stormkitty | 25d0c4ef21f49c4794220886919feebccbe942bffc1c36b8430b9b005693ce42

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe
Size

842KB
MD5

de7711ff0df1b36bd31f32f15843905b
SHA1

abd7c78b184f42525f0d7b53ba829e8f81bd2134
SHA256

25d0c4ef21f49c4794220886919feebccbe942bffc1c36b8430b9b005693ce42
SHA512

fa154ea9e1bad8e71434dc4ccef5182fd5eb93880e7fb10ca95da8399edcfcccc52d47cb78c17a0514bf15ca667865030519cf7c3be85b0494e6f9b83bc95428
SSDEEP

12288:JuC9eHN8vWHXsYIugb+94LlvTyFLPkZqVQV3309b+Z2x2G4Q4UFfHak3sD8H7:QCQH2TYqtBTfZqVQBY2Gv4UFfHH328b

Score

10^/10

stormkitty collection credential_access discovery persistence privilege_escalation stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2724-4-0x0000000004C50000-0x0000000004D3C000-memory.dmp	family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updaters.exe	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updaters.exe	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\chrome updaters.exe	MSBuild.exe

Executes dropped EXE 1 IoCs

pid	Process
2392	ctfmom.exe

Loads dropped DLL 1 IoCs

pid	Process
2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ctfmom.exe\\Microsoft\\ctfmom.exe\" /noshow\\ctfmom.exe\" /noshow"	ctfmom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ctfmom.exe\\Microsoft\\ctfmom.exe\" /noshow\\ctfmom.exe\" /noshow"	ctfmom.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2476	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2724 set thread context of 2500	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	31

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\windows sidebar\gadgets\weather.gadget\images\120dpi\(120dpi)alerticon.png	MSBuild.exe
File opened for modification	\??\c:\program files\windows sidebar\gadgets\weather.gadget\it-it\js\highdpiimageswap.js	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\themes14\cascade\preview.gif	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0099190.jpg	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml	MSBuild.exe
File opened for modification	\??\c:\program files\videolan\vlc\uninstall.log	MSBuild.exe
File opened for modification	\??\c:\program files\windows sidebar\gadgets\mediacenter.gadget\flyout.html	MSBuild.exe
File opened for modification	\??\c:\program files\videolan\vlc\lua\http\view.html	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\common files\adobe air\versions\1.0\airappinstaller.exe	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\themes14\ricepapr\preview.gif	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0099198.gif	MSBuild.exe
File opened for modification	\??\c:\program files\registerhide.odp	MSBuild.exe
File opened for modification	\??\c:\program files\google\chrome\application\106.0.5249.119\installer\chrome.7z	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\extcheck.exe	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0341654.jpg	MSBuild.exe
File opened for modification	\??\c:\program files\windows sidebar\gadgets\currency.gadget\de-de\css\currency.css	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\office14\oarpmany.exe	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\config\modules\com-sun-tools-visualvm-host.xml	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\adobe\reader 9.0\reader\plug_ins\annotations\stamps\enu\dynamic.pdf	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0341554.jpg	MSBuild.exe
File opened for modification	\??\c:\program files\7-zip\lang\da.txt	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	MSBuild.exe
File opened for modification	\??\c:\program files\microsoft games\mahjong\mahjong.exe	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\images\cursors\win32_linkdrop32x32.gif	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\themes14\capsules\preview.gif	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0341475.jpg	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\moduleautodeps\org-openide-nodes.xml	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\themes14\layers\preview.gif	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\ag00090_.gif	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\ph02749g.gif	MSBuild.exe
File opened for modification	\??\c:\program files\dvd maker\shared\dvdstyles\travel\16_9-frame-background.png	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml	MSBuild.exe
File opened for modification	\??\c:\program files\videolan\vlc\lua\http\requests\browse.xml	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\publisher\backgrounds\j0143746.gif	MSBuild.exe
File opened for modification	\??\c:\program files\dvd maker\shared\dvdstyles\layeredtitles\1047x576black.png	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\themes14\breeze\thmbnail.png	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0099200.gif	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\office14\office setup controller\access.en-us\accessmuiset.xml	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0099167.jpg	MSBuild.exe
File opened for modification	\??\c:\program files\windows sidebar\gadgets\calendar.gadget\fr-fr\css\calendar.css	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0382944.jpg	MSBuild.exe
File opened for modification	\??\c:\program files\7-zip\lang\kab.txt	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	MSBuild.exe
File opened for modification	\??\c:\program files\mozilla firefox\install.log	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0145168.jpg	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\j0341645.jpg	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\clipart\pub60cor\wb01296_.gif	MSBuild.exe
File opened for modification	\??\c:\program files\7-zip\lang\tg.txt	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\modules\org-netbeans-core-multiview.xml	MSBuild.exe
File opened for modification	\??\c:\program files\java\jre7\bin\javacpl.exe	MSBuild.exe
File opened for modification	\??\c:\program files\windows sidebar\gadgets\clock.gadget\es-es\clock.html	MSBuild.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\smart tag\lists\1033\stocks.xml	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2972	netsh.exe
2512	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe
2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe
2500	MSBuild.exe
2500	MSBuild.exe
2500	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe
Token: SeDebugPrivilege	2476	tasklist.exe
Token: SeDebugPrivilege	2500	MSBuild.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2624	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2624	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2624	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2624	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2500	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2500	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2500	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2500	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2500	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2500	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2500	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2500	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2500	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	31
PID 2500 wrote to memory of 2512	2500	MSBuild.exe	32
PID 2500 wrote to memory of 2512	2500	MSBuild.exe	32
PID 2500 wrote to memory of 2512	2500	MSBuild.exe	32
PID 2500 wrote to memory of 2512	2500	MSBuild.exe	32
PID 2500 wrote to memory of 2964	2500	MSBuild.exe	34
PID 2500 wrote to memory of 2964	2500	MSBuild.exe	34
PID 2500 wrote to memory of 2964	2500	MSBuild.exe	34
PID 2500 wrote to memory of 2964	2500	MSBuild.exe	34
PID 2512 wrote to memory of 2536	2512	cmd.exe	35
PID 2512 wrote to memory of 2536	2512	cmd.exe	35
PID 2512 wrote to memory of 2536	2512	cmd.exe	35
PID 2512 wrote to memory of 2536	2512	cmd.exe	35
PID 2512 wrote to memory of 2972	2512	cmd.exe	37
PID 2512 wrote to memory of 2972	2512	cmd.exe	37
PID 2512 wrote to memory of 2972	2512	cmd.exe	37
PID 2512 wrote to memory of 2972	2512	cmd.exe	37
PID 2964 wrote to memory of 2476	2964	cmd.exe	38
PID 2964 wrote to memory of 2476	2964	cmd.exe	38
PID 2964 wrote to memory of 2476	2964	cmd.exe	38
PID 2964 wrote to memory of 2476	2964	cmd.exe	38
PID 2512 wrote to memory of 1664	2512	cmd.exe	39
PID 2512 wrote to memory of 1664	2512	cmd.exe	39
PID 2512 wrote to memory of 1664	2512	cmd.exe	39
PID 2512 wrote to memory of 1664	2512	cmd.exe	39
PID 2724 wrote to memory of 2392	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	41
PID 2724 wrote to memory of 2392	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	41
PID 2724 wrote to memory of 2392	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	41
PID 2724 wrote to memory of 2392	2724	de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe	41

