Analysis
-
max time kernel
1558s -
max time network
1559s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
20-10-2024 16:54
Behavioral task
behavioral1
Sample
sample1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
sample1.exe
Resource
win10v2004-20241007-en
General
-
Target
sample1.exe
-
Size
45KB
-
MD5
d4e300eb8ed5bc378b50c2c0fa73dd82
-
SHA1
de0f866207fa8d5018a82aa75261a65b7d6697bd
-
SHA256
80e3e1b6447f2f22593ca40b29a153060c2c92bb5e237d2932a275f87dc16146
-
SHA512
ffaeba3bd79aed5b1f812dcb07efdddf27ec38c788a042f78c57d3caabb363a8c6720df2d0cf9b830b8c73dea2d8350e5e700408c4e831ce3287793aed9b5a8f
-
SSDEEP
768:+Dl1L0/tSsg+vpZzXOC/5G6hKCJmt02XtRkbyh2M3qQYHzYOahWlte:wzL01rrzXOCRthKCJa0wkby0LYOawHe
Malware Config
Extracted
xworm
147.185.221.16:40164
147.185.221.20:40164
-
install_file
System Volume Information Prefetch.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/1304-1-0x00000000008F0000-0x0000000000902000-memory.dmp family_xworm -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral1/memory/1304-6-0x000000001B720000-0x000000001B83E000-memory.dmp family_stormkitty -
Deletes itself 1 IoCs
pid Process 556 cmd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Delays execution with timeout.exe 1 IoCs
pid Process 2508 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1304 sample1.exe 1304 sample1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1304 sample1.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 1304 wrote to memory of 556 1304 sample1.exe 32
PID 1304 wrote to memory of 556 1304 sample1.exe 32
PID 1304 wrote to memory of 556 1304 sample1.exe 32
PID 556 wrote to memory of 2508 556 cmd.exe 34
PID 556 wrote to memory of 2508 556 cmd.exe 34
PID 556 wrote to memory of 2508 556 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample1.exe
"C:\Users\Admin\AppData\Local\Temp\sample1.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304 -
    C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF030.tmp.bat""
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:556 -
        C:\Windows\system32\timeout.exe
        timeout 3
        - Delays execution with timeout.exe
        PID:2508
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
159B
MD5 43bed6fb808bbf4a74002c2cef8f6900
SHA1 44e2d245fa293aa222e8d62316a45bcedd276676
SHA256 f553dca488255c388b59be9ad6b947e676ad21b28bfb2f6641aee532df038d54
SHA512 869d80cd6a4970598d26f8ef0497affa58faa452afdbd4c2819c3bfc3d5df6490588e13499c3f1b7018b1b3a1ee588983bd5c7a72956c533ca5083c978f21dd1