Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
19-08-2024 09:39
General
-
Target
150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
-
Size
227KB
-
MD5
1a83a244d9e90a4865aac14bc0e27052
-
SHA1
d2b65e7aed7657c9915f90f03d46902087479753
-
SHA256
150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712
-
SHA512
f4b9d26d8a0841f9425abf038f85563ddee65e2404bc508fd23c8023bb565fd7f0ceaeaadde49c4951d3bbbb93f6b64b3cf610464855a2bf2d418477dd4fe03f
-
SSDEEP
6144:YzJS6VlWn4bk0+GIKSppY6sdeZywNeGC4xIAY9F:YzdVlHbk0X5SpppMVwfI
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 4 IoCs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 20 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe"C:\Users\Admin\AppData\Local\Temp\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zzzz.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\zzzz.exe"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
453KB
MD5ea57fc91ae24cfa5b37d7ab7ce42c9b4
SHA1b1d274d56e2b54f79aa44c0c6b9f99ff14d7b9ea
SHA25610ff0c57c1bbf52b5f1bf1e917db6262df84b4b814c228ce67b3f839e2e57384
SHA5122d5a76a8d7357b6675aaafd8429af3b30616e8cea40433797ae85807ad2d064308513f20942be20f86e340929de6021fb03fc29b6a62f1be794558ad893bf5ac
-
Filesize
755KB
MD5a71bdca67bb817662d1c4564f9674132
SHA124f19819c776be10e1126539031e0b8562e2eb47
SHA2569d0c43aa63dda86161b9c6ea43c42d0cbcfa7eba3cae65e2ac2131ea371387e8
SHA5123db961197f198aa72fdfe1da153f0359e779dedc915a15c0caffd75994e6cb223e0bb945fdcf27a7a501d58538941888f7a6580f15e546844b4e1bf2fdb86ca3
-
Filesize
634KB
MD511fcd51a435f575134d3ddc496fb8829
SHA1173fcb895392f9283db6385fffac1706512443ca
SHA25645ef1c9b4c1a9cb7140dd1e3a9f82d285c500676c01a1cc67a0cd8976997e906
SHA512c45a37b6cc756ac303a6e8f390bfbe514bb5e7c615a4038827752203dc5fd1b91dfca125b9ea0ee4403cd217299e6001602fd4907bec6b12d039cfd3c1e73b82
-
Filesize
252KB
MD5d9add683aebe4e206aaa16deb685c5db
SHA11f687b98df14fc8120919f322b0a36c955a2cf1f
SHA256175d57da3112813910d32ff680966c7b6650400e5cb6f4f8c0d69f13b9c3aa77
SHA512803d741951394f39c7c666f376c91561eaf30e33936c7d30eb8028633057e492504f10f92578b02933ce5ecb750203b5022bbfb14bb74af24c4195570844b285
-
Filesize
262KB
MD5c9d6a473d035d36a24346ba22ae5a169
SHA127b7292c1efdcbc84fa0833898067197563bb604
SHA25684308a8e60581462b322e2ba90ed559a12578d0b325006f573f7eb7753c5b2b5
SHA512b3b36ecd02f36961a1afc9553991dd418f44f7659e0ef0c5856d99981a0de8818d4ac30477ed4fd9b42a9095ac00c2c990ed6d3cffc4b912ac3890caae81c89d
-
Filesize
12KB
MD5a021b0d07449b1a32c352ece7868dabc
SHA11a81ce29c1fd9971d1b46d2ab354e27146cbd4f6
SHA256571a590bf32e7672c915579d18a9e9d92c3c2b45022c3440ef8b066d01cd0dca
SHA5123c9e26357a8bd53181f4fd60a5aa3828a17e8425ed41db4ccc062a75dfe6afa6736d945205852d925bb81e45c3c3a9fb22e7b220a54ca7481b2dc749c375c104
-
Filesize
216KB
MD5aa95e274ca959c5824c36ec7fac069ed
SHA11b89b9d770de15a65321bf1812461524040d6b15
SHA2560cd69bba5b824b45721f9f3c970ee51cd5d2db33ea8317a7c9d347ae3edf9f64
SHA51210c52ca03f023235e713a5dfe094599b72d801c82238b7fbfdb21a6394f23ee1c7b8abb3b7476358e653f560cfe82d56e699e106890c1f451ba809a78aecdf15
-
Filesize
418KB
MD5542c02c8ff226cf49302baa9ff2637fa
SHA12a9b6300244144f112371748b98ba76c750f4b02
SHA25641504b846e325b1a7f58f2891aad3e966ab886a497854a8ee27abd24ada3a832
SHA5128be27b951258c404ae47367fa5c2c2d85f4325fc8edaa8fb8166ab9315d3807473340552807d3a68d8fc7a32458f8b38a1d5f351dfdfcfebe7bb5a6c4d0800a4
-
Filesize
436KB
MD5604833e253baacfdbab4ac43bc2e3718
SHA115d27a70cd45d8579cc17ace0f1f8a926bab8d8d
SHA25691a2a9b50b02e69bb9abfe70b21eab271d3b86361ff73676fcf0059b37da3821
