Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15-12-2024 14:54
Behavioral task
behavioral1
Sample
PryntVirus.exe
Resource
win10v2004-20241007-en
General
-
Target
PryntVirus.exe
-
Size
232KB
-
MD5
ea10b6fdbb466c9e2bc1602efa14e4be
-
SHA1
f9144cda448d4cf8ff47ac9cdb56ed262c5f9de3
-
SHA256
e574a3494f4b760d028ccb7c8c73d6997aa7fd422104fa9b56c9ab3ddb695b2b
-
SHA512
81e076141d108f914008b29e2f7b350e832c1e1edb44d778a8150b8011c78452d29c1c563faf3da201cc8a91e61ac2b5bad7298be3ba36659a24298df4149fe9
-
SSDEEP
6144:jDubaBBOBIIj6HLLYLCYJqvc1DfNu4i8wb/SHbt5BasO5oUpNKEzoh:mbaYgh8wb6DY7XpQ
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot8038687818:AAF7yfWLNIj0GslX51tOIFXZ_75cuFnZ9oc/sendMessage?chat_id=6378570062
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral1/memory/2668-1-0x00000000003D0000-0x0000000000410000-memory.dmp family_stormkitty -
Stormkitty family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation PryntVirus.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 8 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\85d567cc101f1614b9f6f61cf73f747c\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini PryntVirus.exe File opened for modification C:\Users\Admin\AppData\Local\85d567cc101f1614b9f6f61cf73f747c\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini PryntVirus.exe File created C:\Users\Admin\AppData\Local\85d567cc101f1614b9f6f61cf73f747c\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini PryntVirus.exe File created C:\Users\Admin\AppData\Local\85d567cc101f1614b9f6f61cf73f747c\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini PryntVirus.exe File created C:\Users\Admin\AppData\Local\85d567cc101f1614b9f6f61cf73f747c\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini PryntVirus.exe File created C:\Users\Admin\AppData\Local\85d567cc101f1614b9f6f61cf73f747c\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini PryntVirus.exe File created C:\Users\Admin\AppData\Local\85d567cc101f1614b9f6f61cf73f747c\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini PryntVirus.exe File opened for modification C:\Users\Admin\AppData\Local\85d567cc101f1614b9f6f61cf73f747c\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini PryntVirus.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PryntVirus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 3904 cmd.exe 1936 netsh.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 PryntVirus.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier PryntVirus.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2608 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe 2668 PryntVirus.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2668 PryntVirus.exe Token: SeDebugPrivilege 2668 PryntVirus.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2668 wrote to memory of 3904 2668 PryntVirus.exe 86 PID 2668 wrote to memory of 3904 2668 PryntVirus.exe 86 PID 2668 wrote to memory of 3904 2668 PryntVirus.exe 86 PID 3904 wrote to memory of 812 3904 cmd.exe 88 PID 3904 wrote to memory of 812 3904 cmd.exe 88 PID 3904 wrote to memory of 812 3904 cmd.exe 88 PID 3904 wrote to memory of 1936 3904 cmd.exe 91 PID 3904 wrote to memory of 1936 3904 cmd.exe 91 PID 3904 wrote to memory of 1936 3904 cmd.exe 91 PID 3904 wrote to memory of 3696 3904 cmd.exe 92 PID 3904 wrote to memory of 3696 3904 cmd.exe 92 PID 3904 wrote to memory of 3696 3904 cmd.exe 92 PID 2668 wrote to memory of 3216 2668 PryntVirus.exe 93 PID 2668 wrote to memory of 3216 2668 PryntVirus.exe 93 PID 2668 wrote to memory of 3216 2668 PryntVirus.exe 93 PID 3216 wrote to memory of 3068 3216 cmd.exe 95 PID 3216 wrote to memory of 3068 3216 cmd.exe 95 PID 3216 wrote to memory of 3068 3216 cmd.exe 95 PID 3216 wrote to memory of 2268 3216 cmd.exe 96 PID 3216 wrote to memory of 2268 3216 cmd.exe 96 PID 3216 wrote to memory of 2268 3216 cmd.exe 96 PID 2668 wrote to memory of 2608 2668 PryntVirus.exe 109 PID 2668 wrote to memory of 2608 2668 PryntVirus.exe 109 PID 2668 wrote to memory of 2608 2668 PryntVirus.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:812
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:1936
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵
- System Location Discovery: System Language Discovery
PID:3696
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:3068
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2268
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2608
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\85d567cc101f1614b9f6f61cf73f747c\Admin@GUMLNLFE_en-US\System\Process.txt
Filesize4KB
MD547b5a5893528b11c8a2713658d2bc8a9
SHA196dfd566b983d991119661b1979519289de8f211
SHA25660dfff81bccb55b2d7899d78174c0b19083b18f885971776cd60ac66cc2cc4c7
SHA5128217105eff91ac78c27e27655ddb5e1b41c65272f542d1c73d4e04761e3e0f7de7ad5c084545ef604818ccb65a659296b8e2aeb6df33957e02a93fe2db0f6ecd
-
Filesize
4B
MD570d31b87bd021441e5e6bf23eb84a306
SHA147af2040bb2012893930fef26cd9f64525453d04
SHA256e991d703329d35bbb1c393db607226e1af7749cc77d3f3e50b15c9b684157e0f
SHA512afe2bbef00a5360fd1b9d165570d31ac9724d06e1aa2c1d0c0e00a7d587df0fe2e38879fcd3477988daf1ac4f66030616f9d0a51c556136d1c7b5072f1e60bec