Overview

overview

10

Static

static

10

ProtectPass.exe

windows10-2004-x64

10

ProtectPass.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-08-2024 19:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ProtectPass.exe

  • Size

    320KB

  • MD5

    d91ce8584e3ea4ab871df46a5691ad55

  • SHA1

    1a8d835fc8b40731181b71a230837d71fc183e2f

  • SHA256

    75bc18011ab2a39bdd97e241ee748399fa0fdf7fbd51a640abe5067cee34abcc

  • SHA512

    2db75e9d2833a7bd086548f59cf1abc264b7a499382e09e343fa101b953fb390f64ff605e6cdc19423009332bc7cce4a6871f99c6404e6c49e7ecc5c337974ab

  • SSDEEP

    6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvN:3m/Q6P8j/svm1TXI5tZB

Score
10/10
stormkittycollectioncredential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 4 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe
    "C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:4284

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\OARDHGDN\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit

  • C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Desktop\ConfirmGroup.php
    Filesize

    551KB

    MD5

    1291734e8db998d3a9581370320efd6c

    SHA1

    e3655d42aca84d9e562e484978f62854576e927d

    SHA256

    a1cc1a8934c153e53ba42dbfd03bd1fe1c079ceea780f40d441c19889a3ff859

    SHA512

    404b1ef78325c658b207990b37ecd228031ea24031b1dd030ed06afe03543464ec942c0b8848a59bff25625eb341696bad645be90ca98f9b8c59230f4f2fee75

    Download Submit

  • C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Desktop\DebugConvertTo.html
    Filesize

    374KB

    MD5

    1e3400d6a285c7046b0286e873bbece3

    SHA1

    0ea79e84a2d849cc207610e93a0dbd52961dfaf1

    SHA256

    5802323adbd61903ad13a2c4d5cf8438544276d943ca1dbbc672c07ad0118054

    SHA512

    ae186e97a70cbc2da0525144cb41e4ae01cf20fc177fe8ca228161afd335c5c276f99a04166c8fca64877fb348db4b5b6e1ffa7098bba4e263d6bc488a22b87e

    Download Submit

  • C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Desktop\RenameEnable.html
    Filesize

    315KB

    MD5

    0c1b66f340ecd052ed90de2f65122134

    SHA1

    145a54f79e6e6d6fe63c85ba999486764272f7d8

    SHA256

    35395f12a4655109a0bab4279b9251795f18f601b914b479ab28f7cf6998b61e

    SHA512

    4bcfe30ae2f5b87692e37ab79eedcbde6bb368d34bee9193f4c751a2130b29831bb44966c92968394a0e577af679f9bb256ec5f5ad770e855fa89c3082286f3a

    Download Submit

  • C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Documents\DisableReset.txt
    Filesize

    1.0MB

    MD5

    e8f96c24bfd3d1424b84732386619b2c

    SHA1

    d6902fe1602db76698f0ba6233c28d8cb32be6d0

    SHA256

    005cc8f865b99c3c4a5fc88632b29438dd290e806ed18ca71da472c1d12f01fb

    SHA512

    6d3780080b6289f7b3577743f36da8f2e2a1e1cc8840440db1cddcf9268d280c11c5c793d0d196dff9afb66f97b97005f98404b81c6f236624c515f643515d1c

    Download Submit

  • C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Documents\MoveResume.ppt
    Filesize

    1.5MB

    MD5

    ac05b5c3b1a5bff6a7832539882844c0

    SHA1

    2d4f52d8954866665dc5e955934cf08fe40db5a3

    SHA256

    e2ea4332dc491decb1af22edf096ba7655bd890692d7ee2317b9f282a8d4fa1c

    SHA512

    f0e1dcd6a0e2d466aa976636e3f9353000a8a6e91c6c9460f4a7fa5ffe32cf73797e158d21b41425799bc547e83e07e65850dd39340fcf0ce71aee7f3b0a3b40

    Download Submit

  • C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Downloads\CloseSend.js
    Filesize

    1014KB

    MD5

    12c65cdda4fd1cb551792f4bd5c299d1

    SHA1

    9b93d6298f050b9b20d2f9eaa76e4b95c27cf15d

    SHA256

    003b201a96ef285c79aed1965c19a0b869d1829b0e2de7f61869d57dca17ded7

    SHA512

    145dfc3067f56cf7cc57911abadfe39f85c99fc641cb695c06db6d7f149bf6de155bbffc6c350215ede7f53c97a92287e9c77230de17cb930c450cbc947eada5

    Download Submit

  • C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Downloads\ShowRemove.php
    Filesize

    598KB

    MD5

    8a0587542e6f49b98ca645cd37e60eeb

    SHA1

    7c8264770dfb1995b94735de9a08c09fc81e333a

    SHA256

    011c43379e90dd1d64e4f32de364f6cb14f56048deed637959df3baf759fac4e

    SHA512

    b317b70d43eff9e2121d36cf6fba0d28863d8188a2a6c31852def228727aa7a51cbc9a01f7c31fbfda96d0eb872b981dfe4ae483200134335229c0698ddb92e9

    Download Submit

  • C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Pictures\EnableInvoke.png
    Filesize

    460KB

    MD5

    699f442d59ad65152953d7f16e104ca8

    SHA1

    9f2b93e3e0a7d4b8cf69017ac62aa318c85ee8fe

    SHA256

    a8ee5af25a1a34c37bb4d05a7a6e3c32075ae12edd2b10261c063381ed07655f

    SHA512

    de288220e5aebe1bab075d8a25fcaf3fd137ea17ae3e0487f6f7553c1490dc4588ab4ed7fde3420cf6e35d95cadb988ffb0308c183b683587f115f859c16e724

    Download Submit

  • C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Pictures\LockMerge.png
    Filesize

    534KB

    MD5

    b7e1de38f6f0f301180634b885aed515

    SHA1

    bf34beb7471d49e6819fea8365125a6653c12ba9

    SHA256

    65062b2547ebf178e98e39e0e074f6c5aa4a299c80fb6e6ccff67f0b777bf541

    SHA512

    398790fd7a3b2e19a1e8394fac1801850e200a17b35d48db8fe44900d28185003516b88b10df93e15f259723bc418e664148c9b3d646bffdb5c98c5bcc9d0418

    Download Submit

  • C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Pictures\PingPush.jpg
    Filesize

    387KB

    MD5

    ca6ab6b2672b2a049bef5528d3993f6a

    SHA1

    b801f548238a4fe8a95605942e981f044db7c7f8

    SHA256

    71492c6923db0279e574928c5a0e61f8d918f969f82c0150c871a05545e55b9a

    SHA512

    0377670bd44211aec305a67ca613cc6ce2b0e4a94a6bcd6768e6b6efc8305b566a8e784fd67f6ff0ddc16f238cdbbecdce94f573bca1539c3ff21551668f7611

    Download Submit

  • C:\Users\Admin\AppData\Local\OARDHGDN\Process.txt
    Filesize

    4KB

    MD5

    b9de1c3959308ca8ce4b41d11f8f31c5

    SHA1

    ed3e4f5ce28c03a70ac67c58e8699ce62d9f9833

    SHA256

    54f5889b99019e5b5ec147484c99b92cb11c2a83d12febdc71a1a4cb07c6cda9

    SHA512

    b4d706b03b5aa700d87e3a3efdf2a4355053c16477a54d598f08ddca2af2dfc914b877ec3eb717ae8d418d7fb72b7f3be9a21d6d2ad1eeed9a85b911d93e414e

    Download Submit

  • memory/4284-40-0x0000000006FC0000-0x0000000007026000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4284-32-0x0000000007110000-0x00000000076B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4284-31-0x0000000006AC0000-0x0000000006B52000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4284-2-0x00000000744C0000-0x0000000074C70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4284-1-0x0000000000D90000-0x0000000000DE6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4284-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4284-237-0x00000000744CE000-0x00000000744CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4284-238-0x00000000744C0000-0x0000000074C70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4284-264-0x00000000744C0000-0x0000000074C70000-memory.dmp

    Filesize

    7.7MB

    Download