Analysis
-
max time kernel
94s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2024 18:52
Behavioral task
behavioral1
Sample
bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe
Resource
win10v2004-20241007-en
General
-
Target
bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe
-
Size
167KB
-
MD5
2494ddf095f3ad52f3ce518c45e37815
-
SHA1
fef7060001121af7720efc877adb57b3a0770e6c
-
SHA256
bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec
-
SHA512
6b1f703c94dcb3b5d33f303dd18c633863f846beb51ce06c574a0030ba7d8e90d71b76893fcf71947186e53567fa8ba9c54cccdce8453610b93df31dad992bf8
-
SSDEEP
3072:Kiuo2wrg+t38kRKQ9pgEvGW2e861u/s9b2JtD1wZp+Wp+WIrk:Cwg+t3DgEvTV91Ss9bY7KdIr
Malware Config
Extracted
asyncrat
0.0.1
Default
bigdaddy-service.biz:6606
bigdaddy-service.biz:7707
bigdaddy-service.biz:8808
https://api.telegram.org/bot1887752763:AAEFHUQhXilkF7u0X0Uqs-Po7aZUCtVrohg/sendMessage?chat_id=1096425866
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/3200-1-0x0000000000FD0000-0x0000000001000000-memory.dmp family_stormkitty -
Stormkitty family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\fbd5ad42a5bcdf761431c4983e04fd19\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe File created C:\Users\Admin\AppData\Local\fbd5ad42a5bcdf761431c4983e04fd19\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe File created C:\Users\Admin\AppData\Local\fbd5ad42a5bcdf761431c4983e04fd19\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe File created C:\Users\Admin\AppData\Local\fbd5ad42a5bcdf761431c4983e04fd19\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe File created C:\Users\Admin\AppData\Local\fbd5ad42a5bcdf761431c4983e04fd19\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe File created C:\Users\Admin\AppData\Local\fbd5ad42a5bcdf761431c4983e04fd19\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2844 3200 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 212 netsh.exe 3664 cmd.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3200 bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe 3200 bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe 3200 bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe 3200 bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3200 bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 3200 wrote to memory of 3664 3200 bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe 85 PID 3200 wrote to memory of 3664 3200 bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe 85 PID 3200 wrote to memory of 3664 3200 bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe 85 PID 3664 wrote to memory of 4732 3664 cmd.exe 87 PID 3664 wrote to memory of 4732 3664 cmd.exe 87 PID 3664 wrote to memory of 4732 3664 cmd.exe 87 PID 3664 wrote to memory of 212 3664 cmd.exe 88 PID 3664 wrote to memory of 212 3664 cmd.exe 88 PID 3664 wrote to memory of 212 3664 cmd.exe 88 PID 3664 wrote to memory of 4808 3664 cmd.exe 89 PID 3664 wrote to memory of 4808 3664 cmd.exe 89 PID 3664 wrote to memory of 4808 3664 cmd.exe 89 PID 3200 wrote to memory of 3192 3200 bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe 94 PID 3200 wrote to memory of 3192 3200 bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe 94 PID 3200 wrote to memory of 3192 3200 bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe 94 PID 3192 wrote to memory of 4984 3192 cmd.exe 96 PID 3192 wrote to memory of 4984 3192 cmd.exe 96 PID 3192 wrote to memory of 4984 3192 cmd.exe 96 PID 3192 wrote to memory of 3960 3192 cmd.exe 97 PID 3192 wrote to memory of 3960 3192 cmd.exe 97 PID 3192 wrote to memory of 3960 3192 cmd.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe"C:\Users\Admin\AppData\Local\Temp\bb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec.exe"1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:4732
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:212
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵
- System Location Discovery: System Language Discovery
PID:4808
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 20882⤵
- Program crash
PID:2844
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:4984
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3960
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3200 -ip 32001⤵PID:4908
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1