stormkitty | 1bd0003b7c27d07166b5967d4cfff1ec606d2dd47e3ea63cfeb3e0ded1920965

General

Target

file_2.exe
Size

354KB
MD5

a8bc3922060ac04531cc345cf32187a4
SHA1

1587cf4a2597c265562618f819e7de0793b82b77
SHA256

1bd0003b7c27d07166b5967d4cfff1ec606d2dd47e3ea63cfeb3e0ded1920965
SHA512

9d4b8e32d837642de9bfc9b57a606522d6340958bc49e49ad6e06ea5c30ef985970f82b4445a6719c7abeef56f1cb2335049889e7b73ba350e55e16c586e8136
SSDEEP

6144:ZEORvVBke0lARaQICciUyHd3AdA2ElfejV23oT3E1TfJ79TrOxLHq/hNnJLji:ZEKBke0l69cq9Hzo6F79Tr3pNR

Score

10^/10

stormkitty stealer vmprotect

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1864-54-0x00000000013E0000-0x0000000001440000-memory.dmp	family_stormkitty
behavioral1/memory/1864-55-0x000000001AC50000-0x000000001ACD4000-memory.dmp	family_stormkitty

Downloads MZ/PE file

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll	vmprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

384 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1000 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

836 taskkill.exe

pid	process
384	cmd.exe

flow	ioc
3	ip-api.com

pid	process
1000	timeout.exe

pid	process
836	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file_2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	file_2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	file_2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

file_2.exe

pid process

1864 file_2.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

file_2.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1864 file_2.exe
Token: SeDebugPrivilege 836 taskkill.exe

pid	process
1864	file_2.exe

description	pid	process
Token: SeDebugPrivilege	1864	file_2.exe
Token: SeDebugPrivilege	836	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

file_2.execmd.exe

description	pid	process	target process
PID 1864 wrote to memory of 384	1864	file_2.exe	cmd.exe
PID 1864 wrote to memory of 384	1864	file_2.exe	cmd.exe
PID 1864 wrote to memory of 384	1864	file_2.exe	cmd.exe
PID 384 wrote to memory of 324	384	cmd.exe	chcp.com
PID 384 wrote to memory of 324	384	cmd.exe	chcp.com
PID 384 wrote to memory of 324	384	cmd.exe	chcp.com
PID 384 wrote to memory of 836	384	cmd.exe	taskkill.exe
PID 384 wrote to memory of 836	384	cmd.exe	taskkill.exe
PID 384 wrote to memory of 836	384	cmd.exe	taskkill.exe
PID 384 wrote to memory of 1000	384	cmd.exe	timeout.exe
PID 384 wrote to memory of 1000	384	cmd.exe	timeout.exe
PID 384 wrote to memory of 1000	384	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\file_2.exe
"C:\Users\Admin\AppData\Local\Temp\file_2.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE2E1.tmp.bat
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:324

C:\Windows\system32\taskkill.exe
TaskKill /F /IM 1864
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\system32\timeout.exe
Timeout /T 2 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:1000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
Filesize
293KB

MD5
7a2d5deab61f043394a510f4e2c0866f

SHA1
ca16110c9cf6522cd7bea32895fd0f697442849b

SHA256
75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69

SHA512
b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize
448KB

MD5
6d1c62ec1c2ef722f49b2d8dd4a4df16

SHA1
1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

SHA256
00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

SHA512
c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE2E1.tmp.bat
Filesize
235B

MD5
855698603c26f013b63827ba53d85cab

SHA1
997c2f98debaada54716b261b6ef61d4705e716b

SHA256
af642c4e792ca47c1d5654852fffb7244cbfbdd70b28be24f725940a2143c44a

SHA512
4989aea4a982cb140dec7519bfeccd0a50b3ec86194e3cfa047d0e5926138c5db06348a62a815cd03fb543d57bf3f0860eaadf475bc3f940aaaca8862a6cdeef

Download Submit
memory/324-59-0x0000000000000000-mapping.dmp

Download
memory/384-57-0x0000000000000000-mapping.dmp

Download
memory/836-60-0x0000000000000000-mapping.dmp

Download
memory/1000-61-0x0000000000000000-mapping.dmp

Download
memory/1864-54-0x00000000013E0000-0x0000000001440000-memory.dmp

Filesize
384KB

Download
memory/1864-55-0x000000001AC50000-0x000000001ACD4000-memory.dmp

Filesize
528KB

Download
memory/1864-56-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads