Analysis
-
max time kernel
78s -
max time network
80s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
25-10-2024 06:06
Behavioral task
behavioral1
Sample
Find Wallet v3.2-Crack.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Find Wallet v3.2-Crack.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Find Wallet v3.2-Crack.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
Find Wallet v3.2-Crack.exe
-
Size
3.5MB
-
MD5
68f929dc1286bf7af65bf056845f9b42
-
SHA1
1f1d9848811b3c00066f8be86035fda994ceedfd
-
SHA256
0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82
-
SHA512
d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a
-
SSDEEP
24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral1/files/0x000900000001ab38-6.dat family_stormkitty behavioral1/memory/96-17-0x0000000000C70000-0x0000000000CC6000-memory.dmp family_stormkitty -
Executes dropped EXE 2 IoCs
pid Process 96 Client.exe 2336 Find Wallet v3.2-Crack.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 4 IoCs
description ioc Process File created C:\ProgramData\KZOWYSNI\FileGrabber\Desktop\desktop.ini Client.exe File opened for modification C:\ProgramData\KZOWYSNI\FileGrabber\Desktop\desktop.ini Client.exe File created C:\ProgramData\KZOWYSNI\FileGrabber\Downloads\desktop.ini Client.exe File created C:\ProgramData\KZOWYSNI\FileGrabber\Pictures\desktop.ini Client.exe -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 18 api.ipify.org 19 ip-api.com 1 freegeoip.app 3 freegeoip.app 17 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Client.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Client.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe 96 Client.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 96 Client.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2428 wrote to memory of 96 2428 Find Wallet v3.2-Crack.exe 75 PID 2428 wrote to memory of 96 2428 Find Wallet v3.2-Crack.exe 75 PID 2428 wrote to memory of 96 2428 Find Wallet v3.2-Crack.exe 75 PID 2428 wrote to memory of 2336 2428 Find Wallet v3.2-Crack.exe 76 PID 2428 wrote to memory of 2336 2428 Find Wallet v3.2-Crack.exe 76 PID 2428 wrote to memory of 2336 2428 Find Wallet v3.2-Crack.exe 76 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Users\Admin\AppData\Roaming\Client.exe"C:\Users\Admin\AppData\Roaming\Client.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:96
-
-
C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
365KB
MD585cbbf4e3ee88d6569e4892a398f40e7
SHA12da74dacd64bd33ff571663a8eea2bd1940475c0
SHA2561f429576f85078a96e6f0a3f572b374da8f8e6171f657470d1a2479f83875f97
SHA512381b3d2f282f857b7d3db336767e8f708ddc86daae2e91b098a964a71e8012119a87ec8f3363feca7409a61d3988554456bb60974eea709baa6160e77fac7be4
-
Filesize
339KB
MD578b6351422883020ceb5fb1914c91a80
SHA129e8b6000479ed079d5138e0b8fb5cd2daadf831
SHA256de70458d99818190606b9c6e34bc1a0fbf8e0ecce3e65893723f854541e7a574
SHA5122148c15defe82d07cebf5bb753b7f700818dcaab61cd690b26c041d9b2f2d6d9fb7816f0645994257f8efac8109673647ef145ac322c3fb9c35f512eec457247
-
Filesize
300KB
MD5cca87a8b6f4fe72363ee7c7a7c616995
SHA1bad4d7eca077bbcf7ee30e69c1ba76f330bcdea8
SHA2565a6f1979376060b4b3bee8eb3a3954cd73784e93470c4e50057229ce00169abc
SHA5127556a47f77d6895e777ba4219cba7e84203899ae1802e57c2eb210b4f9da685812e8001562fdd82441b5f3e0d60084c46be76a6c20265bdf7f7a2ef2fcf846c8
-
Filesize
2.0MB
MD5655ddfc8a05a76594dc76cbfddf2c9b9
SHA158bf03bb8756454f73c9e52c6abdb28b1db13148
SHA2568b11e2831377fa4f96a09547f7ca6a363b98a338fb0fe4c9b7868906f204ac79
SHA5122d04ac852d22acdfeee377f884160659cfb1ea674e50ae3fe5a7b90a1cba95d76b13b94103f5d7775f59be1486f00b4a201867a378547552330ad8c3dc522029
