Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-12-2024 17:32

General

  • Target

    SpyroidRatv8.5OriginalCracked.exe

  • Size

    55.7MB

  • MD5

    f2a9d485cc841bbd44543973e3739c05

  • SHA1

    53235a653bfc5822693e9adfdea01e1164909df9

  • SHA256

    37fae2ac78281be79821e625ba969bcd0c11336c56e68b71b5fbb284e9f8fd60

  • SHA512

    4de26d0f38868934182e0ef1fc3270990a66eba2c6af340490f55e4bf7f04696f91f93f62457191031d468e34c0ec5f0ba4995df63275dbf77254b1a7d2be56d

  • SSDEEP

    786432:JrXC9Vqv1tRgvtgkG8iAl0dYyBGpjKElxsdo/AG9Lqxlwy+WpL15Q7HxJ1KP3u5C:JjC9VvtdG8iV6jKmqdo/ry+gXwIuqxZ

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Stormkitty family
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Remote Service Session Hijacking: RDP Hijacking 1 TTPs 1 IoCs

    Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 4 IoCs
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempts to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SpyroidRatv8.5OriginalCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\SpyroidRatv8.5OriginalCracked.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Users\Admin\AppData\Local\Temp\rl payload.exe
      "C:\Users\Admin\AppData\Local\Temp\rl payload.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2908
    • C:\Users\Admin\AppData\Local\Temp\test rdp.exe
      "C:\Users\Admin\AppData\Local\Temp\test rdp.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net user ThanksEgalsa ThanksEgalsa /add
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\system32\net.exe" user ThanksEgalsa ThanksEgalsa /add
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user ThanksEgalsa ThanksEgalsa /add
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2868
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net localgroup administrators ThanksEgalsa /add
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\system32\net.exe" localgroup administrators ThanksEgalsa /add
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:316
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup administrators ThanksEgalsa /add
            5⤵
            • System Location Discovery: System Language Discovery
            PID:484
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net localgroup "Remote Desktop Users" ThanksEgalsa /add
        3⤵
        • Remote Service Session Hijacking: RDP Hijacking
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\system32\net.exe" localgroup Remote Desktop Users ThanksEgalsa /add
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup Remote Desktop Users ThanksEgalsa /add
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2388
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp561C.tmp.cmd""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Windows\SysWOW64\timeout.exe
          timeout 4
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2580
    • C:\Users\Admin\AppData\Local\Temp\Spyroid Rat V8.5 Cracked.exe
      "C:\Users\Admin\AppData\Local\Temp\Spyroid Rat V8.5 Cracked.exe"
      2⤵
      • Executes dropped EXE
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rl payload.exe

    Filesize

    320KB

  • C:\Users\Admin\AppData\Local\Temp\test rdp.exe

    Filesize

    8KB

  • C:\Users\Admin\AppData\Local\Temp\tmp561C.tmp.cmd

    Filesize

    154B

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

  • C:\Users\Admin\AppData\Roaming\PIDEURYY\Browsers\Firefox\Bookmarks.txt

    Filesize

    105B

  • C:\Users\Admin\AppData\Roaming\PIDEURYY\FileGrabber\Desktop\DismountPublish.xlsx

    Filesize

    10KB

  • C:\Users\Admin\AppData\Roaming\PIDEURYY\FileGrabber\Desktop\ResetExpand.rtf

    Filesize

    895KB

  • C:\Users\Admin\AppData\Roaming\PIDEURYY\FileGrabber\Desktop\SkipConvertFrom.txt

    Filesize

    561KB

  • C:\Users\Admin\AppData\Roaming\PIDEURYY\FileGrabber\Documents\AddUpdate.ppt

    Filesize

    407KB

  • C:\Users\Admin\AppData\Roaming\PIDEURYY\FileGrabber\Documents\BackupDisable.doc

    Filesize

    579KB

  • C:\Users\Admin\AppData\Roaming\PIDEURYY\FileGrabber\Documents\ConvertPublish.rtf

    Filesize

    250KB

  • C:\Users\Admin\AppData\Roaming\PIDEURYY\FileGrabber\Downloads\SetUnregister.jpeg

    Filesize

    631KB

  • C:\Users\Admin\AppData\Roaming\PIDEURYY\FileGrabber\Downloads\UndoRead.pptx

    Filesize

    460KB

  • C:\Users\Admin\AppData\Roaming\PIDEURYY\FileGrabber\Pictures\AddSelect.jpeg

    Filesize

    456KB

  • C:\Users\Admin\AppData\Roaming\PIDEURYY\FileGrabber\Pictures\EnableExpand.jpeg

    Filesize

    360KB

  • C:\Users\Admin\AppData\Roaming\PIDEURYY\FileGrabber\Pictures\JoinClose.jpg

    Filesize

    264KB

  • C:\Users\Admin\AppData\Roaming\PIDEURYY\FileGrabber\Pictures\ReadApprove.png

    Filesize

    252KB

  • memory/1028-14-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

    Filesize

    32KB

  • memory/1028-18-0x00000000742DE000-0x00000000742DF000-memory.dmp

    Filesize

    4KB

  • memory/2452-52-0x00000000000D0000-0x00000000042E0000-memory.dmp

    Filesize

    66.1MB

  • memory/2744-1-0x0000000000BD0000-0x0000000004392000-memory.dmp

    Filesize

    55.8MB

  • memory/2744-0-0x000007FEF5963000-0x000007FEF5964000-memory.dmp

    Filesize

    4KB

  • memory/2744-17-0x000007FEF5960000-0x000007FEF634C000-memory.dmp

    Filesize

    9.9MB

  • memory/2744-51-0x000007FEF5960000-0x000007FEF634C000-memory.dmp

    Filesize

    9.9MB

  • memory/2908-15-0x00000000002B0000-0x0000000000306000-memory.dmp

    Filesize

    344KB

  • memory/2908-53-0x00000000742D0000-0x00000000749BE000-memory.dmp

    Filesize

    6.9MB

  • memory/2908-223-0x00000000742D0000-0x00000000749BE000-memory.dmp

    Filesize

    6.9MB

  • memory/2908-251-0x00000000742D0000-0x00000000749BE000-memory.dmp

    Filesize

    6.9MB