Analysis
max time kernel: 438s
max time network: 1160s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25-10-2024 06:04
Behavioral tasks
behavioral1: Find Wallet v3.2-Crack.exe (resource win7-20240903-en)
behavioral2: Find Wallet v3.2-Crack.exe (resource win10-20240404-en)
behavioral3: Find Wallet v3.2-Crack.exe (resource win10v2004-20241007-en)
behavioral4: Find Wallet v3.2-Crack.exe (resource win10ltsc2021-20241023-en)
behavioral5: Find Wallet v3.2-Crack.exe (resource win11-20241007-en)
General
Target: Find Wallet v3.2-Crack.exe
Size: 3.5MB
MD5: 68f929dc1286bf7af65bf056845f9b42
SHA1: 1f1d9848811b3c00066f8be86035fda994ceedfd
SHA256: 0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82
SHA512: d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a
SSDEEP: 24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1
Malware Config
Signatures

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (2 IoCs)
resource: behavioral5/files/0x001d00000002aac8-7.dat, yara_rule: family_stormkitty
resource: behavioral5/memory/5760-28-0x0000000000BF0000-0x0000000000C46000-memory.dmp, yara_rule: family_stormkitty
Executes dropped EXE (2 IoCs)
PID 5760: Client.exe
PID 3312: Find Wallet v3.2-Crack.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Client.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Client.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Client.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) (4 IoCs)
File created: C:\ProgramData\OKUUPVQN\FileGrabber\Desktop\desktop.ini (Client.exe)
File created: C:\ProgramData\OKUUPVQN\FileGrabber\Documents\desktop.ini (Client.exe)
File created: C:\ProgramData\OKUUPVQN\FileGrabber\Downloads\desktop.ini (Client.exe)
File created: C:\ProgramData\OKUUPVQN\FileGrabber\Pictures\desktop.ini (Client.exe)
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 1: ip-api.com
flow 2: freegeoip.app
flow 2: api.ipify.org
flow 3: freegeoip.app
flow 20: api.ipify.org
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Client.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Find Wallet v3.2-Crack.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Find Wallet v3.2-Crack.exe)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (Client.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Client.exe)
Suspicious behavior: EnumeratesProcesses (22 IoCs)
PID 5760: Client.exe (22 events)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Token: SeDebugPrivilege, PID 5760 (Client.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
PID 2964 wrote to memory of 5760 (Find Wallet v3.2-Crack.exe, procid_target 80)
PID 2964 wrote to memory of 5760 (Find Wallet v3.2-Crack.exe, procid_target 80)
PID 2964 wrote to memory of 5760 (Find Wallet v3.2-Crack.exe, procid_target 80)
PID 2964 wrote to memory of 3312 (Find Wallet v3.2-Crack.exe, procid_target 81)
PID 2964 wrote to memory of 3312 (Find Wallet v3.2-Crack.exe, procid_target 81)
PID 2964 wrote to memory of 3312 (Find Wallet v3.2-Crack.exe, procid_target 81)
outlook_office_path (1 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Client.exe)

outlook_win_path (1 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Client.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"
  PID: 2964
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Client.exe (child of PID 2964)
    Command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
    PID: 5760
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

  C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe (child of PID 2964)
    Command line: "C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"
    PID: 3312
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads

Filesize: 105B
MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Filesize: 572KB
MD5: 022a7a71966bd3851a4db70a7825b9a7
SHA1: 6bbb91f704cbbbe332b28f532419a6a86108b78d
SHA256: e72df48cf1e7661160d6d1236f39a7a1d95dd92377be56447e781881fbe91d8f
SHA512: 00cd8bbf1783e0491271afa167f3f659c33ae9dc84d5934cc5ea9e2a4594805128ac7ec0c4c2363a430a344334b7d2cce22521af4ea2681a5b804057dd670428

