7b\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/4368-129-0x00000000735A0000-0x0000000073C8E000-memory.dmp
memory/4368-130-0x00000000063E0000-0x00000000063F2000-memory.dmp
memory/4368-159-0x00000000735A0000-0x0000000073C8E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\e78b9ef9-87af-4145-b768-20e14c2e1c66
| MD5 | 93a9c7c74231aa4dacef81a0353bec6a |
| SHA1 | 6a709dad6aad40b9e83a49038c8bf73bde271765 |
| SHA256 | e876543c5670cc96b6919f22605f0cc99e7992a3550b0e44a6c7933d0d9f5d0f |
| SHA512 | 6ab40c30c433baae92914215ff8b1987d2540dc59ecaf0ff98256172fc6ea85c21d0ed1024a34a88164da98a791b755efdc81194d717c9a51c13d3deb199a7a4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\e285fac2-53a2-4d10-a91d-d365bad7d808
| MD5 | 933fc4cd004171fdbbef0f7a3db2ecdb |
| SHA1 | b955d127aa33bcddb5747c916c057abd60453302 |
| SHA256 | a46f393923aa3622aa6f1935004ff8540ebd7b534f2c2ddb6095f3132b7cbf84 |
| SHA512 | 0cb9ec0d628bbac0191da655bafb5d1c13ee7eaf7eb987e8ff7129ed737373214dfad827775dfcabde969831a3cd61f9db6337f9b123b450b2f0d0f5f5972700 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin
| MD5 | ba5a60828a11fc7f283e549f02d49966 |
| SHA1 | 2ebc93cb6bf122c233bb5c96690760a538a3f13b |
| SHA256 | f3bc0672de28d6e3acbe3fd62b7d30bbc5bc47c37ec6efcc00fb0574acbe3ea7 |
| SHA512 | 6976fc179b0fb3d8a032f605881e2d04597e1454eef729f9c4f6e79517bfa338077ae0e1347184526555aadcdb44ef4b90d74a41d421854f14b4e9ad71970282 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 3deabc6c8e1a2846276bb27abaed37cd |
| SHA1 | 6142c6bdb3a48dd647eed9ff95b1eb3b2df88be5 |
| SHA256 | cac6be3c6012aaac021921ac30d2f91040879564c85b6d2d8a4183a63c6d52a3 |
| SHA512 | 02ec0d469e1e2567f05bc540ba1be7dab4b23778209d59cea486841ff58d26ba9c413c516e4c73300ef7014eb63f4e7ba395092eb5d59eb5f86c743644f1ec44 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | c460716b62456449360b23cf5663f275 |
| SHA1 | 06573a83d88286153066bae7062cc9300e567d92 |
| SHA256 | 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0 |
| SHA512 | 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js
| MD5 | 4d219f6608474083d6f98d899c6e3010 |
| SHA1 | 5e7506f39e9ae5f9267186d044e826166194fe35 |
| SHA256 | ac4bed6c8d3d78d8177eaaf7301bdf7abe790ca3002fc956c4d8e3a55c93e9d9 |
| SHA512 | 1b3aee0e5e7a986ff3dd494684c7bdc1b956e42ecaed5beb2b7b2b7aa4574498d04eeeb22651a1100bea6337b4b383e252c8c96464379071dd11e2cda64bf47a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js
| MD5 | 523becf1b3fd29bba0051ce0d96fab41 |
| SHA1 | d52b0825f9b02fc1c56c7ee66a4fa4333225b889 |
| SHA256 | bb25d5b2f28158c780fa9ca5e0f894e06cf9bf47e7b308e97ea42fd041169d82 |
| SHA512 | 3f3666ed69878c45ec0e9615b8b3e37a4722622fc453052845c74e9918d410451623fb038017da350c03e3abe231ffb2946c9ffec797c62d1e083c67a3184cf5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js
| MD5 | 85d9cdd76d1032af079a0b9769af7187 |
| SHA1 | 539936dd575e98d8c3e8c2d9f75803f9343cc566 |
| SHA256 | 881c2db8111942eaa34e39964872d838a02dc0a91831f3ad297ff795d6a33018 |
| SHA512 | 6ae78dc13748fcbe783c8289240ece9db4b6026af812e6a236bd8ed8e4687e3780ce30e03c597622d3f4353aee7ecec4a8232b86fab714094f20308afa8f9713 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 23ccbcea53ea15ef3326ac197fc24b46 |
| SHA1 | a80562bb64b108e5c9ecea69de1052781dbe24fc |