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Drops startup file
  - Accesses Microsoft Outlook profiles
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2536
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2972
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C tasklist /FO TABLE > "C:\Users\Admin\AppData\Local\Temp\396d02e5e395f0e65d014577dd84a371\43165e9e92447b3045fdbdffe549ec75\processes.txt"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO TABLE
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2476
- C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML

Filesize
582KB

MD5
a4733f5a4b05315b159f6b05d8c3af43

SHA1
f3607f55ec7bdce89345f03142de78df59f2b020

SHA256
dc8680421e17b13adbfc409ac15df55971d45d13e01cfe8719eb2776df0658ec

SHA512
d6a521e976adfc02e7ea4c199f781fc144491974f42b09a5a0ab19159166e62fb756807f3378559ac43a4122b79e25dff130f3787c4e24a17da3f98b529c2be4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
f2db28fe29c24c06bbfb5892d85636dd

SHA1
9e3441dcd2dd187f9c62d60148e4d5d7b00262ee

SHA256
5e556fa7a5c99be5ba57178d041d39a61932cef928805f6cad0481005dc2970f

SHA512
7d9d8ae649559d50f19bed02efbd669b571faa07b1dcd6b6551563f2dd22bb8a1f6d66f7926f3f3c2134c50051c4e92345f9c3a3f2d33310df6ebaecf457cede

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
f59f14f6f2b7a84a9006686179c1477b

SHA1
3abae0dc0dc0cd6eae5e679b92ac7941f91eaa32

SHA256
4984709791505724c57985a0339df119d51dea1828c7021b2b0c90a2bd56d614

SHA512
7c2deb782bdd113f063447bd1886bb60b1efb5c2dd473b3e5425f1e8c62b53f92ffb6c69898f531f8ae04d1f3c553575665e490955bc5d5b3837f66c9d72dfd7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
a1af9bc1f76d9dbf67738a9171ee5550

SHA1
2c5f1c957735e09efeaf3248682a97fd0ea1a938

SHA256
2c90ca9f3960bf7933a3707cb36780e3021cd27e82ed2b0c0fa0f788e0c4992f

SHA512
1b7b2fcd11a5406e0d67cdc4c00e274cd4484dd3581b5f8c71621c019a9038779c9e5d4db065df2accc76c100d8ecb672b10f5cd4df54ced60e92adbba0d8873

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
a1212aef370fea988b29ced6086b84df

SHA1
9b677ba39cae901253f0a22be3fec6a43c42904e

SHA256
5131298c0f515e7fe7ef85d962af77545eb30183031f2f48018e3f5c6fa2a183

SHA512
17f3ceea9bc9d281fde662571552fa72f57a91707c5bd88c0c833b6827901089e580b3f05a8a9b6094a82eeeee753b9afbb81ec5cdaa8054a7cd320c70319973

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
66514031f376ecb8fedae94d526ddb29

SHA1
42a939eebda32c583e22e37bf3ef76dd84ff8cba

SHA256
3060604eef9eaae0c14582eed2c804fa61680449336aa62c30cdb52c89d18d72

SHA512
1fbfe9fd8c98d6657516a55b91ae654c2e80cc5924822d54d5666cef8f3416f83039549bd449f6082d7afcd32acd0ebfbeb112bacd29a139a670feb317006317

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
22fb889e74bc0343a9ecb3bfbfc67ed7

SHA1
d260885894e9bf3a273690a1934dbd962a6f10ab

SHA256
2294f8bc023211ea11ea17b0d92068dcc7e704a4ae054c6a14c7b71d4908bcbd

SHA512
f2b3791c76a5811b24d7c19855d6ac7d0c243df0f98c2b144a05c3af85890d026d4d54aaaf57c4c91d0827695bb9b6bb5987d3d9b3e3d9aba503693f12966622

Download Submit
C:\Users\Admin\AppData\Local\Temp\396d02e5e395f0e65d014577dd84a371\43165e9e92447b3045fdbdffe549ec75\processes.txt

Filesize
3KB

MD5
b1748c26fe54046b0751ea660b2f83cb

SHA1
82f0eda5b637ae42e712d65cf06fe95efd1292f2

SHA256
a2881ebe4562fab6c8f80700a611c47528fc2286f6af8a8523e9ef9f5875bc77

SHA512
e173da1b886657d4d5aa029015f912761886d33738bbb07687cb3361c489ddd6694fbbcc2b3c7ed45a33bf7f95f084ece21a76d265184a3c85bcf4799b25c293

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite

Filesize
48KB

MD5
1f3e951a60e7fd09c8aeb02bd519fc62

SHA1
8bdaf1ada75122938406a7e94b8c80b368042359

SHA256
b8f9ca821d9f544f6beb7c24bb3dd96b0a40c20657578f451db850c320bcc975

SHA512
b11fdaeaa8b82b03690b17b31a3b7b401a59c4f6f1e8659f54ad3dd4e7628ce3d40d66dcc9ceb774b6732907ca0356cca34a778c539cfea526e9e3971c74a046

Download Submit
C:\Users\Admin\Desktop\RECOVERY INSTRUCTIONS 4 .txt

Filesize
250B

MD5
c3dc5952b6f46d997f8c6c29a01fe227

SHA1
d4ae6d0be31788744c456ab07253ca316c28e92c

SHA256
77fb1bb1ab4a441cc3fedbb015e64b84a136a380119b0687ed8de0bdb9548173

SHA512
1b43248fe03488a70e4aed8cd0334eba26874ff0b9dcdb50fc6fba32b830eb6bf53f8ba5548350af806980748b6da12a85f59a1e0cac399173e10870c2b5927e

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\chrome updaters.exe

Filesize
842KB

MD5
fd66a4c8ccd02ce1ae5540b52ff16da9

SHA1
5aed2a82aeb1d2d8067ed9d9002e334052af603b

SHA256
c8800fea1cde3085df76be37a6ac312b64fc25dcd9ea5b4d2c4b1a176baa1fa8

SHA512
544d084c75a37d5623a5736d3e0a17027836441f9e5ea77fe21397f65df44755e0ea54097b850014562948029fa1a885aeac7fdff79ff8e6901ff298843fe6f2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe

Filesize
238KB

MD5
21f6685dd6b90f73bf9586acbc41f408

SHA1
33fcfb9cb7c7e698c1c7da27174ded1e00cfdf0a

SHA256
6b50dffc03fa2eb27a7cfb43c0e9fc31c95411e2193a564eb6b6578e28155839

SHA512
2f39b9ed3a9a5d55d4172ad6681e9506d38d06b6e04bb80861c41cdc07c3ce692c533adf820f3a2024bcbdb8ded7f7db4e99c92e3ebd125468dfa6ccc2eb23f1

Download Submit
memory/2500-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-43-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-38-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-45-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2500-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-34-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2500-71-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2500-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-218-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2500-44-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2724-65-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2724-54-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2724-52-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/2724-0-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/2724-4-0x0000000004C50000-0x0000000004D3C000-memory.dmp

Filesize
944KB

Download
memory/2724-3-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2724-2-0x00000000004B0000-0x00000000004C4000-memory.dmp

Filesize
80KB

Download
memory/2724-1-0x00000000012C0000-0x0000000001398000-memory.dmp

Filesize
864KB

Download