Analysis

  • max time kernel
    129s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-08-2024 17:19

General

  • Target

    8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe

  • Size

    156KB

  • MD5

    aa50dea32c4398f49128d5b903a38aef

  • SHA1

    cca7429109dd0e0d2d7f046a6af4ff40773d6722

  • SHA256

    8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523

  • SHA512

    6ae2342df6fd7f0b70562b40d608f5f0c8b2230715934adff39ddae01ff7c0cfa9e78bf4261df473a73ad71cdea963d08ce36b919a5ca0f3a264af32eb5795c9

  • SSDEEP

    3072:NUWIAXFeSQ0oMfYMp2fCoeq63ychNeGQVm3Q4x4+VQ6s:NdIuppY6sdeZywNeGC4xI

Malware Config

Extracted

Family

xworm

Version

3.0

C2

sites-sing.gl.at.ply.gg:6789

Mutex

hsYEUqkLaSySRVeL

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 4 IoCs
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe
    "C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1800
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1304
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1236
    • C:\Users\Admin\AppData\Local\Temp\zzzz.exe
      "C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2936

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\MUYDDIIS\Browsers\Firefox\Bookmarks.txt

    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\ProgramData\MUYDDIIS\FileGrabber\Desktop\LockRevoke.png

    Filesize

    299KB

    MD5

    5f106570d81458e9280086d6a86904aa

    SHA1

    02442b5ee510a4c260f3c06d4ab7002973367880

    SHA256

    b3cd31157b20d777c01057303bf2ed6c53bfbdce5cca33e03b3da29febd9c2bc

    SHA512

    e757be4cf54ccb19dadd0e99e3d9424a174c0318ee66ee8df40af250351f4a130a3d67139a7244e85fae3d13374a165f02b93888776f85b31ca0aea642dd046d

  • C:\ProgramData\MUYDDIIS\FileGrabber\Desktop\PingTest.html

    Filesize

    368KB

    MD5

    345ceda7e465986632070c4535042693

    SHA1

    d4aff995ea683104ca8a90c7050575282a5bf75b

    SHA256

    c03fd4804da45fac2d029f5ae0b0f9fe96c0af1c0864e69e5894d2faa3a1f8c7

    SHA512

    3d14d9f22b078d182f36a2d7bfeb25b31d9c23b8b51902d120a330950ae8693f109ad6e3582069a9642f8128747e514bd2576e2eb73a4aa5351343050a591a53

  • C:\ProgramData\MUYDDIIS\FileGrabber\Desktop\TestShow.ini

    Filesize

    231KB

    MD5

    5d9049a52c5ee3b8122070c5a3784fbf

    SHA1

    ef517827e47388ed96dc99883fc6a07589b0abfe

    SHA256

    d637223c2c1242a9cf121ce37114f5036e89696a8befe080da1317c01f4aa3d3

    SHA512

    e1c0917888d6c3aec6d3d85cafb72078d656f86f0aac4fcdc77ae86994fc1b6bdf4c577939cbc5fc28f62768b529dda6e46eadd47544768fe8b157ca79c73046

  • C:\ProgramData\MUYDDIIS\FileGrabber\Desktop\TraceRemove.pptx

    Filesize

    449KB

    MD5

    5e4ed0843fd1634d061db898ce75a117

    SHA1

    8945024102fa7075fa8e562aa1e439f28f0c0cb8

    SHA256

    f868699b5f3d0a7d7e195f6c49ad69e7ea6b5cda21a21d40df2a1af6b3d7f156

    SHA512

    e1cfcc3aec9810ee0e976dafe258d247e1c5e82ce038ff43e2c0e9be4217d707cb76c61bcefb6d558edf64dfcde3e1fe4cd7e765893fc31cec225531aa64b26a

