Analysis
max time kernel: 90s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-01-2025 02:48
Behavioral task: behavioral1
Sample: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Resource: win10v2004-20241007-en
General
Target: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Size: 320KB
MD5: 1b8dac31eb30bd909fadcd9738c832ca
SHA1: 3d5021b656dcb39863d39430a4eddb5d6eb0e177
SHA256: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660
SHA512: 25b02e6ae62add0a550b6c6cf3b1506177012ff94d885f0773fe5a7554d1fee1c96c3f286d6728eae31249eacbfc26d4869633145ba48ff3e6cef54ae8a9e54a
SSDEEP: 6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvv:3m/Q6P8j/svm1TXI5tZB
Malware Config
Signatures
StormKitty
StormKitty is an open source info stealer written in C#.
StormKitty payload 1 IoCs
resource: behavioral2/memory/1968-1-0x0000000000BA0000-0x0000000000BF6000-memory.dmp
yara_rule: family_stormkitty
Stormkitty family
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other profile data.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Key opened: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) 3 IoCs
File created: C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Pictures\desktop.ini (process: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe)
File created: C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Desktop\desktop.ini (process: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe)
File created: C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Documents\desktop.ini (process: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe)
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 6: freegeoip.app
flow 9: freegeoip.app
flow 35: api.ipify.org
flow 36: api.ipify.org
flow 37: ip-api.com
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments; it is also read by info stealers when profiling the host, and by plenty of legitimate software, so on its own this is a weak indicator.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (process: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe)
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid 1968, 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe (28 occurrences, all from the same process)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeDebugPrivilege, pid 1968, 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
outlook_office_path 1 IoCs
Key opened: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe)
outlook_win_path 1 IoCs
Key opened: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe)
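Taken one at a time, most of the signatures above are weak: legitimate software queries the CPU identifier, reads the system language, resolves its public IP through api.ipify.org, and mail add-ins open the Outlook profile key. What makes this sample a stealer is the combination, plus the staging of desktop.ini copies under a FileGrabber directory. The following added example (written for this page; it is neither the sandbox's detection logic nor StormKitty code) correlates events shaped like the IoC rows above per process and only raises a verdict when several categories co-occur and at least one of them is credential related. The event records are constructed from the rows in this report, and the rule names, the MIN_CATEGORIES threshold and the benign control process (pid 4242) are assumptions.

```python
"""Correlate the behaviours reported for pid 1968 into one per-process verdict.

Added example for this report, not the sandbox's or StormKitty's own code.
Events are constructed from the report's IoC rows; rule names, the
credential-related set and the alert threshold are assumptions.
"""
import re

# Each rule applies to one event kind and matches a pattern over the target.
# Patterns are case-insensitive because the report logs both "DESCRIPTION"
# and "Description" for the same registry key.
RULES = {
    "outlook_profile": ("registry", re.compile(
        r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook"
        r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
        re.IGNORECASE)),
    "filegrabber_staging": ("file", re.compile(
        r"\\AppData\\Local\\[^\\]+\\FileGrabber\\"
        r"(?:Desktop|Documents|Pictures)\\desktop\.ini$", re.IGNORECASE)),
    "external_ip_lookup": ("dns", re.compile(
        r"^(?:freegeoip\.app|api\.ipify\.org|ip-api\.com)$", re.IGNORECASE)),
    "cpu_identifier": ("registry", re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(?:\\|$)",
        re.IGNORECASE)),
    "system_language": ("registry", re.compile(
        r"\\Control\\NLS\\Language$", re.IGNORECASE)),
    "debug_privilege": ("privilege", re.compile(r"^SeDebugPrivilege$")),
}

# Categories that point at data theft rather than mere host profiling.
CREDENTIAL_CATEGORIES = {"outlook_profile", "filegrabber_staging"}
# Assumed threshold: every single category occurs in benign software.
MIN_CATEGORIES = 3


def match_event(event):
    """Return the set of rule names the event satisfies."""
    return {name for name, (kind, pattern) in RULES.items()
            if event["kind"] == kind and pattern.search(event["target"])}


def evaluate(events):
    """Group events by pid; flag a pid when enough distinct categories were
    seen and at least one of them is credential related."""
    seen = {}
    for event in events:
        seen.setdefault(event["pid"], set()).update(match_event(event))
    return {
        pid: {"categories": sorted(cats),
              "flagged": len(cats) >= MIN_CATEGORIES
                         and bool(cats & CREDENTIAL_CATEGORIES)}
        for pid, cats in seen.items()
    }


def ev(pid, kind, target):
    return {"pid": pid, "kind": kind, "target": target}


# Constructed from the IoC rows of this report; all belong to pid 1968.
STORMKITTY_EVENTS = [
    ev(1968, "registry", r"\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ev(1968, "registry", r"\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ev(1968, "registry", r"\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ev(1968, "file", r"C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Pictures\desktop.ini"),
    ev(1968, "file", r"C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Desktop\desktop.ini"),
    ev(1968, "file", r"C:\Users\Admin\AppData\Local\OFGADUSE\FileGrabber\Documents\desktop.ini"),
    ev(1968, "dns", "freegeoip.app"),
    ev(1968, "dns", "api.ipify.org"),
    ev(1968, "dns", "ip-api.com"),
    ev(1968, "registry", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ev(1968, "registry", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"),
    ev(1968, "registry", r"\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0"),
    ev(1968, "privilege", "SeDebugPrivilege"),
]

# Constructed control: a hypothetical mail add-in (pid 4242) that reads the
# Outlook profile key and the CPU identifier, but stages and exfiltrates nothing.
BENIGN_EVENTS = [
    ev(4242, "registry", r"\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ev(4242, "registry", r"\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0"),
    ev(4242, "dns", "update.example.test"),
]

if __name__ == "__main__":
    for label, events in (("sample", STORMKITTY_EVENTS), ("control", BENIGN_EVENTS)):
        for pid, verdict in evaluate(events).items():
            print(label, pid, "FLAGGED" if verdict["flagged"] else "clean", verdict["categories"])
```

Run against the constructed sample events, pid 1968 lands in all six categories and is flagged; the control process matches two categories, one of them credential related, and stays clean because it never reaches the threshold. In a real deployment the same logic runs over Sysmon registry, file, DNS and token events keyed by ProcessGuid rather than pid, and the three lookup domains should be treated as a starting allow-list to extend, not as the full set a stealer may use.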
Processes
C:\Users\Admin\AppData\Local\Temp\80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660.exe"
PID: 1968
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (1)
  Credentials from Web Browsers (1)
Unsecured Credentials (2)
  Credentials In Files (2)
Downloads
Filesize: 105B
MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Filesize: 457KB
MD5: 508e7c8f620edd2e6c597dfc4a03bc3c
SHA1: 25573a93fc32421f9326b60683436012672d14de
SHA256: e551fe89a5d5ffa55df8c60e8e24ba2386285cb883954bdaf83e42412f605e2b
SHA512: d10a2c9e6d7c7a3d97d92a355a3eed030742b720b7560fd940940e7b5b3656f54d89eaf1540a2ada0534a4d6cc57ef46883a38c21cd4f96d755b495c4c06aa98

Filesize: 652KB
MD5: dc9b6c573566cb264a84ecbeb551183c
SHA1: 8d8fcd765452ff436d9130d606a0b96bc9d4ac7b
SHA256: dc0bf2aa691ae7c8f106331530eb63077372035b7aed6d4c8f5fd322e662c815
SHA512: 9feac23bb974f739b9018dd70bba6931aea53aebd9970bd4b682a4896b2925b049e800584553d50a04e61c85cc6aa1e4f5faad42b19d2905140481b03d439caf

Filesize: 633KB
MD5: 28821afabc507ddbb41f9fb7e1b3f811
SHA1: c632a6fd5e5505894a34f502f8da2a46fde4fa32
SHA256: 74f9bfd4bd022156cc0657731724d591cb4cd43e09736fa487d3b538f08b34fc
SHA512: b284c9983c7856bf95b37cc7de5f2a428d61d6e90f79cb51d9252576322fdd1e35090d0dd36c7a575b52024b934c6919ccc7db1e9ecf4ab00bdab280a55a59e5

Filesize: 2.8MB
MD5: 431a371cf38a738215dd7ce68a6582ea
SHA1: db1053fe961bcb7221ece78d926b16adefeda71b
SHA256: b65a47f6bb99ee0d8845b6c084ebd99b03f7735c65cab477ef0661bab5e3358a
SHA512: e68e5dd61d55349b65f37c52de0c5c83e1def485a3ff42c08fc3c6c9751c7d4ca0a934f83de3d3cc32d9a768df0ecbb68be44ae6dbaca0b454b8fa1c4cd16449

Filesize: 617KB
MD5: 65f452beba2c26da64fb5725b94c8af0
SHA1: abe7b72d17820792b332260aebaebeb945c9a80b
SHA256: 864e5ba0142ddb730308def3bdbcf6de62b2b359764eea8f6b264f842a5afd3d
SHA512: ac4a466b2529adf14ca28994c4845dac4957646dcbffe76d09f4af33242fc51ab19710e61493c3d3c31a64520d07db680581e7a60b7e15465553d0e636cdef9d

Filesize: 633KB
MD5: b7654d1728fd8f7af39e894d61da3267
SHA1: a79deceb9f4d680450d40273b6ceefab15e41b4d
SHA256: 7dad9aaac7f5325d111a207af43360abf1d9a8d6b9a5fa583a161c100ae140b8
SHA512: 1f525b2a482d91fc4c75b8bf34f8cfd40c42ea7e5e597cd43f2140d542d71aad86bd2ef55a0d7e40fafc0b3257711aa38edfedbde3b76187f06c300e130ebaca

Filesize: 753KB
MD5: f1c006c82d82f0526d03ee6051475f25
SHA1: 7fc711ffa1674f0cb3ba4baf4acd36d9abe020d5
SHA256: 02ac5b07bb4de30228d6f2b1be44724671a78e6ff37cea2cf6a3118986294f18
SHA512: 38c7bc778db3382603381c5cee16aa6547f3126447e8461436d4078fdd31c8853e8e516a5f25df9b65dcd78f99954a5f854e8cce1b8984929c1f63eec6b440c6

Filesize: 1.6MB
MD5: 46328c1852bc76b44307ae7bc7d08479
SHA1: a572ed9e7e0428e98905b414da2266fbd6143224
SHA256: 8b8d4e30e75682e35e898b94da633c64181e1c1483d5ab60acfc2ee346eaae7a
SHA512: 9aba9be1db9640904c94cb0863e2d2e4db1a5947c8e04b09050d3f665193de1ba0fb5f62a1bd91b0d808ffad9ef6eefd7a1e017e988844e03274dc7c5e97b0d1

Filesize: 4KB
MD5: 093ef0ab7996bbcb796ccccc1b59494e
SHA1: 05a7d29ff012e467202d6d989d96c2c80987a75a
SHA256: d66362f49f31b05747722372a68e491063ae2743c81bc7533768a063fe5e886e
SHA512: dce97ae8908752d99dbd124aeb0f1dc26dc14ad752d388aabcc95b607aa6c6b353041f0aca59e4420e86c031eed222d47d251d90ed8fc06c04c2cd68b5ea3804