Overview

overview

10

Static

static

10

file_2.exe

windows7-x64

10

file_2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    83s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-01-2023 00:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file_2.exe

  • Size

    354KB

  • MD5

    a8bc3922060ac04531cc345cf32187a4

  • SHA1

    1587cf4a2597c265562618f819e7de0793b82b77

  • SHA256

    1bd0003b7c27d07166b5967d4cfff1ec606d2dd47e3ea63cfeb3e0ded1920965

  • SHA512

    9d4b8e32d837642de9bfc9b57a606522d6340958bc49e49ad6e06ea5c30ef985970f82b4445a6719c7abeef56f1cb2335049889e7b73ba350e55e16c586e8136

  • SSDEEP

    6144:ZEORvVBke0lARaQICciUyHd3AdA2ElfejV23oT3E1TfJ79TrOxLHq/hNnJLji:ZEKBke0l69cq9Hzo6F79Tr3pNR

Score
10/10
stormkittycollectionspywarestealervmprotect

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Downloads MZ/PE file
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file_2.exe
    "C:\Users\Admin\AppData\Local\Temp\file_2.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1616
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2676
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          3⤵
            PID:2920
          • C:\Windows\system32\findstr.exe
            findstr All
            3⤵
              PID:2988
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3424
            • C:\Windows\system32\chcp.com
              chcp 65001
              3⤵
                PID:2824
              • C:\Windows\system32\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:2020
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp339.tmp.bat
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3968
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  3⤵
                    PID:5028
                  • C:\Windows\system32\taskkill.exe
                    TaskKill /F /IM 1616
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3936
                  • C:\Windows\system32\timeout.exe
                    Timeout /T 2 /Nobreak
                    3⤵
                    • Delays execution with timeout.exe
                    PID:2016
              • C:\Windows\system32\msiexec.exe
                C:\Windows\system32\msiexec.exe /V
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3792

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              Query Registry

              2
              T1012

              System Information Discovery

              3
              T1082

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Email Collection

              1
              T1114

              Exfiltration

              Command and Control

              Web Service

              1
              T1102

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
                Filesize

                293KB

                MD5

                7a2d5deab61f043394a510f4e2c0866f

                SHA1

                ca16110c9cf6522cd7bea32895fd0f697442849b

                SHA256

                75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69

                SHA512

                b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
                Filesize

                448KB

                MD5

                6d1c62ec1c2ef722f49b2d8dd4a4df16

                SHA1

                1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

                SHA256

                00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

                SHA512

                c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\tmp339.tmp.bat
                Filesize

                235B

                MD5

                8e25ede48fd06e2091e7e073709cf04f

                SHA1

                dbcd5a1bd03cc7f3e3e7a5771fae4a99bcb1f26d

                SHA256

                de09126a318cc86477829580caefc37b8acf8d60df546c3507f35440d8256f6f

                SHA512

                3c25b59b95f1d6ff416945e1655e5f9dd78310c47e7baebfdd7b8e1101cb0fbfb1c6e83da20a77c1c6c509c5ba9234746f6adb5710acae9372fdcf3a1534de82

                Download Submit
              • memory/1348-135-0x0000000000000000-mapping.dmp
                Download
              • memory/1616-132-0x0000019F44E80000-0x0000019F44EE0000-memory.dmp
                Filesize

                384KB

                Download
              • memory/1616-134-0x00007FF8A1A30000-0x00007FF8A24F1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1616-142-0x0000019F5FD70000-0x0000019F5FDE6000-memory.dmp
                Filesize

                472KB

                Download
              • memory/1616-143-0x0000019F5FE80000-0x0000019F5FF04000-memory.dmp
                Filesize

                528KB

                Download
              • memory/1616-149-0x00007FF8A1A30000-0x00007FF8A24F1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1616-133-0x00007FF8A1A30000-0x00007FF8A24F1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2016-148-0x0000000000000000-mapping.dmp
                Download
              • memory/2020-141-0x0000000000000000-mapping.dmp
                Download
              • memory/2676-136-0x0000000000000000-mapping.dmp
                Download
              • memory/2824-140-0x0000000000000000-mapping.dmp
                Download
              • memory/2920-137-0x0000000000000000-mapping.dmp
                Download
              • memory/2988-138-0x0000000000000000-mapping.dmp
                Download
              • memory/3424-139-0x0000000000000000-mapping.dmp
                Download
              • memory/3936-147-0x0000000000000000-mapping.dmp
                Download
              • memory/3968-144-0x0000000000000000-mapping.dmp
                Download
              • memory/5028-146-0x0000000000000000-mapping.dmp
                Download