Overview

overview

10

Static

static

1

00000998880.exe

windows7_x64

10

00000998880.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-04-2021 06:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00000998880.exe

  • Size

    1.1MB

  • MD5

    b75196ccea3a4ed66a87e7a98595b27f

  • SHA1

    db65efb2c2f426165479a6b9f70700d61f56b6e2

  • SHA256

    7a15a21c229fd3f9a2a18f2bb13bf2845a76a3822914c751174b1aa98303b8e8

  • SHA512

    2b23d1b83ecf18cc7ca5cb581691e17704f48320d43e849a527ce5079082c048a35eabb00cc40bf9fd1f207ea1f870de560b283742e8d47228666ed2aa4d49a1

Score
10/10
stormkittyspywarestealer

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty Payload 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00000998880.exe
    "C:\Users\Admin\AppData\Local\Temp\00000998880.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Users\Admin\AppData\Local\Temp\00000998880.exe
      "C:\Users\Admin\AppData\Local\Temp\00000998880.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:2716
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 932
            4⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1732
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          3⤵
            PID:2792
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 88
              4⤵
              • Program crash
              PID:3508
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            3⤵
              PID:1940
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 88
                4⤵
                • Program crash
                PID:556
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              3⤵
                PID:2888
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 88
                  4⤵
                  • Program crash
                  PID:1444
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                3⤵
                  PID:3976
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                  3⤵
                    PID:3980
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 88
                      4⤵
                      • Program crash
                      PID:2344

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/2188-118-0x0000000000400000-0x00000000004CF000-memory.dmp

                Filesize

                828KB

                Download

              • memory/2716-119-0x0000000000400000-0x00000000004B2000-memory.dmp

                Filesize

                712KB

                Download

              • memory/2716-128-0x0000000009450000-0x0000000009451000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2716-129-0x0000000009560000-0x0000000009561000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2716-183-0x0000000009750000-0x0000000009751000-memory.dmp

                Filesize

                4KB

                Download