stormkitty | 7a15a21c229fd3f9a2a18f2bb13bf2845a76a3822914c751174b1aa98303b8e8

General

Target

00000998880.exe
Size

1.1MB
MD5

b75196ccea3a4ed66a87e7a98595b27f
SHA1

db65efb2c2f426165479a6b9f70700d61f56b6e2
SHA256

7a15a21c229fd3f9a2a18f2bb13bf2845a76a3822914c751174b1aa98303b8e8
SHA512

2b23d1b83ecf18cc7ca5cb581691e17704f48320d43e849a527ce5079082c048a35eabb00cc40bf9fd1f207ea1f870de560b283742e8d47228666ed2aa4d49a1

Score

10^/10

stormkitty spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2716-119-0x0000000000400000-0x00000000004B2000-memory.dmp	family_stormkitty
behavioral2/memory/2716-120-0x00000000004A734E-mapping.dmp	family_stormkitty

Loads dropped DLL 1 IoCs

Processes:

00000998880.exe

pid process

3108 00000998880.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3108	00000998880.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

00000998880.exe00000998880.exe

description	pid	process	target process
PID 3108 set thread context of 2188	3108	00000998880.exe	00000998880.exe
PID 2188 set thread context of 2716	2188	00000998880.exe	AppLaunch.exe
PID 2188 set thread context of 2792	2188	00000998880.exe	InstallUtil.exe
PID 2188 set thread context of 1940	2188	00000998880.exe	InstallUtil.exe
PID 2188 set thread context of 2888	2188	00000998880.exe	AppLaunch.exe
PID 2188 set thread context of 3976	2188	00000998880.exe	InstallUtil.exe
PID 2188 set thread context of 3980	2188	00000998880.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3508	2792	WerFault.exe	InstallUtil.exe
1732	2716	WerFault.exe	AppLaunch.exe
556	1940	WerFault.exe	InstallUtil.exe
1444	2888	WerFault.exe	AppLaunch.exe
2344	3980	WerFault.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

00000998880.exe

pid process

2188 00000998880.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

00000998880.exe

pid process

3108 00000998880.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1732 WerFault.exe
Token: SeBackupPrivilege 1732 WerFault.exe
Token: SeDebugPrivilege 1732 WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

00000998880.exe

pid process

2188 00000998880.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

00000998880.exe

pid process

2188 00000998880.exe
2188 00000998880.exe

pid	process
2188	00000998880.exe

pid	process
3108	00000998880.exe

description	pid	process
Token: SeRestorePrivilege	1732	WerFault.exe
Token: SeBackupPrivilege	1732	WerFault.exe
Token: SeDebugPrivilege	1732	WerFault.exe

pid	process
2188	00000998880.exe

pid	process
2188	00000998880.exe
2188	00000998880.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

00000998880.exe00000998880.exe

description	pid	process	target process
PID 3108 wrote to memory of 2188	3108	00000998880.exe	00000998880.exe
PID 3108 wrote to memory of 2188	3108	00000998880.exe	00000998880.exe
PID 3108 wrote to memory of 2188	3108	00000998880.exe	00000998880.exe
PID 3108 wrote to memory of 2188	3108	00000998880.exe	00000998880.exe
PID 2188 wrote to memory of 2716	2188	00000998880.exe	AppLaunch.exe
PID 2188 wrote to memory of 2716	2188	00000998880.exe	AppLaunch.exe
PID 2188 wrote to memory of 2716	2188	00000998880.exe	AppLaunch.exe
PID 2188 wrote to memory of 2716	2188	00000998880.exe	AppLaunch.exe
PID 2188 wrote to memory of 2716	2188	00000998880.exe	AppLaunch.exe
PID 2188 wrote to memory of 2716	2188	00000998880.exe	AppLaunch.exe
PID 2188 wrote to memory of 2716	2188	00000998880.exe	AppLaunch.exe
PID 2188 wrote to memory of 2716	2188	00000998880.exe	AppLaunch.exe
PID 2188 wrote to memory of 2792	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 2792	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 2792	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 2792	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 1940	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 1940	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 1940	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 1940	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 2888	2188	00000998880.exe	AppLaunch.exe
PID 2188 wrote to memory of 2888	2188	00000998880.exe	AppLaunch.exe
PID 2188 wrote to memory of 2888	2188	00000998880.exe	AppLaunch.exe
PID 2188 wrote to memory of 2888	2188	00000998880.exe	AppLaunch.exe
PID 2188 wrote to memory of 3976	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 3976	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 3976	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 3976	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 3976	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 3976	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 3976	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 3976	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 3980	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 3980	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 3980	2188	00000998880.exe	InstallUtil.exe
PID 2188 wrote to memory of 3980	2188	00000998880.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\00000998880.exe
"C:\Users\Admin\AppData\Local\Temp\00000998880.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\00000998880.exe
  "C:\Users\Admin\AppData\Local\Temp\00000998880.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 932
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:2792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 88
      4⤵
      Program crash
      PID:3508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:1940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 88
      4⤵
      Program crash
      PID:556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 88
      4⤵
      Program crash
      PID:1444
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:3976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:3980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 88
      4⤵
      Program crash
      PID:2344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\BrowsersFiles\MozillaCookies.txt

MD5
c0eba57ce108eb752f9d91b8e3529c9c

SHA1
ed333454d80787cb146a5c50bfc96fbe0ef881c2

SHA256
7afc1e9f51dd43ef4205cb543ebb57bbe6eba7ea23228a7973f397da556ace4b

SHA512
b3345a6f9a92d1e04cb4289cecea29e55a4ea4e4843d2218ceac852769fd47cf5d347483792f6ec6495d858cb688aabd74ed7cdd52a81c9b486380edc04216d0

Download Submit
\Users\Admin\AppData\Local\Temp\nsz4482.tmp\8l7r34p5yq96dij.dll

MD5
66907ccd5e6961ce220b944d5f62da1a

SHA1
311d801569bee3f8f0f2ac340d0771326433b968

SHA256
a20de63e493f23c7915a1d68f2aad022a14f9dadb1ae715369059a5b0ecdbb85

SHA512
0b8f07fef9edbed24134c18e40df614718fab37e23875ba6e50c6d2d223973bf9925972834afa64f8b0d32798d51565be3587597c1921509347131a92ccd47d4

Download Submit
memory/1940-184-0x0000000000404212-mapping.dmp

Download
memory/2188-115-0x00000000004025C4-mapping.dmp

Download
memory/2188-118-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2716-119-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2716-128-0x0000000009450000-0x0000000009451000-memory.dmp

Filesize
4KB

Download
memory/2716-129-0x0000000009560000-0x0000000009561000-memory.dmp

Filesize
4KB

Download
memory/2716-183-0x0000000009750000-0x0000000009751000-memory.dmp

Filesize
4KB

Download
memory/2716-120-0x00000000004A734E-mapping.dmp

Download
memory/2792-124-0x0000000000404212-mapping.dmp

Download
memory/2888-185-0x00000000004A734E-mapping.dmp

Download
memory/3976-186-0x0000000000404212-mapping.dmp

Download
memory/3980-188-0x0000000000404212-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads