Malware Analysis Report

2024-10-18 21:31

Sample ID 240808-p126batdnm
Target Server.exe
SHA256 1afc6f0b461fe194e24493a0c57c8320518ebbd50b74234caac0c578e6843380
Tags
rat default asyncrat stormkitty credential_access discovery persistence privilege_escalation spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1afc6f0b461fe194e24493a0c57c8320518ebbd50b74234caac0c578e6843380

Threat Level: Known bad

The file Server.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat stormkitty credential_access discovery persistence privilege_escalation spyware stealer

StormKitty payload

Stormkitty family

Async RAT payload

Asyncrat family

AsyncRat

StormKitty

Credentials from Password Stores: Credentials from Web Browsers

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Looks up geolocation information via web service

Looks up external IP address via web service

Browser Information Discovery

Unsigned PE

System Network Configuration Discovery: Wi-Fi Discovery

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-08 12:48

Signatures

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family

asyncrat

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

stormkitty

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-08 12:48

Reported

2024-08-08 12:50

Platform

win10-20240611-uk

Max time kernel

57s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4368 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\cmd.exe
PID 4368 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\cmd.exe
PID 4368 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 4028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 1272 wrote to memory of 4028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 1272 wrote to memory of 4028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 1272 wrote to memory of 364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 1272 wrote to memory of 364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 1272 wrote to memory of 364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 1272 wrote to memory of 3720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1272 wrote to memory of 3720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1272 wrote to memory of 3720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4368 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\cmd.exe
PID 4368 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\cmd.exe
PID 4368 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3904 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 2260 wrote to memory of 3904 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 2260 wrote to memory of 3904 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 2260 wrote to memory of 1484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 2260 wrote to memory of 1484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 2260 wrote to memory of 1484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 440 wrote to memory of 3460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 440 wrote to memory of 3460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 440 wrote to memory of 3460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 440 wrote to memory of 3460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 440 wrote to memory of 3460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 440 wrote to memory of 3460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 440 wrote to memory of 3460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 440 wrote to memory of 3460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 440 wrote to memory of 3460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 440 wrote to memory of 3460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 440 wrote to memory of 3460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 3348 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 3348 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.0.1218536573\1753954514" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1696 -prefsLen 20767 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e6adf61-28f2-4b2a-87b1-24c007ac44be} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 1796 225ff0dd558 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.1.157385489\1461042933" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20848 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2903282-5dd4-4695-9aae-51d1cb7c76d0} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 2152 225fb971c58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.2.514188841\2044967124" -childID 1 -isForBrowser -prefsHandle 1580 -prefMapHandle 2840 -prefsLen 20951 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8c79129-4541-4a0f-ba97-b971b841f484} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 3016 2258abadc58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.3.869631027\2103091711" -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3516 -prefsLen 26136 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea9ac86-df54-48b4-8eb9-daa97d947e02} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 3532 2258ba21b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.4.1966176498\1886670980" -childID 3 -isForBrowser -prefsHandle 4044 -prefMapHandle 3828 -prefsLen 26271 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {006f9d45-38cc-42fc-90a4-83167453644d} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 4056 2258bebe758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.5.1266405280\1138692174" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5032 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {387ef80f-711a-4de3-95f4-80247bd018a5} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 4948 2258ccd2058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.6.1471543359\826457425" -childID 5 -isForBrowser -prefsHandle 4960 -prefMapHandle 4888 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e79b8dfd-7fec-4644-b5bb-f81db7d908ba} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 4832 2258ccd3b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3460.7.1354349508\1983092733" -childID 6 -isForBrowser -prefsHandle 5284 -prefMapHandle 5288 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb87000b-bdc0-46af-a127-987ab2281a74} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" 5248 2258ccd2c58 tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:49970 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 161.99.165.35.in-addr.arpa udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
N/A 127.0.0.1:49978 tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp

Files

memory/4368-0-0x00000000735AE000-0x00000000735AF000-memory.dmp

memory/4368-1-0x0000000000AB0000-0x0000000000AE2000-memory.dmp

memory/4368-2-0x00000000735A0000-0x0000000073C8E000-memory.dmp

memory/4368-3-0x0000000005460000-0x00000000054C6000-memory.dmp

C:\Users\Admin\AppData\Local\57d34f843575040346c8c83cd408d430\Admin@GKUTWGDF_uk-UA\System\Process.txt

