Overview

overview

10

Static

static

1

00000998880.exe

windows7_x64

10

00000998880.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-04-2021 06:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00000998880.exe

  • Size

    1.1MB

  • MD5

    b75196ccea3a4ed66a87e7a98595b27f

  • SHA1

    db65efb2c2f426165479a6b9f70700d61f56b6e2

  • SHA256

    7a15a21c229fd3f9a2a18f2bb13bf2845a76a3822914c751174b1aa98303b8e8

  • SHA512

    2b23d1b83ecf18cc7ca5cb581691e17704f48320d43e849a527ce5079082c048a35eabb00cc40bf9fd1f207ea1f870de560b283742e8d47228666ed2aa4d49a1

Score
10/10
stormkittyspywarestealer

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty Payload 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00000998880.exe
    "C:\Users\Admin\AppData\Local\Temp\00000998880.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Users\Admin\AppData\Local\Temp\00000998880.exe
      "C:\Users\Admin\AppData\Local\Temp\00000998880.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:2716
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 932
            4⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1732
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          3⤵
            PID:2792
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 88
              4⤵
              • Program crash
              PID:3508
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            3⤵
              PID:1940
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 88
                4⤵
                • Program crash
                PID:556
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              3⤵
                PID:2888
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 88
                  4⤵
                  • Program crash
                  PID:1444
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                3⤵
                  PID:3976
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                  3⤵
                    PID:3980
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 88
                      4⤵
                      • Program crash
                      PID:2344

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              System Information Discovery

              1
              T1082

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\BrowsersFiles\MozillaCookies.txt
                MD5

                c0eba57ce108eb752f9d91b8e3529c9c

                SHA1

                ed333454d80787cb146a5c50bfc96fbe0ef881c2

                SHA256

                7afc1e9f51dd43ef4205cb543ebb57bbe6eba7ea23228a7973f397da556ace4b

                SHA512

                b3345a6f9a92d1e04cb4289cecea29e55a4ea4e4843d2218ceac852769fd47cf5d347483792f6ec6495d858cb688aabd74ed7cdd52a81c9b486380edc04216d0

                Download Submit
              • \Users\Admin\AppData\Local\Temp\nsz4482.tmp\8l7r34p5yq96dij.dll
                MD5

                66907ccd5e6961ce220b944d5f62da1a

                SHA1

                311d801569bee3f8f0f2ac340d0771326433b968

                SHA256

                a20de63e493f23c7915a1d68f2aad022a14f9dadb1ae715369059a5b0ecdbb85

                SHA512

                0b8f07fef9edbed24134c18e40df614718fab37e23875ba6e50c6d2d223973bf9925972834afa64f8b0d32798d51565be3587597c1921509347131a92ccd47d4

                Download Submit
              • memory/1940-184-0x0000000000404212-mapping.dmp
                Download
              • memory/2188-115-0x00000000004025C4-mapping.dmp
                Download
              • memory/2188-118-0x0000000000400000-0x00000000004CF000-memory.dmp
                Filesize

                828KB

                Download
              • memory/2716-119-0x0000000000400000-0x00000000004B2000-memory.dmp
                Filesize

                712KB

                Download
              • memory/2716-128-0x0000000009450000-0x0000000009451000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2716-129-0x0000000009560000-0x0000000009561000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2716-183-0x0000000009750000-0x0000000009751000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2716-120-0x00000000004A734E-mapping.dmp
                Download
              • memory/2792-124-0x0000000000404212-mapping.dmp
                Download
              • memory/2888-185-0x00000000004A734E-mapping.dmp
                Download
              • memory/3976-186-0x0000000000404212-mapping.dmp
                Download
              • memory/3980-188-0x0000000000404212-mapping.dmp
                Download