Resubmissions

27-03-2023 10:22

230327-mepxrafa5v 10

04-01-2023 02:34

230104-c2x7jagh6t 10

04-01-2023 02:21

230104-cta22agh5v 10

Analysis

  • max time kernel
    98s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-01-2023 02:21

General

  • Target

    ChMetamask.exe

  • Size

    1.3MB

  • MD5

    e7529d32d963da6df89e3ffc6b14cd08

  • SHA1

    4a11070ee8c0030ffdcf299e2b49d180e1890f57

  • SHA256

    75883a7761887acd7afab7f2acc4f48fe72ff32577397a3c6786ded83db1e57b

  • SHA512

    35c220822e24eb8d5b5fef18fd2b7f57b73ab61102632007af89bbe4b9eaca814e817adf6fb0a830c08928cb50e649cdb2da1c5550797ff4b1b377e9ffa99156

  • SSDEEP

    24576:HWiMngrdePNzQ0ZIxNXaV9x4IUgs36BUI2So5+jnzFoCaGApu8L:qgReFs0ZM0T+Sk6BU7HIFo7G98L

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ChMetamask.exe
    "C:\Users\Admin\AppData\Local\Temp\ChMetamask.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4372
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          3⤵
            PID:4804
          • C:\Windows\system32\findstr.exe
            findstr All
            3⤵
              PID:4892
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4332
            • C:\Windows\system32\chcp.com
              chcp 65001
              3⤵
                PID:3120
              • C:\Windows\system32\netsh.exe
                netsh wlan show profile name=65001 key=clear
                3⤵
                  PID:4328
                • C:\Windows\system32\findstr.exe
                  findstr Key
                  3⤵
                    PID:3436

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Credential Access

              Credentials in Files

              1
              T1081

              Collection

              Data from Local System

              1
              T1005

              Command and Control

              Web Service

              1
              T1102

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/2156-132-0x00000000009A0000-0x0000000000AF8000-memory.dmp
                Filesize

                1.3MB

              • memory/2156-133-0x0000000002BD0000-0x0000000002BEA000-memory.dmp
                Filesize

                104KB

              • memory/2156-134-0x00007FF871800000-0x00007FF8722C1000-memory.dmp
                Filesize

                10.8MB

              • memory/2156-135-0x00007FF871800000-0x00007FF8722C1000-memory.dmp
                Filesize

                10.8MB

              • memory/2156-145-0x000000001DCC0000-0x000000001DCFC000-memory.dmp
                Filesize

                240KB

              • memory/2156-144-0x000000001DC60000-0x000000001DC72000-memory.dmp
                Filesize

                72KB

              • memory/3120-141-0x0000000000000000-mapping.dmp
              • memory/3436-143-0x0000000000000000-mapping.dmp
              • memory/3988-136-0x0000000000000000-mapping.dmp
              • memory/4328-142-0x0000000000000000-mapping.dmp
              • memory/4332-140-0x0000000000000000-mapping.dmp
              • memory/4372-137-0x0000000000000000-mapping.dmp
              • memory/4804-138-0x0000000000000000-mapping.dmp
              • memory/4892-139-0x0000000000000000-mapping.dmp