SHA51284772666045df4f6feaf345ae1d87bdf8d2f708353912fef15841ae0b3cc1df0f453daf0a0a5b5ad584be23766cbd83674d9b16a1aaab3ef56ce762af7a57df5
-
Filesize
248KB
MD588b4547a92b3837b764229f2f0c27995
SHA1c040da10e16e258d54eeac3215e3b3b8b56a77b1
SHA256cd5ae38a7a476af095020f8ed086aed25ea61f060ac93e90599fb6965feec6b5
SHA5122b52b9ca57fa92efce8bd4393e0178e2aa4ce55923fe3976a44ae41fd3234c9cb01fa804c6c58517407eb4940fd62047c0a4e5c8620ef9aae3893686b99c873f
-
Filesize
533KB
MD5aac37ac1b106cfe4a0ddea33cc30be2d
SHA1a9519a64e2a0673a23f087a08ae05142410a7403
SHA256a91e4b7680a8b6a1ba14b54636327d92f19b396b8a806f6504b313a6e21eca3c
SHA5129c141c2d5161c444c2fe1a095f7f51e61cd5663e0b40a05aa3d1dc3e86ce227db9e84e21ef49536dc329837b3e50b1d527d96d2af2e3936d03c084f3a50eb78b
-
Filesize
426KB
MD5b93c7adf8d2d9140683965e54e2355c7
SHA1c4d7b8c13bc67e1466abef37108c5d623d4cabab
SHA256af62a7dabd4868eafc41112b292e728baa18b777771c326503f499a0a89cf2e1
SHA5122db1bcc6acda4ff2a6137932a10f2e2b24a984f8b88c52364e59f8e7fdfe682242b19e0cc1283b2b8dd2fd02542748a40e0b283fc3d1136a55fa7e27e18838f3
-
Filesize
272KB
MD5260bbe5fba583ddb5d07e20dc6ed8445
SHA1289a13a3478de95715f92755c086bc76d733b699
SHA256f27d2c47e67a33e6407db270eac71ba6da2bb0ed6288e5c8900ffae80377c827
SHA512e52f8cafc1bf60f1508fc90a5a43d1f610f6fec162bca374aa54beb04c0f38f7c2e26065b824a38b1b48e8d38030d8b5ac8e0d8822bad2a173e61f56eae4325c
-
Filesize
367KB
MD5ff99de647450febf761ee65c56e4ceb7
SHA163b3eca2db9881fcd62b0975bccb8af11e1f5b76
SHA256fb83b08ebdbf8f3b237c96df81677f03c37319b18752173f710d7ac135c775a1
SHA5124271b66ab074cd62a9d80ddb4295f064c10d0891b081dc04fe90ccde7205e4596d92443d8ef9c7bc10f3e800bf43f647e8a22b18abccecb624ccaf466bcb0ad0
-
Filesize
477KB
MD58be08500f076d1a5336369af28c13ab7
SHA10c5b97611518ce96cdcd683d72045f9310f1f04d
SHA256d3b874e1ed72974163299f29f8e944c57c486d33544b3ca14c1eb5452f4e9b3a
SHA512c274cf33694b5944053ece0ecd76fc21480ac4c90866a4b26c44d745f53dd72d2aab1dcd8d833ddeb9f3eba100ba82250850af5da0a3195f916c22899b9d039b
-
Filesize
519KB
MD56afe1c39a34c5190e5fc7a39767bff84
SHA1597d608ec328bdfae726d760503f9fdedb52814c
SHA25628809aac3a0d3c5a3e713e236dae92b561a969ee6f19278605cc5c84d37e93b5
SHA512065748b31bf16b64e60071421a049676ff7937102e7b59807317b51998f221d76acaea65790c1c66c974d7c9e7c080a48b347fe1efedd9a4253479240fe5bc1b
-
Filesize
100KB
MD521560cb75b809cf46626556cd5fbe3ab
SHA1f2eec01d42a301c3caacd41cddb0ef2284dbb5a6
SHA256d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa
SHA51221eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db
-
Filesize
22KB
MD54c8f3a1e15f370ca8afe2992902a6e98
SHA1dc6324d924ac31bea4ad7e4dd6720ecdad3877dd
SHA256dcdc72549f7ad41cc860738adbeee5e44f02222415fd84ed5c92538ac9049b92
SHA512b63c4e48f3024edcf1e1391b5df6ff65fc5111849eb093b429fa0f21c03339dbaeff835f18e250758498f3432874b85348530e47b2ada93f6f68615a5ccf66c0
-
Filesize
320KB
MD5de4824c195cf1b2bb498511ef461e49b
SHA1f15ca6d0e02c785cce091dbd716cd43e3f5a80bd
SHA25651813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209
SHA512b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a
-
Filesize
7KB
MD53208f38bba6152a013f94e2e55b8c301
SHA13936870130647e8125790fbdf02e4347a3e74f99
SHA25666820ea715c024e01e25584f186b7a0069f7e3449219be06b2d34e54865f7ea8
SHA5128d8e95e48a2d7e8773ae2b8f6c931d8ec1b3aeaf513ae2182df00d208ffab2c53d89a11e2dccece237d9cde4b75476476e97dba953172e9aaa1a19a7458e344d
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
Filesize
344KB
-
Filesize
136KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
128KB
