Malware Analysis Report

2024-10-18 21:31

Sample ID: 240813-yfdfwsxdkl
Target: WinRAR 7.01 Pro.exe
SHA256: e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5
Tags: asyncrat stormkitty default credential_access discovery persistence privilege_escalation rat spyware stealer
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5

Threat Level: Known bad

The file WinRAR 7.01 Pro.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default credential_access discovery persistence privilege_escalation rat spyware stealer

StormKitty

AsyncRat

StormKitty payload

Async RAT payload

Credentials from Password Stores: Credentials from Web Browsers

.NET Reactor protector

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Looks up external IP address via web service

Looks up geolocation information via web service

Drops desktop.ini file(s)

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Network Configuration Discovery: Wi-Fi Discovery

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-13 19:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-13 19:43
Reported: 2024-08-13 19:44
Platform: win10v2004-20240802-en
Max time kernel: 59s
Max time network: 46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WinRAR 7.01 Pro.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WinRAR 7.01 Pro.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\3f2200e8abae9d74274fef2335ba6d9b\Admin@ODZKDRGV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\3f2200e8abae9d74274fef2335ba6d9b\Admin@ODZKDRGV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\3f2200e8abae9d74274fef2335ba6d9b\Admin@ODZKDRGV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\3f2200e8abae9d74274fef2335ba6d9b\Admin@ODZKDRGV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\3f2200e8abae9d74274fef2335ba6d9b\Admin@ODZKDRGV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\3f2200e8abae9d74274fef2335ba6d9b\Admin@ODZKDRGV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\3f2200e8abae9d74274fef2335ba6d9b\Admin@ODZKDRGV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\3f2200e8abae9d74274fef2335ba6d9b\Admin@ODZKDRGV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\3f2200e8abae9d74274fef2335ba6d9b\Admin@ODZKDRGV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinRAR 7.01 Pro.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\WinRAR 7.01 Pro.exe C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe
PID 2324 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\WinRAR 7.01 Pro.exe C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe
PID 1564 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 760 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 760 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4424 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WinRAR 7.01 Pro.exe

"C:\Users\Admin\AppData\Local\Temp\WinRAR 7.01 Pro.exe"

C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe

"C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe"

C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe

"C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:8808 N/A tcp

Files

memory/2324-0-0x000000007486E000-0x000000007486F000-memory.dmp

memory/2324-1-0x0000000000860000-0x0000000000CB2000-memory.dmp

memory/2324-2-0x00000000057C0000-0x000000000585C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe

MD5 5e2849bef6a38ed0b163ea6128afea01
SHA1 d77e1467dcd5e6662a6b97de35cb017579af032a
SHA256 6ec13e13059bac123d839fde5770db2c87248ef862d21f5f818580287a365026
SHA512 e20bcb346b114c5e6f8f0e82d2143a7c02ffc77056983336a011fbe8e292d8fa0ed8d2aebaa6f665ffacfa1063f59a2788bc68bbe2605316d7791eec3a1e1cfb

C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe

MD5 b2795fbed63c8c1b0846b3eaeae2fe0f
SHA1 d1145cff21e008c9ad581ccf1719139d754355de
SHA256 5ea467d548d41b747370a235c9a245910ed58d55482a48246196faf391213c24
SHA512 47ffcc3c74113db4c389ba9a6b5db7ce325d1f63e431405a9f6613918c387de4a677f20804aad6aa458bf2151de418c2f72740f4f5083fb45bf6c4b0f564e564

C:\Users\Admin\AppData\Local\3f2200e8abae9d74274fef2335ba6d9b\Admin@ODZKDRGV_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\3f2200e8abae9d74274fef2335ba6d9b\Admin@ODZKDRGV_en-US\System\Process.txt

