Overview

overview

10

Static

static

10

Find Walle...ck.exe

windows7-x64

10

Find Walle...ck.exe

windows10-1703-x64

10

Find Walle...ck.exe

windows10-2004-x64

10

Find Walle...ck.exe

windows10-ltsc 2021-x64

10

Find Walle...ck.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    417s
  • max time network
    1136s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    25-10-2024 06:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Find Wallet v3.2-Crack.exe

  • Size

    3.5MB

  • MD5

    68f929dc1286bf7af65bf056845f9b42

  • SHA1

    1f1d9848811b3c00066f8be86035fda994ceedfd

  • SHA256

    0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82

  • SHA512

    d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a

  • SSDEEP

    24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1

Score
10/10
stormkittycollectiondiscoveryspywarestealer

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 3 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Roaming\Client.exe
      "C:\Users\Admin\AppData\Roaming\Client.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4448
    • C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe
      "C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1260

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Client.exe
    Filesize

    320KB

    MD5

    bc5da83795b587fb1dfce2d6bef2d176

    SHA1

    ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0

    SHA256

    d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb

    SHA512

    503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe
    Filesize

    3.0MB

    MD5

    c309cb9865dfc6dbb7f977f4c0f722c0

    SHA1

    b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9

    SHA256

    51472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5

    SHA512

    a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797

    Download Submit

  • C:\Users\Admin\AppData\Roaming\TPKXKBFB\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\TPKXKBFB\Process.txt
    Filesize

    4KB

    MD5

    5eb53c2f007eaed9d7ec788d741681ca

    SHA1

    ab4d7e18fea2ccab48cdbd2914b3a4065afdb2f1

    SHA256

    22ca6c2e46fd21995fb51d553c20792afd5fd6be5322fc9f9d0b4adb874d680e

    SHA512

    724fb5466b6bcd42c7f53b9805646e20b23495bb8d95fbfe3d90fd015d168ffafb85aa79637302f11d8cc10ac50b8234c8572ce312197b2e0852ad5b4ad6746f

    Download Submit

  • memory/1096-33-0x0000000074940000-0x0000000074EF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1096-2-0x0000000074940000-0x0000000074EF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1096-0-0x0000000074942000-0x0000000074943000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-1-0x0000000074940000-0x0000000074EF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1260-32-0x0000000071ABE000-0x0000000071ABF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1260-52-0x0000000009610000-0x000000000961E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1260-157-0x0000000071AB0000-0x0000000072261000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1260-36-0x0000000000C10000-0x0000000000F20000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1260-134-0x0000000071ABE000-0x0000000071ABF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1260-39-0x0000000071AB0000-0x0000000072261000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1260-51-0x0000000009640000-0x0000000009678000-memory.dmp

    Filesize

    224KB

    Download

  • memory/4448-41-0x0000000005D70000-0x0000000005E02000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4448-49-0x0000000006220000-0x0000000006286000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4448-42-0x00000000063C0000-0x0000000006966000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4448-133-0x0000000071AB0000-0x0000000072261000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4448-38-0x0000000071AB0000-0x0000000072261000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4448-136-0x0000000071AB0000-0x0000000072261000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4448-35-0x0000000071AB0000-0x0000000072261000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4448-34-0x00000000001A0000-0x00000000001F6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4448-167-0x0000000071AB0000-0x0000000072261000-memory.dmp

    Filesize

    7.7MB

    Download