| SHA256 | 2d337527d3f08141b098a60f2e43c78d8d78569254c261dc78938c7d1cd0b861 |
| SHA512 | 899f9a477aad546ff55a9f5a0aa7ac7550808202dd4a68ed6bd674eb3ca521efb10b6b4ae92069dc23d97d0be5fc141e93c7f2deed2d923ed634f8958657d17c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-08 12:48
Reported
2024-08-08 12:50
Platform
win10-20240404-uk
Max time kernel
59s
Max time network
19s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 241.185.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
Files
memory/3780-0-0x0000000073B3E000-0x0000000073B3F000-memory.dmp
memory/3780-1-0x0000000000EE0000-0x0000000000F12000-memory.dmp
memory/3780-2-0x0000000073B30000-0x000000007421E000-memory.dmp
memory/3780-3-0x0000000005860000-0x00000000058C6000-memory.dmp
C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\System\Process.txt
| MD5 | 611946c3bd811488ff2e23a474b63a17 |
| SHA1 | a6ad6c28658bde0658908d71c59e20c1778d9d84 |
| SHA256 | 7770b0bb8fc86ffc7ac8c572fdff03f3e092b4da1477935d824e01c240f0f0ac |
| SHA512 | 9f068ee547debc6c4ef358225217ce6fa23b0db00df8e6b8e48a4df079c9ed7347ec8e18962ce3f0aa899ffa0dd5e7568a16707c85a178d82aff4c22acc937b5 |
memory/3780-119-0x0000000073B30000-0x000000007421E000-memory.dmp
memory/3780-120-0x0000000006260000-0x00000000062F2000-memory.dmp
memory/3780-121-0x0000000006800000-0x0000000006CFE000-memory.dmp
memory/3780-125-0x0000000006460000-0x000000000646A000-memory.dmp
C:\Users\Admin\AppData\Local\3794b58cea973abf9fbca2862ded3252\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/3780-131-0x00000000067E0000-0x00000000067F2000-memory.dmp
memory/3780-155-0x0000000073B3E000-0x0000000073B3F000-memory.dmp
memory/3780-156-0x0000000073B30000-0x000000007421E000-memory.dmp
memory/3780-157-0x0000000073B30000-0x000000007421E000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-08 12:48
Reported
2024-08-08 12:50
Platform
win10v2004-20240802-uk
Max time kernel
53s
Max time network
36s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 241.185.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
Files
memory/4564-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp
memory/4564-1-0x0000000000BB0000-0x0000000000BE2000-memory.dmp
memory/4564-2-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/4564-3-0x00000000055F0000-0x0000000005656000-memory.dmp
C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\System\Process.txt
| MD5 | be4dfdc971d09b9cc3b89ccbe2b56ce7 |
| SHA1 | d48c773bbc788f02c05559ff8a53d66467f18a59 |
| SHA256 | 36217e167a3966b73494edf200519d9572289b5ba994463dc72df9ebe81afe90 |
| SHA512 | ee12dde7412f659aa92a6ff3745074d55403997f9598a03da0ec9f1441a6d1ddf4b1ad8de092a36e2e8c3c8b0fe12ddcdfccb6e86cc3d34b671fea58eb772ca1 |
memory/4564-145-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/4564-147-0x0000000006120000-0x00000000061B2000-memory.dmp
memory/4564-148-0x0000000006770000-0x0000000006D14000-memory.dmp
memory/4564-152-0x0000000006450000-0x000000000645A000-memory.dmp
C:\Users\Admin\AppData\Local\7e3589858c00a19f9af92fd5b201361a\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/4564-158-0x0000000007120000-0x0000000007132000-memory.dmp
memory/4564-183-0x0000000074BCE000-0x0000000074BCF000-memory.dmp
memory/4564-184-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/4564-185-0x0000000074BC0000-0x0000000075370000-memory.dmp