MD5 61dd74619c02255b78fa60427a9e28ca
SHA1 9662edde0995fbf4df33de654754cad1cd80f1fb
SHA256 595b3a9c6c99f7ff1331ccb9daa649cc241900995f5bfa323807335a7ab04ac7
SHA512 0c8d7bc6a5a64f6a5ba64da742b0e6a2a7ad5fddbbc91a6d8cb87f278c610d979a51091367a4c6252a0ad423511c15a3f53daa17add1615ef39cf5da85f58338

memory/1564-2431-0x0000000006220000-0x00000000062B2000-memory.dmp

memory/1564-2435-0x0000000006350000-0x000000000635A000-memory.dmp

C:\Users\Admin\AppData\Local\1a8eaa2b5c0618edf84bf02a3eb874a5\msgid.dat

MD5 2b5d91dad3a23178ce75ba6ad0edfd30
SHA1 f3413c38d3ff17a27112729c2a26734254a64089
SHA256 f076574d3dc64d820e16d00c6180e80901aad1a50bffce0d07fe05bbe6a30ac5
SHA512 aaf38f38ec0e3c10bfd9c3119f98ac242570f78f3b1fdd2d20df208b8db5abf63fb77f4ecf3c91b1ddae6331975d2b614e394d05ca4d40774cb96e84e3adaf7b

memory/1564-2441-0x0000000006360000-0x0000000006372000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-13 19:43
Reported: 2024-08-13 19:45
Platform: win11-20240802-en
Max time kernel: 60s
Max time network: 54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WinRAR 7.01 Pro.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinRAR 7.01 Pro.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2632 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\WinRAR 7.01 Pro.exe C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe
PID 2632 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\WinRAR 7.01 Pro.exe C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe
PID 3564 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3028 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3028 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3564 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2524 wrote to memory of 3380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WinRAR 7.01 Pro.exe

"C:\Users\Admin\AppData\Local\Temp\WinRAR 7.01 Pro.exe"

C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe

"C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe"

C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe

"C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:7707 N/A tcp

Files

memory/2632-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

memory/2632-1-0x00000000001E0000-0x0000000000632000-memory.dmp

memory/2632-2-0x0000000005120000-0x00000000051BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe

MD5 5e2849bef6a38ed0b163ea6128afea01
SHA1 d77e1467dcd5e6662a6b97de35cb017579af032a
SHA256 6ec13e13059bac123d839fde5770db2c87248ef862d21f5f818580287a365026
SHA512 e20bcb346b114c5e6f8f0e82d2143a7c02ffc77056983336a011fbe8e292d8fa0ed8d2aebaa6f665ffacfa1063f59a2788bc68bbe2605316d7791eec3a1e1cfb

C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe

MD5 b2795fbed63c8c1b0846b3eaeae2fe0f
SHA1 d1145cff21e008c9ad581ccf1719139d754355de
SHA256 5ea467d548d41b747370a235c9a245910ed58d55482a48246196faf391213c24
SHA512 47ffcc3c74113db4c389ba9a6b5db7ce325d1f63e431405a9f6613918c387de4a677f20804aad6aa458bf2151de418c2f72740f4f5083fb45bf6c4b0f564e564

C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

MD5 fb799ff6614adfd9b3c099e2870607a7
SHA1 9242facff8dd935824b34d8667e363c9ed1d7336
SHA256 3b32db1cdd86c116bbe6c1fa850b978f911f37502a9ed690e5647cc001b963e1
SHA512 37348f23065c94ac04320047c3b00aebffa9ee492de4fdb27c16695d37a50288e82c2b1ee622cf5978a287577359c3b459764addabb4fccd9dbf05ebca59bf43

memory/3564-2419-0x0000000006470000-0x0000000006502000-memory.dmp

memory/3564-2423-0x00000000065A0000-0x00000000065AA000-memory.dmp

C:\Users\Admin\AppData\Local\847b19771ec05254524dbacfa3aba31c\msgid.dat

MD5 23a4f338ff0ec4559eef3dadbc87fa94
SHA1 7e0c6a093793927f58670c8cdbed0e77e006106b
SHA256 48ebaa79c7017ac4d7de5f8346c5e0ed154b13d6bb7474a4255eb7cc4068c3fc
SHA512 c63dae27a467a84d891e29d2ac43f71cc128b0e52f737b0ef22565710d70af1dc3e7b7a9672ca6a239bf4fcb858ba6da2746677d6bf439c1b6ca7b13daac538d

memory/3564-2429-0x0000000006EE0000-0x0000000006EF2000-memory.dmp

C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7