Overview

overview

10

Static

static

10

1a.exe

windows7-x64

10

1a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    161s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a.exe

  • Size

    1.4MB

  • MD5

    80467b17d18000d6fab38846004e81ea

  • SHA1

    1ffbeeeb77a563e7068cbd85c5d2ee2423e01017

  • SHA256

    1aa7b910d99ef87d29be0bc96c4cf3a2823fea04fafd2a4b736c1156d73b2bb0

  • SHA512

    8ca8ddd7609afa50c15927aec910e9a077ffc89aa213d4f3a0bd4c2be7d7e5f4374a06cb58f0f726715e867376f08fbbea16c32ea1286e4b832b496b6d7a42e9

  • SSDEEP

    24576:CofiMngrdePNzQ0ZIxNXaV9x4IUgs36BUI2So5+jnzFYCaGApu8:7TgReFs0ZM0T+Sk6BU7HIFY7G98

Score
10/10
stormkittyspywarestealer

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a.exe
    "C:\Users\Admin\AppData\Local\Temp\1a.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1040
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          3⤵
            PID:996
          • C:\Windows\system32\findstr.exe
            findstr All
            3⤵
              PID:1028
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2128
            • C:\Windows\system32\chcp.com
              chcp 65001
              3⤵
                PID:2056
              • C:\Windows\system32\netsh.exe
                netsh wlan show profile name=65001 key=clear
                3⤵
                  PID:4236
                • C:\Windows\system32\findstr.exe
                  findstr Key
                  3⤵
                    PID:2136

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Exfiltration

              Command and Control

              Web Service

              1
              T1102

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/996-137-0x0000000000000000-mapping.dmp
                Download
              • memory/1028-138-0x0000000000000000-mapping.dmp
                Download
              • memory/1040-136-0x0000000000000000-mapping.dmp
                Download
              • memory/2056-140-0x0000000000000000-mapping.dmp
                Download
              • memory/2128-139-0x0000000000000000-mapping.dmp
                Download
              • memory/2136-142-0x0000000000000000-mapping.dmp
                Download
              • memory/3748-132-0x0000000000BB0000-0x0000000000D12000-memory.dmp
                Filesize

                1.4MB

                Download
              • memory/3748-134-0x00007FFAA33F0000-0x00007FFAA3EB1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3748-133-0x000000001B840000-0x000000001B85A000-memory.dmp
                Filesize

                104KB

                Download
              • memory/3748-143-0x00007FFAA33F0000-0x00007FFAA3EB1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4236-141-0x0000000000000000-mapping.dmp
                Download
              • memory/4824-135-0x0000000000000000-mapping.dmp
                Download