Analysis
-
max time kernel
33s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
19-08-2024 09:34
Errors
General
-
Target
150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
-
Size
227KB
-
MD5
1a83a244d9e90a4865aac14bc0e27052
-
SHA1
d2b65e7aed7657c9915f90f03d46902087479753
-
SHA256
150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712
-
SHA512
f4b9d26d8a0841f9425abf038f85563ddee65e2404bc508fd23c8023bb565fd7f0ceaeaadde49c4951d3bbbb93f6b64b3cf610464855a2bf2d418477dd4fe03f
-
SSDEEP
6144:YzJS6VlWn4bk0+GIKSppY6sdeZywNeGC4xIAY9F:YzdVlHbk0X5SpppMVwfI
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 4 IoCs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 20 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe"C:\Users\Admin\AppData\Local\Temp\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 003⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\shutdown.exeShutdown /s /f /t 004⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zzzz.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\zzzz.exe"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
747KB
MD55256c16c0ccd44812ce5d7db28bdb649
SHA12b913ac6ac92ab1665a2ea303ac671a830f56999
SHA25635792dc5f231c41a74d24bbc8578059b556ee9297bb1b4763aaaf5cd18685c3a
SHA51252655ea01accd504520c588995950da1d7b91d47814efc6991bbd42d7a8ccc0c65e10fe54ea935a952310b054c47f01671ab7c18c01bce9098c5365720045bf9
-
Filesize
380KB
MD51a817d5bd76b542534a7b94ff80003f0
SHA19f010d1a0c92b3d4476b6244f011c3b263c6e18e
SHA256ea79e605ab1b70d6320d041b24e67d776ea942a034301a1e342844426bf48a26
SHA512fa017ffd364afe3eeb413b3e1bd5644778e4066cc0d36d1db800f07fc30959a38510fd0a185bbd64098330863fab2352b257631431ad43c2d73b3af1b96f50b6
-
Filesize
15KB
MD52fc290862d7a2d7dd638da5c014e4de7
SHA1a43ded7f81e0dcd29904863282de5e1151215ac9
SHA2560bd8c7ded7b03c4e83ca19d89da6d268000bc7493a767c4c87a03e4b0fd529f2
SHA512b32fb94a1e6fbc0e663441161f5092a35ece8ea96eb8f019540e0014b2d2f7173aeb04f454063bc542bfd785c12b674f4e52251c59d1c946d57adb33a6f1a319
-
Filesize
534KB
MD52842f65751bd4e14c02b2fa74867af4a
SHA19e7134c5d5ecc17b183f9e293c2490f341cf60bd
SHA2561172a23e1cdad17a8ab150cee2ba5c715c9387f1ffde2a125445af9e4d95297e
SHA512394e383eb4e5e048b28a5a9c605bec2e3b968f593343a89b6fd16b1d400b4eb2f815642391590a1bbe0c88b07cb823385273f2bb1189c64c13181794e10c2d9b
-
Filesize
497KB
MD5c4bd1964049463fe85e08a1e9a73d3b3
SHA1353b57ef2434766c8927860af2a2e9078dc4c99f
SHA2567380b68413e8aad6b2c390b0d6da4701d7ab939aa707d5e78f6ad59701a98d7a
SHA5122d74531b4ac4e8e183756d4c260b94b2ef04b7e7cee7119b84a5bbf719652fc256524462aa777d4b2560c06921e93e13bf71cbb7a9c6153094ec100cf17aa06c
-
Filesize
719KB
MD50608143a5b3c72e6ba56927f74ebd1fc
SHA1530d4fc96ed7ebf24a8897b7c6108baaa0b9c7da
SHA256036c12001fbed765af362a0c0c481639605daa9cb5b5b13d9e207b9b5593cf29
SHA5126810c6fb0c10fe8d54c604c0b3d89850ac7a9527d6a0ee267511aa101576e44e0f7f41520918bf5482e7fd69851080d1534e15dc6f6d048e8328120cd101c2f9