Filesize: 548KB
MD5: 91b85b42314f421656de8752e526e589
SHA1: 476a69d81f178a1c52e1718880e3ba4adb9b3c84
SHA256: eaa8c8b5325dda1ae24e0718703d2da5c8cf394ebe999082621d4208f1ef245b
SHA512: 4197563fc209e93fbbdd47fc0eae78bc9959ee12b86cef28ccd78be31bb49f39c02b24f3463f976d332b320714fd8d0ddf11cf6fe77170645189be3ce5cc43bd

Filesize: 676KB
MD5: 9a1003363fa654b6cabb47196fbd3d0a
SHA1: 1717dfc7d1485c2019ec72f31ea010bee5c261f2
SHA256: ba78eb2a93889550a26e506e3cb46ce7426f56cd3d591bf3d8bca5fd727b7cae
SHA512: 6d7b1f325e3647534ae7013a719384fd97e42da5300ad60306c68c5eb6d7cb0cd78554fc6c681999f7143b301dd875392238767486e71b0bb8b4185b3cca6b21

Filesize: 676KB
MD5: baff41d1a5d29c9e80741353f5b170a5
SHA1: 83ece85f04f3caf103b88ef83ac114aa324a716c
SHA256: bfd9c57d8e3750883e7ac5f755fdf71aed394d5f0b75ef6f376c4d63b630a7a7
SHA512: 18432cb5d9dbfb0ca5945df08950c4326a1021e6e8e7ddcaf10d37274327a68925cd19f4727c532ba54d0e8825e4ea9208a3fed99533875c055269080b87cbf3

Filesize: 437KB
MD5: 9b59af8636f9e1bfc22fb729a2266523
SHA1: 01515fb278d23c39479a86347c992967a6ed0557
SHA256: 923dd914840fa904a3f43218aaf4eea766b0468c0a7778aed9029a0f210e6b72
SHA512: fa99d051807944f0118f7ca64813bf33727f17a05f40f51c478735d3077635b3dc05d0b9371071dac62e45ec8913b0904610352dae0ec911a7a2566766a6b642

Filesize: 551KB
MD5: 6d58064d19543a95afb764504e635b47
SHA1: 52e611da041e1e0d0d7210c294fcd3458069d927
SHA256: 7f9fca7c4b47017925c3ec9339d6966bc326a7f74b5964e866908950bf922d60
SHA512: 80d3a582dc9bda672d6afa23535259931e525e14b0e2c7f7053a39b86a686c8ddbbffdd2a0edd08a326245611994ef26d863e3b1376defff68dcb4dbf3f18b02

Filesize: 589KB
MD5: d3c719316f1ea0f04a74ff40f10024b8
SHA1: 4f44f25293f36be53584679beb36350e4a07ea83
SHA256: 81e587d66ddc05b22e84dab3ffc7fcd653c2cc99c1f84e8df7cbf28d35d60bcd
SHA512: 58c957c88bff85927317efafab58061efb7300634526c7b79a32b2dc9f14b2c52118a5b28e9badf954220515d8e9ea0a95be880b44aa9971b265c5cc3a50fc6b

Filesize: 4KB
MD5: f925632a1add3e89ebd87e3bda3f0ac3
SHA1: 4637c514d42c862d9bdda70ca3ac6b1871ed21a5
SHA256: baeaf533b4a2dc83ae14b94aee2f0b03364979f4f1b734757318e75b486ffbd7
SHA512: 6fe4cef9effe804aed132ece75b9754b5993a389cd191ca14a83b1f6e4ae97547de607e7d2b43427967af9703905241c6b6acb5c15e072ecc0e1b0cfd9e34018

Filesize: 320KB
MD5: bc5da83795b587fb1dfce2d6bef2d176
SHA1: ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0
SHA256: d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb
SHA512: 503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5

Filesize: 3.0MB
MD5: c309cb9865dfc6dbb7f977f4c0f722c0
SHA1: b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9
SHA256: 51472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5
SHA512: a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797