  • C:\ProgramData\MUYDDIIS\FileGrabber\Documents\CompressDeny.doc

    Filesize

    1.1MB

    MD5

    3a0b3ec93a84a69d2bbf4d101c37f997

    SHA1

    26118f4e166eeadd877a05ac8e318072ad208b51

    SHA256

    93e53f8d5ac468355870b82422a4aae5c87f0c8137d31e69fc180943a81c9bc0

    SHA512

    2cf8508c408fb4ba4b8c764dd81dcf140d83f289ef0483a5d40c5505775aebbdf623eca74d385e0adfde6c70e85a4545268b289c420fb61a84ad3699b6220412

  • C:\ProgramData\MUYDDIIS\FileGrabber\Documents\OutSubmit.doc

    Filesize

    1.3MB

    MD5

    9bcacd88d9eae06eb760d2bce743e16c

    SHA1

    b8cf766d8b2083f2da533df7dfeaace455526f3b

    SHA256

    1780ca831902fd789420240450bcb0ee448ff2db53670b04820baaed30bc444d

    SHA512

    b8e040265f898e8755e0afe524f654338f371f59811196b5d74d7b2b1bc3042c062a2fe17c27763e60d6c5bba6369256e815ad7929dd9dc83409d0a070b282ae

  • C:\ProgramData\MUYDDIIS\FileGrabber\Downloads\GroupHide.ini

    Filesize

    497KB

    MD5

    a22902ff660be0d88bf91453590fc3f3

    SHA1

    ed4a71fb41587cb068ee706aabb88d2b84321401

    SHA256

    3dc4ac5e5f8525838f51c6c9126ac43d02df36c460cf163bac910084bc2479ed

    SHA512

    9cf6138c9176400e230b4258a993c4a4c7641b45195095e97c2603fde25dcef7550e6d91eb4f88d3de627cbf1ffa1e5a6caa1456a53f77afbe4652f81ef9fdee

  • C:\ProgramData\MUYDDIIS\FileGrabber\Downloads\PushSwitch.bmp

    Filesize

    331KB

    MD5

    f50d1d3c27cab87c13a3bb32200562e4

    SHA1

    a7771739646433783fff37b1424554f2b2911b96

    SHA256

    3a387315ab3ff8e2fe2ad35bf6d5a03856a8eb2cc67244bb358f9d1469c5ac2f

    SHA512

    b1c6bc2f89b88f81ab2239c1c5fbcd5287131b239710394874d1515b2b1a1392c05a98988befcd13b481296b99c6aaa92ba036c758efcb34442c09313baa1f09

  • C:\ProgramData\MUYDDIIS\FileGrabber\Downloads\RequestPush.pptx

    Filesize

    260KB

    MD5

    5ff972fbfbea2e47949a738eb4b3c87e

    SHA1

    12501b453b85a1fb625a8ee411f7ea4ca3c60b35

    SHA256

    a0bc04018ef19c8e3d92fc217bcb8b33d1658eae0dd796c51f584ca438706943

    SHA512

    0685e6a9425e53e6713649b5157d87d91151641a55197dd913e60dc26ae61c22172de57c17ac32eb6ce2879bb7ebb80ada483e974e1ed2185c4b6b7ab673c49f

  • C:\ProgramData\MUYDDIIS\FileGrabber\Downloads\SaveTrace.png

    Filesize

    580KB

    MD5

    70eb14fbe1349884bf91e3fb13ad55de

    SHA1

    779f0a8633d2cdc491c9b3b510bdc9956872b744

    SHA256

    389034dfb1926b464f2ec0abe71e79f55919356db565d7d84d0763b8ee7bcd2e

    SHA512

    7418474e048d174b6b1a9ce565683d90c52511f0ec67a85df9b6cc7426c8597f166cc6ef940aab827990c982368036cc83d533dc2421067daa7b3f2f80a6e1d7

  • C:\ProgramData\MUYDDIIS\FileGrabber\Pictures\CheckpointRead.png

    Filesize

    597KB

    MD5

    6062304de3add9dbcb65caa19ec7bcdd

    SHA1

    ef2d52896e3aac1596510a2a46d6ba2144efa7c9

    SHA256

    3b9c583bad97707e848cc639b481b426579432d7d11003fdc6c68b67bba60295

    SHA512

    6eb4d3ae816b6833c13be100bea54ee293e888a955234ecc19e2148ae398a546c82994ea7cc1c32af74a667fa19337fce610f7d8c0fc9aaeb1f5a687bdb11c84

