Analysis
-
max time kernel
38s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
02-01-2023 00:46
Behavioral task
behavioral1
Sample
file_2.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file_2.exe
Resource
win10v2004-20221111-en
General
-
Target
file_2.exe
-
Size
354KB
-
MD5
a8bc3922060ac04531cc345cf32187a4
-
SHA1
1587cf4a2597c265562618f819e7de0793b82b77
-
SHA256
1bd0003b7c27d07166b5967d4cfff1ec606d2dd47e3ea63cfeb3e0ded1920965
-
SHA512
9d4b8e32d837642de9bfc9b57a606522d6340958bc49e49ad6e06ea5c30ef985970f82b4445a6719c7abeef56f1cb2335049889e7b73ba350e55e16c586e8136
-
SSDEEP
6144:ZEORvVBke0lARaQICciUyHd3AdA2ElfejV23oT3E1TfJ79TrOxLHq/hNnJLji:ZEKBke0l69cq9Hzo6F79Tr3pNR
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1864-54-0x00000000013E0000-0x0000000001440000-memory.dmp  family_stormkitty
behavioral1/memory/1864-55-0x000000001AC50000-0x000000001ACD4000-memory.dmp  family_stormkitty
-
Downloads MZ/PE file
-
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll  vmprotect
-
Deletes itself 1 IoCs
Processes:
pid  process
384  cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
3  ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid  process
1000  timeout.exe
-
Kills process with taskkill 1 IoCs
Processes:
pid  process
836  taskkill.exe
-
Modifies system certificate store
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  file_2.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [hex-encoded certificate blob omitted]  file_2.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid  process
1864  file_2.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1864  file_2.exe
Token: SeDebugPrivilege  836  taskkill.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description  pid  process  target process
PID 1864 wrote to memory of 384  1864  file_2.exe  cmd.exe
PID 1864 wrote to memory of 384  1864  file_2.exe  cmd.exe
PID 1864 wrote to memory of 384  1864  file_2.exe  cmd.exe
PID 384 wrote to memory of 324  384  cmd.exe  chcp.com
PID 384 wrote to memory of 324  384  cmd.exe  chcp.com
PID 384 wrote to memory of 324  384  cmd.exe  chcp.com
PID 384 wrote to memory of 836  384  cmd.exe  taskkill.exe
PID 384 wrote to memory of 836  384  cmd.exe  taskkill.exe
PID 384 wrote to memory of 836  384  cmd.exe  taskkill.exe
PID 384 wrote to memory of 1000  384  cmd.exe  timeout.exe
PID 384 wrote to memory of 1000  384  cmd.exe  timeout.exe
PID 384 wrote to memory of 1000  384  cmd.exe  timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file_2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file_2.exe"
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE2E1.tmp.bat
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\chcp.com
      Command line: chcp 65001
    -
    C:\Windows\system32\taskkill.exe
      Command line: TaskKill /F /IM 1864
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\timeout.exe
      Command line: Timeout /T 2 /Nobreak
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
Filesize 293KB
MD5 7a2d5deab61f043394a510f4e2c0866f
SHA1 ca16110c9cf6522cd7bea32895fd0f697442849b
SHA256 75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69
SHA512 b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0
-
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize 448KB
MD5 6d1c62ec1c2ef722f49b2d8dd4a4df16
SHA1 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
SHA256 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
SHA512 c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2
-
C:\Users\Admin\AppData\Local\Temp\tmpE2E1.tmp.bat
Filesize 235B
MD5 855698603c26f013b63827ba53d85cab
SHA1 997c2f98debaada54716b261b6ef61d4705e716b
SHA256 af642c4e792ca47c1d5654852fffb7244cbfbdd70b28be24f725940a2143c44a
SHA512 4989aea4a982cb140dec7519bfeccd0a50b3ec86194e3cfa047d0e5926138c5db06348a62a815cd03fb543d57bf3f0860eaadf475bc3f940aaaca8862a6cdeef
-
memory/324-59-0x0000000000000000-mapping.dmp
-
memory/384-57-0x0000000000000000-mapping.dmp
-
memory/836-60-0x0000000000000000-mapping.dmp
-
memory/1000-61-0x0000000000000000-mapping.dmp
-
memory/1864-54-0x00000000013E0000-0x0000000001440000-memory.dmp
Filesize 384KB
-
memory/1864-55-0x000000001AC50000-0x000000001ACD4000-memory.dmp
Filesize 528KB
-
memory/1864-56-0x0000000000450000-0x0000000000456000-memory.dmp
Filesize 24KB