MD5 c1091e96896e3e91848810cd8493630a
SHA1 f3ee038ce38de1555fbf90241f8a4083c83191d0
SHA256 0b41061107ab7f9b92dfee320f5991574479ce6666e875761fa835c3bd43cfe4
SHA512 7c44575ce1177b9a7c5a50111af9905eaa84073badc0db60ef3e989ce36e4b7efb02417ac6926d2d7ba68bed647fdd2893f9d9c7f6988a93251bf45179f8b79b

memory/4368-116-0x0000000006230000-0x00000000062C2000-memory.dmp

memory/4368-117-0x00000000735A0000-0x0000000073C8E000-memory.dmp

memory/4368-118-0x00000000067D0000-0x0000000006CCE000-memory.dmp

memory/4368-122-0x0000000006330000-0x000000000633A000-memory.dmp

memory/4368-123-0x00000000735AE000-0x00000000735AF000-memory.dmp

C:\Users\Admin\AppData\Local\231608184e03f43a514548b074a2ab7b\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/4368-129-0x00000000735A0000-0x0000000073C8E000-memory.dmp

memory/4368-130-0x00000000063E0000-0x00000000063F2000-memory.dmp

memory/4368-159-0x00000000735A0000-0x0000000073C8E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\e78b9ef9-87af-4145-b768-20e14c2e1c66

MD5 93a9c7c74231aa4dacef81a0353bec6a
SHA1 6a709dad6aad40b9e83a49038c8bf73bde271765
SHA256 e876543c5670cc96b6919f22605f0cc99e7992a3550b0e44a6c7933d0d9f5d0f
SHA512 6ab40c30c433baae92914215ff8b1987d2540dc59ecaf0ff98256172fc6ea85c21d0ed1024a34a88164da98a791b755efdc81194d717c9a51c13d3deb199a7a4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\e285fac2-53a2-4d10-a91d-d365bad7d808

MD5 933fc4cd004171fdbbef0f7a3db2ecdb
SHA1 b955d127aa33bcddb5747c916c057abd60453302
SHA256 a46f393923aa3622aa6f1935004ff8540ebd7b534f2c2ddb6095f3132b7cbf84
SHA512 0cb9ec0d628bbac0191da655bafb5d1c13ee7eaf7eb987e8ff7129ed737373214dfad827775dfcabde969831a3cd61f9db6337f9b123b450b2f0d0f5f5972700

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

MD5 ba5a60828a11fc7f283e549f02d49966
SHA1 2ebc93cb6bf122c233bb5c96690760a538a3f13b
SHA256 f3bc0672de28d6e3acbe3fd62b7d30bbc5bc47c37ec6efcc00fb0574acbe3ea7
SHA512 6976fc179b0fb3d8a032f605881e2d04597e1454eef729f9c4f6e79517bfa338077ae0e1347184526555aadcdb44ef4b90d74a41d421854f14b4e9ad71970282

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp

MD5 3deabc6c8e1a2846276bb27abaed37cd
SHA1 6142c6bdb3a48dd647eed9ff95b1eb3b2df88be5
SHA256 cac6be3c6012aaac021921ac30d2f91040879564c85b6d2d8a4183a63c6d52a3
SHA512 02ec0d469e1e2567f05bc540ba1be7dab4b23778209d59cea486841ff58d26ba9c413c516e4c73300ef7014eb63f4e7ba395092eb5d59eb5f86c743644f1ec44

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 c460716b62456449360b23cf5663f275
SHA1 06573a83d88286153066bae7062cc9300e567d92
SHA256 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

MD5 4d219f6608474083d6f98d899c6e3010
SHA1 5e7506f39e9ae5f9267186d044e826166194fe35
SHA256 ac4bed6c8d3d78d8177eaaf7301bdf7abe790ca3002fc956c4d8e3a55c93e9d9
SHA512 1b3aee0e5e7a986ff3dd494684c7bdc1b956e42ecaed5beb2b7b2b7aa4574498d04eeeb22651a1100bea6337b4b383e252c8c96464379071dd11e2cda64bf47a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

MD5 523becf1b3fd29bba0051ce0d96fab41
SHA1 d52b0825f9b02fc1c56c7ee66a4fa4333225b889
SHA256 bb25d5b2f28158c780fa9ca5e0f894e06cf9bf47e7b308e97ea42fd041169d82
SHA512 3f3666ed69878c45ec0e9615b8b3e37a4722622fc453052845c74e9918d410451623fb038017da350c03e3abe231ffb2946c9ffec797c62d1e083c67a3184cf5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

MD5 85d9cdd76d1032af079a0b9769af7187
SHA1 539936dd575e98d8c3e8c2d9f75803f9343cc566
SHA256 881c2db8111942eaa34e39964872d838a02dc0a91831f3ad297ff795d6a33018
SHA512 6ae78dc13748fcbe783c8289240ece9db4b6026af812e6a236bd8ed8e4687e3780ce30e03c597622d3f4353aee7ecec4a8232b86fab714094f20308afa8f9713

