Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
92s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31/01/2025, 16:25
Behavioral task
behavioral1
Sample
Release/Stub/DestinyClient.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Release/Stub/DestinyClient.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Release/ZeroTrace Stealer.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
Release/ZeroTrace Stealer.exe
Resource
win10v2004-20250129-en
General
-
Target
Release/Stub/DestinyClient.exe
-
Size
124KB
-
MD5
18a330c0c46815c227282a7904934490
-
SHA1
f3cfb765a2dabbf2b8387c345116de9d6fa32583
-
SHA256
037cbf74f9c74780a84978646ae71eb7cf1c1324b7dff7828a92383d17896f4a
-
SHA512
b27e92d34126c3007875c80d05287a153c15fca763a93ac133a1fe3d280b7da9a66a055770205233c60a857c9d867bdb4b5214bebdf85d6ca9c507aa14ae7692
-
SSDEEP
3072:2k80D8yw5Ib5p3UuIns87TFbi9kN7xU53+X2KrVl:2kuI/Ehs0bwi
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/3156-1-0x0000000000080000-0x00000000000A6000-memory.dmp family_stormkitty -
Stormkitty family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DestinyClient.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DestinyClient.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DestinyClient.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ipinfo.io 7 ipinfo.io -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5040 3156 WerFault.exe 80 -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DestinyClient.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 1136 cmd.exe 1384 netsh.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 DestinyClient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier DestinyClient.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3156 DestinyClient.exe 3156 DestinyClient.exe 3156 DestinyClient.exe 3156 DestinyClient.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3156 DestinyClient.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 3156 wrote to memory of 1136 3156 DestinyClient.exe 81 PID 3156 wrote to memory of 1136 3156 DestinyClient.exe 81 PID 3156 wrote to memory of 1136 3156 DestinyClient.exe 81 PID 1136 wrote to memory of 3112 1136 cmd.exe 83 PID 1136 wrote to memory of 3112 1136 cmd.exe 83 PID 1136 wrote to memory of 3112 1136 cmd.exe 83 PID 1136 wrote to memory of 1384 1136 cmd.exe 85 PID 1136 wrote to memory of 1384 1136 cmd.exe 85 PID 1136 wrote to memory of 1384 1136 cmd.exe 85 PID 1136 wrote to memory of 3200 1136 cmd.exe 86 PID 1136 wrote to memory of 3200 1136 cmd.exe 86 PID 1136 wrote to memory of 3200 1136 cmd.exe 86 PID 3156 wrote to memory of 1096 3156 DestinyClient.exe 90 PID 3156 wrote to memory of 1096 3156 DestinyClient.exe 90 PID 3156 wrote to memory of 1096 3156 DestinyClient.exe 90 PID 1096 wrote to memory of 3596 1096 cmd.exe 92 PID 1096 wrote to memory of 3596 1096 cmd.exe 92 PID 1096 wrote to memory of 3596 1096 cmd.exe 92 PID 1096 wrote to memory of 4484 1096 cmd.exe 93 PID 1096 wrote to memory of 4484 1096 cmd.exe 93 PID 1096 wrote to memory of 4484 1096 cmd.exe 93 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DestinyClient.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DestinyClient.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Release\Stub\DestinyClient.exe"C:\Users\Admin\AppData\Local\Temp\Release\Stub\DestinyClient.exe"1⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3156 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:3112
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:1384
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵
- System Location Discovery: System Language Discovery
PID:3200
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 24562⤵
- Program crash
PID:5040
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:3596
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4484
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3156 -ip 31561⤵PID:5024
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7