-
Filesize
724KB
MD5dd26c159523541674580ee1c1cedd567
SHA17131f2ae762756c303159239a82a758a9f1d9132
SHA2561e200c774b2154d3f543182e5caa8a4f16cdd18f9a1ee27d4e3f1b8fca66fc99
SHA5125c7ed14b0eb046bb4c0658f56ee3b0ab61b7138b6b6b2a93d2d76e02cff7f90e955575621e84f419bbf1e62627d7a641543b59997be95b392b47a1a0aa4e62a6
-
Filesize
385KB
MD585542f7ad353a9659285e7363435b783
SHA1deaf8206f9a1c4b01288c0392602cd01301aa3be
SHA25677f2ae3029ec4905c950d31bb5973ee6c21855e5521b4a2f12182fa1b3ed209a
SHA5126a9813f140c26668be95e870f3920fcaca9047d420fb06fed4010b4c20a1d4984617a125715de772293a18eea575b2ae1271b2ad2a566c2070195fb36284fd27
-
Filesize
373KB
MD5dcae2a8dde0aa7bd967df1dc373a8252
SHA173f21bb3a32e0bd85be54d0cf6d953330c9ebc6e
SHA256b5ea43cab58d7df57ed0d9d7dc7e0039f4e151cb277b07b57a09533e3d6cd5a7
SHA512affc5899c3ee569136eb4dda8ebbe0bbcb635d76fa2fb49353ae636700b36b8f98c1f628750ab706128d0a01991350fa6d7cdc27a7ae5e8b202a216933e8d1ad
-
Filesize
627KB
MD507f06f583d492b7468cceebf53584648
SHA157c73601d116cf0d5f24a07b890b4fbe7bd9f36a
SHA256901472f43ae09b5eede72b3bcc3c72a5e5f59faa5cf48726a18da853b8c1c5ba
SHA5122bf3cb75ed49ed4ef3584e34d3ed7b28903f77c51bf617b9ed1d3d79e5b05d18369053db20c86f65da9fb13ba51dbc1d20ba01c3bfd0b7d3170068537eeb5886
-
Filesize
500KB
MD5303edff994099f44f36a46d12de94b10
SHA1b216b1581a8cf91110924ffb695fa7a6f6f8946c
SHA2564b01aac22168f01cfa9cd35debfc8305d37504e84432de8c34c10879c8a29599
SHA512e743cf8af69771ce8627605909c74d1f0056d14e2483d3b94bb872e56059a9fba3c87f1c45cf2e544c13da7938296172bd285306d3539a1c36d79f5289da4bd1
-
Filesize
100KB
MD521560cb75b809cf46626556cd5fbe3ab
SHA1f2eec01d42a301c3caacd41cddb0ef2284dbb5a6
SHA256d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa
SHA51221eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db
-
Filesize
320KB
MD5de4824c195cf1b2bb498511ef461e49b
SHA1f15ca6d0e02c785cce091dbd716cd43e3f5a80bd
SHA25651813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209
SHA512b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a
-
Filesize
7KB
MD518e38b53f1527568ff25be278160fd24
SHA1b4deeabd0f47bdc7bb989b4307d9db52896cd918
SHA2561021447d18013f4e33df901b6ef8e4ec5bfaede45a6429fc962926b42db1a170
SHA5120a4a7f7061de05da424cc937cbb3554edcf4bec4170ab9bfa86a571a9f1cc3a3e3b99df240425ee152d65e2d7943e72887ca6360e998da3c138f8463bdb06fba
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
Filesize
22KB
MD54c8f3a1e15f370ca8afe2992902a6e98
SHA1dc6324d924ac31bea4ad7e4dd6720ecdad3877dd
SHA256dcdc72549f7ad41cc860738adbeee5e44f02222415fd84ed5c92538ac9049b92
SHA512b63c4e48f3024edcf1e1391b5df6ff65fc5111849eb093b429fa0f21c03339dbaeff835f18e250758498f3432874b85348530e47b2ada93f6f68615a5ccf66c0
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
128KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
64KB
-
Filesize
344KB
-
Filesize
256KB
-
Filesize
4KB
