stormkitty | 501317a60d63bac59b9cc6994cd4d03207a929ab689939d062635656b4ed8231

Analysis

max time kernel
82s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2022 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CfGQYemJHRdTnFG.exe
Size

117KB
MD5

19358aa5a8795a331a7f742e98ee5e58
SHA1

a94378675c169915e3b11ae3ac8b3a0a17f714ac
SHA256

cd1124d49f6e248b69e167e7fb5914040da63675486608cfa035082a837fe6ff
SHA512

fbd3b723e1c6684a01b24edd711a1d361052e92d5e76870f7b2141800a3542ee714872823183b25a79542bb6cb7b7564df1b04962ab0de3bd9333800a57363ae
SSDEEP

3072:ZaOqc4zX7NK4w0qVc6j2D9bW0YBDrUbpgDwk:fF4zX7NKUGjg9ba

Score

10^/10

stormkitty spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral20/memory/1632-132-0x0000012ABCAC0000-0x0000012ABCAE2000-memory.dmp	family_stormkitty

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	CfGQYemJHRdTnFG.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3300	1632	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
1632	CfGQYemJHRdTnFG.exe
428	powershell.exe
428	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	CfGQYemJHRdTnFG.exe
Token: SeDebugPrivilege	428	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2380	1632	CfGQYemJHRdTnFG.exe	87
PID 1632 wrote to memory of 2380	1632	CfGQYemJHRdTnFG.exe	87
PID 2380 wrote to memory of 1548	2380	cmd.exe	89
PID 2380 wrote to memory of 1548	2380	cmd.exe	89
PID 2380 wrote to memory of 3252	2380	cmd.exe	90
PID 2380 wrote to memory of 3252	2380	cmd.exe	90
PID 2380 wrote to memory of 676	2380	cmd.exe	91
PID 2380 wrote to memory of 676	2380	cmd.exe	91
PID 1632 wrote to memory of 2444	1632	CfGQYemJHRdTnFG.exe	92
PID 1632 wrote to memory of 2444	1632	CfGQYemJHRdTnFG.exe	92
PID 2444 wrote to memory of 2364	2444	cmd.exe	94
PID 2444 wrote to memory of 2364	2444	cmd.exe	94
PID 2444 wrote to memory of 4712	2444	cmd.exe	95
PID 2444 wrote to memory of 4712	2444	cmd.exe	95
PID 1632 wrote to memory of 428	1632	CfGQYemJHRdTnFG.exe	96
PID 1632 wrote to memory of 428	1632	CfGQYemJHRdTnFG.exe	96

C:\Users\Admin\AppData\Local\Temp\CfGQYemJHRdTnFG.exe
"C:\Users\Admin\AppData\Local\Temp\CfGQYemJHRdTnFG.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1548
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    PID:3252
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:676
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2364
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $source = 'C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US';;$destination = 'C:\Users\Admin\AppData\Roaming/Admin-logs.zip';;If(Test-path $destination) {Remove-item $destination};;Add-Type -assembly 'system.io.compression.filesystem';;[io.compression.zipfile]::CreateFromDirectory($Source, $destination)
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1632 -s 2768
  2⤵
  - Program crash
  PID:3300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 1632 -ip 1632
1⤵
PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
115B

MD5
0ca02d5a982debc89a18a061bac91a4b

SHA1
8f0cfe7f0dade0a74f698ba1ea1384045710060c

SHA256
63ed103f5076c20b34f36efa685154aaeda7b66c206fa2f2588994fd9c60de7f

SHA512
a3aff8e71e8288d97b167b9f72bb0be2a4cc5fb4b7d0975e04c792d053aa30e5882005863c7666ef94b08976a924903d52d614c2220836d0b1c247031c87f1ce

Download Submit
C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\Browsers\InternetExplorer\Passwords.txt

Filesize
406B

MD5
a70c01a301af5922c13cd6fbaa6606c1

SHA1
c994d604d4bbc15c661e5165e8cd240879d60083

SHA256
d6831857c1ccceeb608c0ef58eafc352f57c35d1f7fde7583f7c059a3472d6e2

SHA512
721c1e572de47962c52a0bae9fa0a05ccb1f5c1e3a877efc7307f8c71427191c4bfa14284427d219630b217c629e5bc1482c1ed09b35dbd2956fdc0b42732a5a

Download Submit
C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\Directories\Desktop.txt

Filesize
548B

MD5
fd7c4294c8acae3c548893882728f2ef

SHA1
5dd3bfb5486d4bebbee196b01a93e78e296781c2

SHA256
6f725a430970374e87f1270c45dac881077a0f188d53ae3ee41bc5bbd7667fe0

SHA512
03893461ae2617d7075600388d3d34173ff79ec6b2253874e7e068c8ebbf57f357134aa283f85ced969be30172172b7ea5c8e3d3bddccca9d088dd2e58e4097b

Download Submit
C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\Directories\Documents.txt

Filesize
756B

MD5
6cb90dd95fbf32d34b3c277f56afd293

SHA1
a0bdd4618f0c3f51eacc65d63d13a35b049da131

SHA256
98bdadc07077a9f419b4de730c25167ab63e658fe176141507778b5190f8c9a8

SHA512
6e499d0017c1ce294f66ddbf36f2445bee11e455dbe799a3a190f1f552cdc89f497c4b992629d3e9b21c0e17c1673d65024eb04c468d36d696f59dc55b3f738d

Download Submit
C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\Directories\Downloads.txt

Filesize
601B

MD5
018acefc67a0e5bf397140f07f09a4e8

SHA1
48fe18bf8208756ae61bb8ad6433b0ba1b623e30

SHA256
2a84b22f171f6ef385f2ea5c3ed6a24bf1f537a01364492e34e07137254d99fd

SHA512
9e32ca4f0e169529711e290af804320ee5eb39a6ef5987506603b57a1a65c68f9fe81d31af826cbcff6ce070b1a9a8f1ae0ab4b584fc64b7f0416b05bba8af3b

Download Submit
C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\Directories\Pictures.txt

Filesize
622B

MD5
66eb98e09617847105c624cb766d4761

SHA1
61a142de6bcb6689b81cca99f43e2261abd2a2fc

SHA256
b0c7fc83b01a8e0bfe91e4490be7ecafdecceb8cf0672aeb02b15e7712ffb4d6

SHA512
4470ac1c11466dbf1e8933b650a7d20ef5c3262952812c21abd0166c151e12792373af8e003eb6ed5d1fad7ea6ed81ab232209c97de2501981b330de1d132f39

Download Submit
C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\Directories\Temp.txt

Filesize
1KB

MD5
f732c6847e6565e1432e6131979c3a11

SHA1
a9206492888485f503fbb777b6d7445c5c61fae2

SHA256
25386de248842ce0d93852a6b22484920e9588c32c783e5c6a12c904b708e50e

SHA512
1fa4cf24fad13f70f25645be2995b65734ce1793b9437a865315ae076f7dbe6daded60df222f43903ca267885bf92e12accacea0b3d9deee80d126b582c87a5c

Download Submit
C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\System\Desktop.jpg

Filesize
83KB

MD5
0de81670a1aade0df1379554501522c5

SHA1
b287672ef60d76147600b38cae496f4b4245ecde

SHA256
d377000270027309fee05b4ee233b7c3c2738d51e32464d466bf717e3435e56e

SHA512
d0eb8a24e17be0d8a147f3e495f94eb40797a5c763dcb49f367a95dda88928219bc661a52bea2b797d820f0e7802d6f35a42661b6266cf9fee8a9e13f285f61e

Download Submit
C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\System\Process.txt

Filesize
5KB

MD5
538db361c5f9b11d7ef91f64330d101b

SHA1
b86edd8cfc2177fd59bc5acdbfe7a02edae4adf0

SHA256
781314bbdff04d10708e3457f47895cc2eca5c0f5f7d61474c05b3b25f51360a

SHA512
04c982e7c78f7ad7af58b7b73de279116a2aa40403c12757c749c3a37a36b9bfbe39de085afa6b38cdd781e33ae788be35e8061347629dbcc022e3d28e59f7ab

Download Submit
C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\f5b716681a1738d30865fa9250b7ed59\Admin@ESAXYXWD_en-US\System\ScanningNetworks.txt

Filesize
84B

MD5
58cd2334cfc77db470202487d5034610

SHA1
61fa242465f53c9e64b3752fe76b2adcceb1f237

SHA256
59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d

SHA512
c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

Download Submit
memory/428-144-0x000001777A1C0000-0x000001777A1D2000-memory.dmp

Filesize
72KB

Download
memory/428-160-0x00007FFB00050000-0x00007FFB00B11000-memory.dmp

Filesize
10.8MB

Download
memory/428-143-0x000001777A190000-0x000001777A19A000-memory.dmp

Filesize
40KB

Download
memory/428-142-0x0000017777AC0000-0x0000017777AE2000-memory.dmp

Filesize
136KB

Download
memory/1632-133-0x00007FFB00050000-0x00007FFB00B11000-memory.dmp

Filesize
10.8MB

Download
memory/1632-161-0x00007FFB00050000-0x00007FFB00B11000-memory.dmp

Filesize
10.8MB

Download
memory/1632-132-0x0000012ABCAC0000-0x0000012ABCAE2000-memory.dmp

Filesize
136KB

Download
memory/1632-159-0x00007FFB00050000-0x00007FFB00B11000-memory.dmp

Filesize
10.8MB

Download