Analysis
-
max time kernel
10s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
19-10-2024 13:07
Behavioral task
behavioral1
Sample
NL Brute ACTIVATEOR.exe
Resource
win10-20240404-en
General
-
Target
NL Brute ACTIVATEOR.exe
-
Size
226KB
-
MD5
dbd8368aacabeb2f3007f2e41651e43e
-
SHA1
fc83221eca35d6fe5e71d12caa63d6b19fc702b5
-
SHA256
06da872afe3d9c80535c2fccdbe7054d299de1285cdf3666fa1a69a1a288c287
-
SHA512
4580870152c081843e0d6de2d6ad6a7b4b6fda017b09722720bb87c3ca790765cf355a6abf20810217085d8dc00a6fc2fe517d069214f64387ad59880a632f32
-
SSDEEP
3072:Z+STW8djpN6izj8mZw/Zf7/dFoUbBjXpW+WQwARPzjjyCYNMUL6+Wp0:m8XN6W8mm/VgUbfNBdnGd
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5787513945:AAHk4B_J3fjaWnYKNH9snbwB6zLOSTidL0E/sendMessage?chat_id=5611920321
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral1/memory/2116-1-0x0000000000560000-0x000000000059E000-memory.dmp family_stormkitty -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 9 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\29e692a91c1575a9b8b62ae3f9d03bea\Admin@DFZPKZRM_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini NL Brute ACTIVATEOR.exe File opened for modification C:\Users\Admin\AppData\Local\29e692a91c1575a9b8b62ae3f9d03bea\Admin@DFZPKZRM_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini NL Brute ACTIVATEOR.exe File created C:\Users\Admin\AppData\Local\29e692a91c1575a9b8b62ae3f9d03bea\Admin@DFZPKZRM_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini NL Brute ACTIVATEOR.exe File opened for modification C:\Users\Admin\AppData\Local\29e692a91c1575a9b8b62ae3f9d03bea\Admin@DFZPKZRM_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini NL Brute ACTIVATEOR.exe File created C:\Users\Admin\AppData\Local\29e692a91c1575a9b8b62ae3f9d03bea\Admin@DFZPKZRM_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini NL Brute ACTIVATEOR.exe File created C:\Users\Admin\AppData\Local\29e692a91c1575a9b8b62ae3f9d03bea\Admin@DFZPKZRM_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini NL Brute ACTIVATEOR.exe File created C:\Users\Admin\AppData\Local\29e692a91c1575a9b8b62ae3f9d03bea\Admin@DFZPKZRM_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini NL Brute ACTIVATEOR.exe File created C:\Users\Admin\AppData\Local\29e692a91c1575a9b8b62ae3f9d03bea\Admin@DFZPKZRM_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini NL Brute ACTIVATEOR.exe File created C:\Users\Admin\AppData\Local\29e692a91c1575a9b8b62ae3f9d03bea\Admin@DFZPKZRM_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini NL Brute ACTIVATEOR.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NL Brute ACTIVATEOR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 4536 cmd.exe 1472 netsh.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe 2116 NL Brute ACTIVATEOR.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2116 NL Brute ACTIVATEOR.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2116 wrote to memory of 4536 2116 NL Brute ACTIVATEOR.exe 74 PID 2116 wrote to memory of 4536 2116 NL Brute ACTIVATEOR.exe 74 PID 2116 wrote to memory of 4536 2116 NL Brute ACTIVATEOR.exe 74 PID 4536 wrote to memory of 804 4536 cmd.exe 76 PID 4536 wrote to memory of 804 4536 cmd.exe 76 PID 4536 wrote to memory of 804 4536 cmd.exe 76 PID 4536 wrote to memory of 1472 4536 cmd.exe 77 PID 4536 wrote to memory of 1472 4536 cmd.exe 77 PID 4536 wrote to memory of 1472 4536 cmd.exe 77 PID 4536 wrote to memory of 4652 4536 cmd.exe 78 PID 4536 wrote to memory of 4652 4536 cmd.exe 78 PID 4536 wrote to memory of 4652 4536 cmd.exe 78 PID 2116 wrote to memory of 4684 2116 NL Brute ACTIVATEOR.exe 79 PID 2116 wrote to memory of 4684 2116 NL Brute ACTIVATEOR.exe 79 PID 2116 wrote to memory of 4684 2116 NL Brute ACTIVATEOR.exe 79 PID 4684 wrote to memory of 600 4684 cmd.exe 81 PID 4684 wrote to memory of 600 4684 cmd.exe 81 PID 4684 wrote to memory of 600 4684 cmd.exe 81 PID 4684 wrote to memory of 4644 4684 cmd.exe 82 PID 4684 wrote to memory of 4644 4684 cmd.exe 82 PID 4684 wrote to memory of 4644 4684 cmd.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\NL Brute ACTIVATEOR.exe"C:\Users\Admin\AppData\Local\Temp\NL Brute ACTIVATEOR.exe"1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:804
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:1472
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵
- System Location Discovery: System Language Discovery
PID:4652
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:600
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4644
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\29e692a91c1575a9b8b62ae3f9d03bea\Admin@DFZPKZRM_en-US\System\Process.txt
Filesize4KB
MD516f62089a547fb334e999de782e9f2e1
SHA1e9cc1d1d69522fa2f0e4a73f9538b4fb638b1f3f
SHA2569b46f318406c1f758a1d9f9fc3ec104b12133ff8e079cbaa39ca393aa13e9364
SHA5120cef05207f3b69288173a6d3cf698e38449e526099b38a6a22408f5c1d8f715417be81fc39367d8e79fcf1a64dcfd6d14a9d8dc08f9629054d9774efaf34c595