Resubmissions
- 27-03-2023 10:22  230327-mepxrafa5v  (score 10)
- 04-01-2023 02:34  230104-c2x7jagh6t  (score 10)
- 04-01-2023 02:21  230104-cta22agh5v  (score 10)

Analysis
- max time kernel: 98s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-01-2023 02:21
Behavioral task
behavioral1
Sample
ChMetamask.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
ChMetamask.exe
Resource
win10v2004-20221111-en
General
- Target: ChMetamask.exe
- Size: 1.3MB
- MD5: e7529d32d963da6df89e3ffc6b14cd08
- SHA1: 4a11070ee8c0030ffdcf299e2b49d180e1890f57
- SHA256: 75883a7761887acd7afab7f2acc4f48fe72ff32577397a3c6786ded83db1e57b
- SHA512: 35c220822e24eb8d5b5fef18fd2b7f57b73ab61102632007af89bbe4b9eaca814e817adf6fb0a830c08928cb50e649cdb2da1c5550797ff4b1b377e9ffa99156
- SSDEEP: 24576:HWiMngrdePNzQ0ZIxNXaV9x4IUgs36BUI2So5+jnzFoCaGApu8L:qgReFs0ZM0T+Sk6BU7HIFo7G98L
Malware Config
Signatures
-
StormKitty
StormKitty is an open-source info stealer written in C#. In this run it is identified by a YARA match on the sample's in-memory image; no C2 configuration was extracted (the Malware Config section above is empty), and the observed behaviour is browser-data access, Wi-Fi profile and key collection via netsh, and an external IP lookup.
-
StormKitty payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2156-132-0x00000000009A0000-0x0000000000AF8000-memory.dmp | family_stormkitty
Reads user/profile data of web browsers 2 TTPs
Infostealers routinely read the browser's stored profile data, which can include saved credentials, cookies and autofill form data.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
5 | checkip.dyndns.org
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2156 | ChMetamask.exe
Suspicious use of WriteProcessMemory 16 IoCs
Processes: ChMetamask.exe, cmd.exe, cmd.exe
description | pid | process | target pid | target process
(each write below is recorded twice in the report, giving the 16 IoCs)
PID 2156 wrote to memory of 3988 | 2156 | ChMetamask.exe | 3988 | cmd.exe
PID 3988 wrote to memory of 4372 | 3988 | cmd.exe | 4372 | chcp.com
PID 3988 wrote to memory of 4804 | 3988 | cmd.exe | 4804 | netsh.exe
PID 3988 wrote to memory of 4892 | 3988 | cmd.exe | 4892 | findstr.exe
PID 2156 wrote to memory of 4332 | 2156 | ChMetamask.exe | 4332 | cmd.exe
PID 4332 wrote to memory of 3120 | 4332 | cmd.exe | 3120 | chcp.com
PID 4332 wrote to memory of 4328 | 4332 | cmd.exe | 4328 | netsh.exe
PID 4332 wrote to memory of 3436 | 4332 | cmd.exe | 3436 | findstr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ChMetamask.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ChMetamask.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      command line: chcp 65001
    - C:\Windows\system32\netsh.exe
      command line: netsh wlan show profile
    - C:\Windows\system32\findstr.exe
      command line: findstr All
  - C:\Windows\SYSTEM32\cmd.exe
    command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      command line: chcp 65001
    - C:\Windows\system32\netsh.exe
      command line: netsh wlan show profile name=65001 key=clear
    - C:\Windows\system32\findstr.exe
      command line: findstr Key

The two cmd.exe chains are the stealer's Wi-Fi credential routine: the first enumerates saved WLAN profiles, the second asks netsh for a profile's key in cleartext (key=clear). The profile name it requests, 65001, is not a profile at all: it is the code page printed by chcp 65001 ("Active code page: 65001"), which reaches stdout unfiltered because cmd runs the pipeline as chcp 65001 && (netsh ... | findstr All). The sandbox VM has no wireless interface, so that line was the only output the stealer had to parse, and the result is consistent with it taking the text after the colon as a profile name. On a host with saved profiles the same key=clear command would be issued with real profile names, so the netsh wlan show profile ... key=clear command line, launched from cmd.exe under a non-shell parent, is the artefact to hunt for.
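Added example (not part of the sandbox report, and not StormKitty's source): the script below reproduces why the second netsh call names profile 65001, using a naive split-on-colon parser that is an assumed model of the observed behaviour, beside a parser that only accepts genuine netsh profile lines; it then runs a detection over constructed process-creation events (PIDs and command lines taken from the tree above; the parent of ChMetamask.exe and the trailing benign netsh event are assumptions) that flags the chcp/netsh chain and walks parent PIDs back to the binary that started it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# --- Part 1: why netsh was asked for profile "65001" --------------------------
# Constructed stdout as the parent process would capture it from
#   cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All
# cmd parses this as `chcp 65001 && (netsh ... | findstr All)`, so chcp's
# "Active code page" line is written to stdout unfiltered; only netsh's output
# passes through findstr. The sandbox VM has no wireless interface, so nothing
# containing "All" is produced by netsh.
STDOUT_NO_WIFI = "Active code page: 65001\r\n"
STDOUT_WITH_WIFI = (            # constructed: a host with two saved profiles
    "Active code page: 65001\r\n"
    "    All User Profile     : CorpWiFi\r\n"
    "    All User Profile     : HomeNet\r\n"
)


def naive_profile_names(stdout: str) -> list[str]:
    """Assumed stealer-style parser: split every line on ':' and keep the
    right-hand side. A model of the observed behaviour, not StormKitty's code."""
    names = []
    for line in stdout.splitlines():
        if ":" in line:
            names.append(line.split(":", 1)[1].strip())
    return names


def careful_profile_names(stdout: str) -> list[str]:
    """Accept only lines that are real netsh profile entries."""
    return re.findall(r"All User Profile\s*:\s*(\S.*?)\s*$", stdout, flags=re.M)


# --- Part 2: detection over process-creation events ---------------------------
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's process tree. PPID 0 for the sample
# and the final interactive netsh (pid 5000) are assumptions for the example.
EVENTS = [
    ProcEvent(2156, 0, r"C:\Users\Admin\AppData\Local\Temp\ChMetamask.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ChMetamask.exe"'),
    ProcEvent(3988, 2156, r"C:\Windows\SYSTEM32\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(4372, 3988, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(4804, 3988, r"C:\Windows\system32\netsh.exe", "netsh wlan show profile"),
    ProcEvent(4892, 3988, r"C:\Windows\system32\findstr.exe", "findstr All"),
    ProcEvent(4332, 2156, r"C:\Windows\SYSTEM32\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key'),
    ProcEvent(3120, 4332, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(4328, 4332, r"C:\Windows\system32\netsh.exe",
              "netsh wlan show profile name=65001 key=clear"),
    ProcEvent(3436, 4332, r"C:\Windows\system32\findstr.exe", "findstr Key"),
    # Benign: an admin running netsh directly from an interactive shell.
    ProcEvent(5000, 900, r"C:\Windows\system32\netsh.exe", "netsh wlan show profile"),
]

WIFI_RE = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profile", re.I)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.I)
NAME_RE = re.compile(r'\bname\s*=\s*"?([^"\s|&]+)', re.I)


def origin_of(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> ProcEvent:
    """Walk parent PIDs through any cmd.exe layers to the binary that started the chain."""
    while ev.image.lower().endswith("cmd.exe") and ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
    return ev


def detect_wifi_harvest(events: list[ProcEvent]) -> list[dict]:
    """Flag cmd.exe launches pairing `chcp 65001` with `netsh wlan show profile`
    (the exact pattern in the report) and record whether the cleartext key was
    requested and for which profile name."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("cmd.exe"):
            continue
        if "chcp 65001" not in e.cmdline.lower() or not WIFI_RE.search(e.cmdline):
            continue
        m = NAME_RE.search(e.cmdline)
        hits.append({
            "pid": e.pid,
            "origin": origin_of(e, by_pid).image,
            "key_clear": bool(KEY_CLEAR_RE.search(e.cmdline)),
            "profile": m.group(1) if m else None,
        })
    return hits


if __name__ == "__main__":
    print("naive parse, no Wi-Fi:", naive_profile_names(STDOUT_NO_WIFI))
    print("careful parse, no Wi-Fi:", careful_profile_names(STDOUT_NO_WIFI))
    for hit in detect_wifi_harvest(EVENTS):
        print(hit)
```

The detection keys on the cmd.exe command line rather than on netsh.exe alone, because `netsh wlan show profile` by itself is ordinary administration; the combination with `chcp 65001`, a non-shell origin process, and `key=clear` is what separates the stealer's routine from the benign event at the end of the constructed list.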
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2156-132-0x00000000009A0000-0x0000000000AF8000-memory.dmp (1.3MB)
- memory/2156-133-0x0000000002BD0000-0x0000000002BEA000-memory.dmp (104KB)
- memory/2156-134-0x00007FF871800000-0x00007FF8722C1000-memory.dmp (10.8MB)
- memory/2156-135-0x00007FF871800000-0x00007FF8722C1000-memory.dmp (10.8MB)
- memory/2156-145-0x000000001DCC0000-0x000000001DCFC000-memory.dmp (240KB)
- memory/2156-144-0x000000001DC60000-0x000000001DC72000-memory.dmp (72KB)
- memory/3120-141-0x0000000000000000-mapping.dmp
- memory/3436-143-0x0000000000000000-mapping.dmp
- memory/3988-136-0x0000000000000000-mapping.dmp
- memory/4328-142-0x0000000000000000-mapping.dmp
- memory/4332-140-0x0000000000000000-mapping.dmp
- memory/4372-137-0x0000000000000000-mapping.dmp
- memory/4804-138-0x0000000000000000-mapping.dmp
- memory/4892-139-0x0000000000000000-mapping.dmp

The 1.3MB dump at 0x9A0000 in PID 2156 matches the sample's size and is the region on which the family_stormkitty YARA rule fired; the two 10.8MB dumps at 0x7FF871800000 are the same mapping captured twice. The zero-address mapping dumps for the cmd.exe, chcp.com, netsh.exe and findstr.exe children carry no size and record only the child process mapping.