  • C:\ProgramData\MUYDDIIS\FileGrabber\Pictures\CheckpointShow.png

    Filesize

    255KB

    MD5

    d2663a1edf1d631f916ea240d8d83654

    SHA1

    58186a9ee455ebd713bff103606fdaeacf3ee609

    SHA256

    a99d3f53dbdae7db21da31458a01a19896ed09890c8a3e3d91e810b542c3f002

    SHA512

    d212aa5b9915b219fdea877cbc5ae9274ca43f7d9b45c09800b3042103492b96af78bdc214812814046c7effadf45f7a0e5a614ed3357885966ffb6f9738acc4

  • C:\ProgramData\MUYDDIIS\FileGrabber\Pictures\GrantSkip.bmp

    Filesize

    725KB

    MD5

    e09c7e8e491ffd81737efb0ddfafccb2

    SHA1

    e6ed7c2767966989ef3baca3d123582073716b91

    SHA256

    e2c0b0370584279ee03e62abd9d665a78e9c6489db343c1d4b2014ff565782cf

    SHA512

    fd0aa7005fb12ddbbe57517268ff4a1cfc84a18222ac1a3f41c3d82aa0e0b3e63eb4fc9437be638b60865292ecd614e7be6f988504bc287de804f5fb38683f71

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    35KB

    MD5

    90feaeac1ed833652f5267124acd8293

    SHA1

    ba3fa9aa1c28e54d712bf8766234410d56494859

    SHA256

    a9ad869209d1344ab64479f2f1557291b97358451a4aa6d32da2f570de02851b

    SHA512

    0b29579c520bd59fddb14e50c2f4c7ab407ee6177cc2682461c1308f78bacfc151b5d3fc16c2b5b566fca40fdba683cf403b7efaa23fe3b9b5efec1ad0568042

  • C:\Users\Admin\AppData\Local\Temp\zzzz.exe

    Filesize

    320KB

    MD5

    de4824c195cf1b2bb498511ef461e49b

    SHA1

    f15ca6d0e02c785cce091dbd716cd43e3f5a80bd

    SHA256

    51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209

    SHA512

    b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    9e15157b00e6c377e52f739ab5f09ad5

    SHA1

    633facc32a4501fac0ea66a7c46afa897dd64506

    SHA256

    9183046b5792c1bd784834d3e2772d63b01283fd34ecfb890efd6dec2767bc39

    SHA512

    081ed449e3afe0c28d06a1df33827f7c7eafad86c548d698059729281ab88771066834fc174e8cc23febf79f0fdafdb02441146efa735932bfb0bfa57a3e563b

  • memory/1304-102-0x0000000000370000-0x0000000000378000-memory.dmp

    Filesize

    32KB

  • memory/1304-101-0x000000001B6A0000-0x000000001B982000-memory.dmp

    Filesize

    2.9MB

  • memory/1800-92-0x00000000026E0000-0x00000000026E8000-memory.dmp

    Filesize

    32KB

  • memory/1800-91-0x000000001B8C0000-0x000000001BBA2000-memory.dmp

    Filesize

    2.9MB

  • memory/2480-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

    Filesize

    4KB

  • memory/2480-14-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

    Filesize

    9.9MB

  • memory/2480-1-0x0000000000CD0000-0x0000000000CFE000-memory.dmp

    Filesize

    184KB

  • memory/2936-15-0x0000000000F50000-0x0000000000FA6000-memory.dmp

    Filesize

    344KB

  • memory/2940-122-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

    Filesize

    9.9MB

  • memory/2940-16-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

    Filesize

    9.9MB

  • memory/2940-13-0x0000000001350000-0x0000000001360000-memory.dmp

    Filesize

    64KB