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 23ccbcea53ea15ef3326ac197fc24b46
SHA1 a80562bb64b108e5c9ecea69de1052781dbe24fc
SHA256 2d337527d3f08141b098a60f2e43c78d8d78569254c261dc78938c7d1cd0b861
SHA512 899f9a477aad546ff55a9f5a0aa7ac7550808202dd4a68ed6bd674eb3ca521efb10b6b4ae92069dc23d97d0be5fc141e93c7f2deed2d923ed634f8958657d17c

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-08 12:48

Reported

2024-08-08 12:50

Platform

win10-20240404-uk

Max time kernel

59s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
File created | C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3780 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 4664 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4664 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4664 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4664 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4664 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4664 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4664 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4664 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4664 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3780 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1756 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1756 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1756 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1756 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1756 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:6606 N/A tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:8808 N/A tcp

Files

memory/3780-0-0x0000000073B3E000-0x0000000073B3F000-memory.dmp

memory/3780-1-0x0000000000EE0000-0x0000000000F12000-memory.dmp

memory/3780-2-0x0000000073B30000-0x000000007421E000-memory.dmp

memory/3780-3-0x0000000005860000-0x00000000058C6000-memory.dmp

C:\Users\Admin\AppData\Local\3dc94fb4dcb55810d1957e671b46f922\Admin@UOKLYWYH_uk-UA\System\Process.txt

MD5 611946c3bd811488ff2e23a474b63a17
SHA1 a6ad6c28658bde0658908d71c59e20c1778d9d84
SHA256 7770b0bb8fc86ffc7ac8c572fdff03f3e092b4da1477935d824e01c240f0f0ac
SHA512 9f068ee547debc6c4ef358225217ce6fa23b0db00df8e6b8e48a4df079c9ed7347ec8e18962ce3f0aa899ffa0dd5e7568a16707c85a178d82aff4c22acc937b5

memory/3780-119-0x0000000073B30000-0x000000007421E000-memory.dmp

memory/3780-120-0x0000000006260000-0x00000000062F2000-memory.dmp

memory/3780-121-0x0000000006800000-0x0000000006CFE000-memory.dmp

memory/3780-125-0x0000000006460000-0x000000000646A000-memory.dmp

C:\Users\Admin\AppData\Local\3794b58cea973abf9fbca2862ded3252\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/3780-131-0x00000000067E0000-0x00000000067F2000-memory.dmp

memory/3780-155-0x0000000073B3E000-0x0000000073B3F000-memory.dmp

memory/3780-156-0x0000000073B30000-0x000000007421E000-memory.dmp

memory/3780-157-0x0000000073B30000-0x000000007421E000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-08 12:48

Reported

2024-08-08 12:50

Platform

win10v2004-20240802-uk

Max time kernel

53s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4564 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 4564 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 4564 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1252 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1252 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1252 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1252 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1252 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1252 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1252 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1252 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4564 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 4564 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 4564 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 556 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 556 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 556 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 556 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 556 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:8808 N/A tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
N/A 127.0.0.1:8808 N/A tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
N/A 127.0.0.1:8808 N/A tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:6606 N/A tcp

Files

memory/4564-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

memory/4564-1-0x0000000000BB0000-0x0000000000BE2000-memory.dmp

memory/4564-2-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/4564-3-0x00000000055F0000-0x0000000005656000-memory.dmp

C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\af3f80ce0998d0d8aad77baa7521143c\Admin@UXMRPRRI_uk-UA\System\Process.txt

MD5 be4dfdc971d09b9cc3b89ccbe2b56ce7
SHA1 d48c773bbc788f02c05559ff8a53d66467f18a59
SHA256 36217e167a3966b73494edf200519d9572289b5ba994463dc72df9ebe81afe90
SHA512 ee12dde7412f659aa92a6ff3745074d55403997f9598a03da0ec9f1441a6d1ddf4b1ad8de092a36e2e8c3c8b0fe12ddcdfccb6e86cc3d34b671fea58eb772ca1

memory/4564-145-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/4564-147-0x0000000006120000-0x00000000061B2000-memory.dmp

memory/4564-148-0x0000000006770000-0x0000000006D14000-memory.dmp

memory/4564-152-0x0000000006450000-0x000000000645A000-memory.dmp

C:\Users\Admin\AppData\Local\7e3589858c00a19f9af92fd5b201361a\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/4564-158-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4564-183-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

memory/4564-184-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/4564-185-0x0000000074BC0000-0x0000000075370000-memory.dmp