Overview
overview
10Static
static
10-pril-main...th.exe
windows10-2004-x64
10-pril-main...aw.exe
windows10-2004-x64
10-pril-main...wd.exe
windows10-2004-x64
7-pril-main...gh.exe
windows10-2004-x64
10-pril-main...se.exe
windows10-2004-x64
10-pril-main...ed.exe
windows10-2004-x64
10Installer/CapCut.exe
windows10-2004-x64
10start-main...on.exe
windows10-2004-x64
8start-main/Sushi.exe
windows10-2004-x64
10start-main...wd.exe
windows10-2004-x64
1start-main...sd.exe
windows10-2004-x64
10start-main...fd.exe
windows10-2004-x64
10start-main...we.exe
windows10-2004-x64
5start-main...wd.exe
windows10-2004-x64
10start-main...pu.exe
windows10-2004-x64
10start-main...th.exe
windows10-2004-x64
5start-main...ed.exe
windows10-2004-x64
10start-main...fk.exe
windows10-2004-x64
5start-main...ha.exe
windows10-2004-x64
10start-main...ha.exe
windows10-2004-x64
10start-main...ea.exe
windows10-2004-x64
10start-main...as.exe
windows10-2004-x64
7start-main...dw.exe
windows10-2004-x64
8start-main...ha.exe
windows10-2004-x64
1start-main...wt.exe
windows10-2004-x64
10start-main...wd.exe
windows10-2004-x64
10start-main...gh.exe
windows10-2004-x64
3start-main/pdf.exe
windows10-2004-x64
10start-main...dh.exe
windows10-2004-x64
10start-main...as.exe
windows10-2004-x64
7start-main...tj.exe
windows10-2004-x64
10Analysis
-
max time kernel
143s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2024 08:01
Static task
static1
Behavioral task
behavioral1
Sample
-pril-main/dwthjadth.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
-pril-main/feuiyjjdaw.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
-pril-main/kldrgawdtjawd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
-pril-main/pothjadwtrgh.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
-pril-main/ptjjsekfthse.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
-pril-main/thadkythjawed.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Installer/CapCut.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
start-main/Session.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
start-main/Sushi.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
start-main/fgthawd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
start-main/gawdrgasd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
start-main/hbfgjhhesfd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
start-main/hdawuithjawe.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
start-main/hnfsefawd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
start-main/jerniuiopu.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
start-main/jthusjefth.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
start-main/jythjadthawed.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
start-main/khseofk.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
start-main/khtoawdltrha.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
start-main/ksfawtyha.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
start-main/ktyhpldea.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
start-main/lhoefskghas.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
start-main/ltpohpadw.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
start-main/mhbiwejrtgha.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
start-main/njrtdhadawt.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
start-main/odrsfgawd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
start-main/opthjdkawrtgh.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
start-main/pdf.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
start-main/pthjadh.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral30
Sample
start-main/ptihjawdthas.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
start-main/yjadyjasfdtj.exe
Resource
win10v2004-20241007-en
General
-
Target
start-main/pthjadh.exe
-
Size
2.3MB
-
MD5
9c044a232b3f817c3b91ce10adc92e0c
-
SHA1
12c9eb2e4c0b014356112a40cde6f4ff6ea5af6b
-
SHA256
798b09042289ed11db467e8c1d239b68e9ae1cf1f73401e5bf2bdc95bcc8a123
-
SHA512
37b8c133ca63e3f32e44d1417d3d6f7ff6c682696012bbedc65d07e0773ec9d70a9e12e519b9368ccc1bdf6273edb63d5b797b7b3e7c1bf749f42ed08052bef6
-
SSDEEP
49152:Rwcx9pgRLTOTnqEOEvERC2F9L0ViBBM84yv8Pdm/c7YrFUJUUUUUUU:Rwcx9pgRLTOT3dERjUJUUUUUUU
Malware Config
Signatures
-
Asyncrat family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
Processes:
resource yara_rule behavioral29/memory/4544-1-0x0000000000A70000-0x0000000000CBA000-memory.dmp family_stormkitty behavioral29/files/0x0002000000022ab5-12.dat family_stormkitty -
Stormkitty family
-
Async RAT payload 1 IoCs
Processes:
resource yara_rule behavioral29/files/0x0002000000022ab5-12.dat family_asyncrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
pthjadh.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation pthjadh.exe -
Executes dropped EXE 1 IoCs
Processes:
Wihnup.exepid Process 1540 Wihnup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid Process 4652 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 49 IoCs
Processes:
pthjadh.exeWihnup.exepid Process 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 4544 pthjadh.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe 1540 Wihnup.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
pthjadh.exeWihnup.exedescription pid Process Token: SeDebugPrivilege 4544 pthjadh.exe Token: SeDebugPrivilege 1540 Wihnup.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Wihnup.exepid Process 1540 Wihnup.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
pthjadh.execmd.execmd.exedescription pid Process procid_target PID 4544 wrote to memory of 4896 4544 pthjadh.exe 86 PID 4544 wrote to memory of 4896 4544 pthjadh.exe 86 PID 4544 wrote to memory of 3884 4544 pthjadh.exe 88 PID 4544 wrote to memory of 3884 4544 pthjadh.exe 88 PID 4896 wrote to memory of 4588 4896 cmd.exe 90 PID 4896 wrote to memory of 4588 4896 cmd.exe 90 PID 3884 wrote to memory of 4652 3884 cmd.exe 91 PID 3884 wrote to memory of 4652 3884 cmd.exe 91 PID 3884 wrote to memory of 1540 3884 cmd.exe 94 PID 3884 wrote to memory of 1540 3884 cmd.exe 94 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\start-main\pthjadh.exe"C:\Users\Admin\AppData\Local\Temp\start-main\pthjadh.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
PID:4588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC3CD.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:4652
-
-
C:\Users\Admin\AppData\Roaming\Wihnup.exe"C:\Users\Admin\AppData\Roaming\Wihnup.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1540
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
150B
MD5b6d53d9d3740a13cc26dcafe0f7c8353
SHA1fc355d0283440335f0ebe981f02b4e7abfeccef9
SHA25664859e0cee2bf861443f3a5aeb07ca3a393c6297af6ce488aa5a209c15dd5325
SHA5121390b552287ddce2f6232a01cb755eaa5dba5fabd60351ca94c47b741f8c0232a6d3c639a5286452ebc6e8ac26712f997aa51b48276d42c723582717f54bec9d
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
2.3MB
MD59c044a232b3f817c3b91ce10adc92e0c
SHA112c9eb2e4c0b014356112a40cde6f4ff6ea5af6b
SHA256798b09042289ed11db467e8c1d239b68e9ae1cf1f73401e5bf2bdc95bcc8a123
SHA51237b8c133ca63e3f32e44d1417d3d6f7ff6c682696012bbedc65d07e0773ec9d70a9e12e519b9368ccc1bdf6273edb63d5b797b7b3e7c1bf749f42ed08052bef6