Analysis
-
max time kernel
99s -
max time network
101s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
25-10-2024 06:06
Behavioral task
behavioral1
Sample
Find Wallet v3.2-Crack.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Find Wallet v3.2-Crack.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Find Wallet v3.2-Crack.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
Find Wallet v3.2-Crack.exe
-
Size
3.5MB
-
MD5
68f929dc1286bf7af65bf056845f9b42
-
SHA1
1f1d9848811b3c00066f8be86035fda994ceedfd
-
SHA256
0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82
-
SHA512
d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a
-
SSDEEP
24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral3/files/0x00290000000450c2-7.dat family_stormkitty behavioral3/memory/4612-36-0x0000000000C60000-0x0000000000CB6000-memory.dmp family_stormkitty -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation Find Wallet v3.2-Crack.exe -
Executes dropped EXE 2 IoCs
pid Process 4612 Client.exe 2964 Find Wallet v3.2-Crack.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\TEIQHMFC\FileGrabber\Desktop\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\TEIQHMFC\FileGrabber\Documents\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\TEIQHMFC\FileGrabber\Downloads\desktop.ini Client.exe -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 freegeoip.app 6 freegeoip.app 27 api.ipify.org 28 api.ipify.org 29 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Client.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Client.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe 4612 Client.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4612 Client.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3652 wrote to memory of 4612 3652 Find Wallet v3.2-Crack.exe 83 PID 3652 wrote to memory of 4612 3652 Find Wallet v3.2-Crack.exe 83 PID 3652 wrote to memory of 4612 3652 Find Wallet v3.2-Crack.exe 83 PID 3652 wrote to memory of 2964 3652 Find Wallet v3.2-Crack.exe 84 PID 3652 wrote to memory of 2964 3652 Find Wallet v3.2-Crack.exe 84 PID 3652 wrote to memory of 2964 3652 Find Wallet v3.2-Crack.exe 84 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Users\Admin\AppData\Roaming\Client.exe"C:\Users\Admin\AppData\Roaming\Client.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4612
-
-
C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
4KB
MD5d76b3b55903d33b8f8dad1c75068b9fa
SHA1175fddaad3d80160dd36fc3f6e4202db3ad41632
SHA256bcd4d941fccf6b008f5650d6a6720fe980ac14b63ad458f1fadec5c1b8dd9695
SHA512dc99b59471de7c1a367d985e0d147bc1fd1aecb0734cd7c9c33ded6b4d18565ea9ff76a5b3e80d10f1226aa6c3b888aacb1e2b036fad8a24705846f8f8780b31
-
Filesize
320KB
MD5bc5da83795b587fb1dfce2d6bef2d176
SHA1ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0
SHA256d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb
SHA512503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5
-
Filesize
3.0MB
MD5c309cb9865dfc6dbb7f977f4c0f722c0
SHA1b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9
SHA25651472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5
SHA512a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797