-
Filesize
241KB
MD5f24942557ffbefc1dee888ee00583797
SHA121c1209e3614752919b26a722c410723daba5dcc
SHA25660559136de42208ada31868ce26026f3fcda30f2fd00551ea200d4f8c3999b81
SHA51269314c883d439b7b6436f33585f76293be4deb6cf9197f78eb80fdb60330e87129476603c666822b625849c3275623d936abb82781340ac54993be449d5c3031
-
Filesize
269KB
MD508e0893c6d24b16f3cbb9ead28d8e7e6
SHA1f4b32ccff85f3abeaede77b2c5f5e59c502df520
SHA256f2b77e9a1548f3b98660441de4cefb3ba723826503813df7b0884809fb35dc84
SHA51278451a4472bf950f2f27a7cf5ab8f9d660bd1ecec81d950a73381399f9bf6d1db1ba1a1c92f0a9637ccdf86b89e6c8394aa4ec18879ff47ffb000144bedc5655
-
Filesize
163KB
MD561868e437b88b59f37a284891f3ae1bc
SHA1d182454610222a242491091f30bddb993bd37fe8
SHA256d52fb90629e510c0001fa6835ebe533dbebb617b6a06b5ea7ab2e675e16f10d4
SHA5125dfa30af67a7eb325dd12452eb689a21a946cf4f3550e9633bcbd87e79766ed4f2ceeb2d33406505148473807b3229d86dac947836e0c9946979d49c9d93263d
-
Filesize
198KB
MD542557a9e07fe0f7900eaff3c800db511
SHA1dfa5cb9aba950b4c400794ee4af0e55ecf3871ba
SHA25662d742de52135d1d3aae913e383c707e215fef4e730fd9bc28bf2f8fc68f833c
SHA51232d4639337815461bf4cf79921dcea8ba177e4e3ad84e3ad5c8e390303dd8da208c44ac259632e6ffb367582b35292f033152eba7148ae1679b63c80f4e829cb
-
Filesize
148KB
MD50714534f530e423e132d4c37302559c8
SHA1619247041ecb06e6049b58233a13fe59b0857555
SHA256c3a807939a4c75bcf38099aa4e1af9d72d2be4b391a566347f34f37a817bf7be
SHA5123ea543d9937f2a27b735c37130d2f9b90ec03cc31f82ee28f73079be93d4da9376513a84d1446b1dbba311add497049dad4e67073113a1081d0798935dac7285
-
Filesize
283KB
MD578efe67312716ab970ff4b322f0ca60e
SHA16ef60c255bb123998bbc7b5eaeb86ee32e2e7276
SHA256b9bdd9dc6c72bfaddebf324f154e2b8fad243d8fc543cef56c41ff8da822fc5d
SHA51213fc1f3aa52787e53d17880fab8e868b762ce2b295e1fa3d5aab1f3a2966f8641ec063ac896641fd19cfbcbf59e66a5fff4ddaa5f4d33cb61411afc91754bbc9
-
Filesize
340KB
MD5b194a6daef54d25898116ad1f19ab7ad
SHA17e3323b8a5c9f36f1ba59cba74bf9157c16fbe51
SHA25604cab27e98963b330fcdda7b5272cccda72f5f3790c175a616d5339360de9a4e
SHA5123c97ed86322cf3e963db6713a2e6a4947845317b4a13b42443cba386001113c0d860c9919984cdabc627cbcca723ffdbe758bb43a6227e59c9631a2caec01d89
-
Filesize
502KB
MD5823f3001bbaa43c08f1915e00d4cfac0
SHA11d0868a58dfcea7ee8c37ea8161543e4b8e68296
SHA256d7358485af7ddb703cf712d5533192184e550a17bb8d1e1f0c07cf183428cd56
SHA512dabded4a5be76fd29d165fe06e254bd196a4d23839cc59d7997a12c86fc5df995d6652c55c0cf2a06557c395d6560199d05384c9a2625c8e93d781396e79a390
-
Filesize
266KB
MD511b0dcfe584fb4fcbd788d0c1cef879d
SHA1a458620ca82111d363253f51cad68443baf406f8
SHA256f31e82d242656fdbea0ef60d381f249ac9aa650a19e3e5a59cde891f2dd2ba9e
SHA5124c48fdec4d9f5162411edf3539f82f852be2fabe755b06d17d22c52adc8424613ff0616becb20f4d850b0f6e79e2ac385db88e52a80adc8b576fc2670c055a21
-
Filesize
636KB
MD536a4bd7404b0e2a7efc4e88c33222420
SHA170527afe41c983e4b5987475f31ddd02a4affb06
SHA256443fec0c0904157605487b05a756b5d1730820509a8777e20e32156352e25614
SHA512c65af1153bd94fcf1b8dc22e3d43e6e44ef8d9580b51949c1ef5bb076fad1610f1f6ffc17d24027a07916989094b323186660997ad226f924be4ded725b76d1c
-
Filesize
320KB
MD5bc5da83795b587fb1dfce2d6bef2d176
SHA1ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0
SHA256d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb
SHA512503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5
-
Filesize
3.0MB
MD5c309cb9865dfc6dbb7f977f4c0f722c0
SHA1b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9
SHA25651472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5
SHA512a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797