Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    77s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2023 21:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    308KB

  • MD5

    67019931e1e4a3ce1d18e85e2c3db44a

  • SHA1

    f16e0d3080cfbf02d804138c8acd988eda314880

  • SHA256

    2980fa511cf6d3783e2f5afeaf46a07d09d8bb5e9e7a6ddd9f6d33890d4766c8

  • SHA512

    e99310c34f751f723bfee28a2b0004611a7b22b781335b7c874dd46d1a6555b520102129bfedaeb83314423b0450be57fe8eab8fab2c0ab78d67b5ada4837fb1

  • SSDEEP

    6144:YEtXoAKIx27rgZZQwl9BAoMEoAOZfCxNOlGWf1ssvgWFqlN:YEtXocx27roZ0oME/OZfCxN/m1sagWy

Score
10/10
stormkittycollectionspywarestealervmprotect

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Downloads MZ/PE file
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1616
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2556
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          3⤵
            PID:3944
          • C:\Windows\system32\findstr.exe
            findstr All
            3⤵
              PID:808
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4204
            • C:\Windows\system32\chcp.com
              chcp 65001
              3⤵
                PID:1796
              • C:\Windows\system32\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:2844
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpEB9A.tmp.bat
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:5024
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  3⤵
                    PID:4236
                  • C:\Windows\system32\taskkill.exe
                    TaskKill /F /IM 1616
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:960
                  • C:\Windows\system32\timeout.exe
                    Timeout /T 2 /Nobreak
                    3⤵
                    • Delays execution with timeout.exe
                    PID:4544
              • C:\Windows\system32\msiexec.exe
                C:\Windows\system32\msiexec.exe /V
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4420

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              Query Registry

              2
              T1012

              System Information Discovery

              3
              T1082

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Email Collection

              1
              T1114

              Exfiltration

              Command and Control

              Web Service

              1
              T1102

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
                Filesize

                293KB

                MD5

                7a2d5deab61f043394a510f4e2c0866f

                SHA1

                ca16110c9cf6522cd7bea32895fd0f697442849b

                SHA256

                75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69

                SHA512

                b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
                Filesize

                448KB

                MD5

                6d1c62ec1c2ef722f49b2d8dd4a4df16

                SHA1

                1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

                SHA256

                00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

                SHA512

                c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\tmpEB9A.tmp.bat
                Filesize

                232B

                MD5

                c7b98f4685471d92e4c566bec7e4858d

                SHA1

                2482d3c82adb909e0dfcdab22a1b449c6d2d4536

                SHA256

                ae34674fc4340059e2199a1a5b55af1cfb91465526691d2b782966ce798e243e

                SHA512

                f54e3d94b508576ee9e1f322133226dbaa7f1044d5eb93bb2cc670473d615010d5cc958808c9c271428316a94276e04ff4969a94b7c4a03101bb714e20cb9f30

                Download Submit
              • memory/808-138-0x0000000000000000-mapping.dmp
                Download
              • memory/960-147-0x0000000000000000-mapping.dmp
                Download
              • memory/1420-135-0x0000000000000000-mapping.dmp
                Download
              • memory/1616-142-0x000000001BDC0000-0x000000001BE36000-memory.dmp
                Filesize

                472KB

                Download
              • memory/1616-132-0x00000000000E0000-0x0000000000130000-memory.dmp
                Filesize

                320KB

                Download
              • memory/1616-143-0x000000001BEC0000-0x000000001BF44000-memory.dmp
                Filesize

                528KB

                Download
              • memory/1616-133-0x00007FF8A1A30000-0x00007FF8A24F1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1616-134-0x00007FF8A1A30000-0x00007FF8A24F1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1616-149-0x00007FF8A1A30000-0x00007FF8A24F1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1796-140-0x0000000000000000-mapping.dmp
                Download
              • memory/2556-136-0x0000000000000000-mapping.dmp
                Download
              • memory/2844-141-0x0000000000000000-mapping.dmp
                Download
              • memory/3944-137-0x0000000000000000-mapping.dmp
                Download
              • memory/4204-139-0x0000000000000000-mapping.dmp
                Download
              • memory/4236-146-0x0000000000000000-mapping.dmp
                Download
              • memory/4544-148-0x0000000000000000-mapping.dmp
                Download
              • memory/5024-144-0x0000000000000000-mapping.dmp
                Download