Analysis
max time kernel: 29s
max time network: 31s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 01-02-2023 21:48
Behavioral task behavioral1: sample tmp.exe, resource win7-20221111-en
Behavioral task behavioral2: sample tmp.exe, resource win10v2004-20221111-en
General
Target: tmp.exe
Size: 308KB
MD5: 67019931e1e4a3ce1d18e85e2c3db44a
SHA1: f16e0d3080cfbf02d804138c8acd988eda314880
SHA256: 2980fa511cf6d3783e2f5afeaf46a07d09d8bb5e9e7a6ddd9f6d33890d4766c8
SHA512: e99310c34f751f723bfee28a2b0004611a7b22b781335b7c874dd46d1a6555b520102129bfedaeb83314423b0450be57fe8eab8fab2c0ab78d67b5ada4837fb1
SSDEEP: 6144:YEtXoAKIx27rgZZQwl9BAoMEoAOZfCxNOlGWf1ssvgWFqlN:YEtXocx27roZ0oME/OZfCxN/m1sagWy
Malware Config
Signatures
StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload - 2 IoCs
resource: behavioral1/memory/1468-54-0x000000013F380000-0x000000013F3D0000-memory.dmp, yara_rule: family_stormkitty
resource: behavioral1/memory/1468-55-0x0000000002390000-0x0000000002404000-memory.dmp, yara_rule: family_stormkitty
Downloads MZ/PE file
resource: C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll, yara_rule: vmprotect
Deletes itself - 1 IoCs
process: cmd.exe (pid 1840)
Legitimate hosting services abused for malware hosting/C2 - 1 TTPs
Looks up external IP address via web service - 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 3, ioc: ip-api.com
Enumerates physical storage devices - 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Delays execution with timeout.exe - 1 IoCs
process: timeout.exe (pid 1784)

Kills process with taskkill - 1 IoCs
process: taskkill.exe (pid 1580)
Modifies system certificate store
process tmp.exe, Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
process tmp.exe, Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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
Suspicious behavior: EnumeratesProcesses - 1 IoCs
process: tmp.exe (pid 1468)

Suspicious use of AdjustPrivilegeToken - 2 IoCs
Token: SeDebugPrivilege, pid 1468, tmp.exe
Token: SeDebugPrivilege, pid 1580, taskkill.exe

Suspicious use of WriteProcessMemory - 12 IoCs
PID 1468 (tmp.exe) wrote to memory of 1840 (cmd.exe) - 3 entries
PID 1840 (cmd.exe) wrote to memory of 1772 (chcp.com) - 3 entries
PID 1840 (cmd.exe) wrote to memory of 1580 (taskkill.exe) - 3 entries
PID 1840 (cmd.exe) wrote to memory of 1784 (timeout.exe) - 3 entries
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
  command: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp735D.tmp.bat
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\chcp.com
      command: chcp 65001
    C:\Windows\system32\taskkill.exe
      command: TaskKill /F /IM 1468
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\timeout.exe
      command: Timeout /T 2 /Nobreak
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
  Filesize: 293KB
  MD5: 7a2d5deab61f043394a510f4e2c0866f
  SHA1: ca16110c9cf6522cd7bea32895fd0f697442849b
  SHA256: 75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69
  SHA512: b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
  Filesize: 448KB
  MD5: 6d1c62ec1c2ef722f49b2d8dd4a4df16
  SHA1: 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
  SHA256: 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
  SHA512: c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2
C:\Users\Admin\AppData\Local\Temp\tmp735D.tmp.bat
  Filesize: 232B
  MD5: 466bdc6d2228087e1fca60060b7cec09
  SHA1: 5d867332b2d5c594a8bea552e104939444bb8190
  SHA256: 22a22271d89eaeea8e6928e0d52717df0d0e1dd5bbe7518d5f9f928cc0495f35
  SHA512: 2e4895ffc85921405f766cf0cb2810a558eb3aba8b0c9f3aecdb54ea12982013ea370ee30bad52d618ee58967a85f907ac2ea1b70d4aede19d879e12b69d17aa
memory/1468-54-0x000000013F380000-0x000000013F3D0000-memory.dmp
  Filesize: 320KB
memory/1468-55-0x0000000002390000-0x0000000002404000-memory.dmp
  Filesize: 464KB
memory/1468-56-0x0000000000830000-0x0000000000836000-memory.dmp
  Filesize: 24KB
memory/1580-60-0x0000000000000000-mapping.dmp
memory/1772-59-0x0000000000000000-mapping.dmp
memory/1784-61-0x0000000000000000-mapping.dmp
memory/1840-57-0x0000000000000000-mapping.dmp