stormkitty | 2980fa511cf6d3783e2f5afeaf46a07d09d8bb5e9e7a6ddd9f6d33890d4766c8

General

Target

tmp.exe
Size

308KB
MD5

67019931e1e4a3ce1d18e85e2c3db44a
SHA1

f16e0d3080cfbf02d804138c8acd988eda314880
SHA256

2980fa511cf6d3783e2f5afeaf46a07d09d8bb5e9e7a6ddd9f6d33890d4766c8
SHA512

e99310c34f751f723bfee28a2b0004611a7b22b781335b7c874dd46d1a6555b520102129bfedaeb83314423b0450be57fe8eab8fab2c0ab78d67b5ada4837fb1
SSDEEP

6144:YEtXoAKIx27rgZZQwl9BAoMEoAOZfCxNOlGWf1ssvgWFqlN:YEtXocx27roZ0oME/OZfCxN/m1sagWy

Score

10^/10

stormkitty stealer vmprotect

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1468-54-0x000000013F380000-0x000000013F3D0000-memory.dmp	family_stormkitty
behavioral1/memory/1468-55-0x0000000002390000-0x0000000002404000-memory.dmp	family_stormkitty

Downloads MZ/PE file

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll	vmprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1840 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1784 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1580 taskkill.exe

pid	process
1840	cmd.exe

flow	ioc
3	ip-api.com

pid	process
1784	timeout.exe

pid	process
1580	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	tmp.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

tmp.exe

pid process

1468 tmp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1468 tmp.exe
Token: SeDebugPrivilege 1580 taskkill.exe

pid	process
1468	tmp.exe

description	pid	process
Token: SeDebugPrivilege	1468	tmp.exe
Token: SeDebugPrivilege	1580	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

tmp.execmd.exe

description	pid	process	target process
PID 1468 wrote to memory of 1840	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 1840	1468	tmp.exe	cmd.exe
PID 1468 wrote to memory of 1840	1468	tmp.exe	cmd.exe
PID 1840 wrote to memory of 1772	1840	cmd.exe	chcp.com
PID 1840 wrote to memory of 1772	1840	cmd.exe	chcp.com
PID 1840 wrote to memory of 1772	1840	cmd.exe	chcp.com
PID 1840 wrote to memory of 1580	1840	cmd.exe	taskkill.exe
PID 1840 wrote to memory of 1580	1840	cmd.exe	taskkill.exe
PID 1840 wrote to memory of 1580	1840	cmd.exe	taskkill.exe
PID 1840 wrote to memory of 1784	1840	cmd.exe	timeout.exe
PID 1840 wrote to memory of 1784	1840	cmd.exe	timeout.exe
PID 1840 wrote to memory of 1784	1840	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp735D.tmp.bat
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1772

C:\Windows\system32\taskkill.exe
TaskKill /F /IM 1468
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\timeout.exe
Timeout /T 2 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
Filesize
293KB

MD5
7a2d5deab61f043394a510f4e2c0866f

SHA1
ca16110c9cf6522cd7bea32895fd0f697442849b

SHA256
75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69

SHA512
b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize
448KB

MD5
6d1c62ec1c2ef722f49b2d8dd4a4df16

SHA1
1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

SHA256
00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

SHA512
c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp735D.tmp.bat
Filesize
232B

MD5
466bdc6d2228087e1fca60060b7cec09

SHA1
5d867332b2d5c594a8bea552e104939444bb8190

SHA256
22a22271d89eaeea8e6928e0d52717df0d0e1dd5bbe7518d5f9f928cc0495f35

SHA512
2e4895ffc85921405f766cf0cb2810a558eb3aba8b0c9f3aecdb54ea12982013ea370ee30bad52d618ee58967a85f907ac2ea1b70d4aede19d879e12b69d17aa

Download Submit
memory/1468-54-0x000000013F380000-0x000000013F3D0000-memory.dmp

Filesize
320KB

Download
memory/1468-55-0x0000000002390000-0x0000000002404000-memory.dmp

Filesize
464KB

Download
memory/1468-56-0x0000000000830000-0x0000000000836000-memory.dmp

Filesize
24KB

Download
memory/1580-60-0x0000000000000000-mapping.dmp

Download
memory/1772-59-0x0000000000000000-mapping.dmp

Download
memory/1784-61-0x0000000000000000-mapping.dmp

Download
memory/1840-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads