Overview

overview

10

Static

static

10

04.exe

windows7-x64

10

04.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    83s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2023 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04.exe

  • Size

    310KB

  • MD5

    0443c3768dca6ea9419f767010c6d81e

  • SHA1

    74ccd8aa523196622935ab9ebc16bf2fdffee925

  • SHA256

    2db66ebbd69fe69cc70dea0f98926942f4585dd37cdd13eb4d9232697fffecc6

  • SHA512

    515c5765a237a3f510323f930f56fa2be20c5ef8c4e94c2c1915ea1b4e8cbac06d30511f76614ae9da948c028aa1fe8130b6ddd16a808ce4588fd60d40523a52

  • SSDEEP

    6144:NLbzaxqIKiP92WnTHuGI2esp2mtMviKdrmJR5tkhjMOBQmUElN:dbza19c0LHNzp2mtEiUrmMXQmb

Score
10/10
stormkittycollectionspywarestealervmprotect

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Downloads MZ/PE file
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04.exe
    "C:\Users\Admin\AppData\Local\Temp\04.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:4404
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3224
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          3⤵
            PID:3292
          • C:\Windows\system32\findstr.exe
            findstr All
            3⤵
              PID:1528
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 4404 -s 2216
            2⤵
            • Program crash
            PID:3204
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3752
            • C:\Windows\system32\chcp.com
              chcp 65001
              3⤵
                PID:3972
              • C:\Windows\system32\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:4760
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -pss -s 440 -p 4404 -ip 4404
              1⤵
                PID:392
              • C:\Windows\system32\msiexec.exe
                C:\Windows\system32\msiexec.exe /V
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:116

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              1
              T1082

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Email Collection

              1
              T1114

              Exfiltration

              Command and Control

              Web Service

              1
              T1102

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
                Filesize

                293KB

                MD5

                7a2d5deab61f043394a510f4e2c0866f

                SHA1

                ca16110c9cf6522cd7bea32895fd0f697442849b

                SHA256

                75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69

                SHA512

                b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
                Filesize

                448KB

                MD5

                6d1c62ec1c2ef722f49b2d8dd4a4df16

                SHA1

                1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

                SHA256

                00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

                SHA512

                c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\StormKitty-Latest.log
                Filesize

                712B

                MD5

                afe01fd1f41cddd1237ed1370fa1dad1

                SHA1

                2260d475b00d2e898366b95c28c14c596ff8dd94

                SHA256

                e3776d38e8bbe275472f38fe0a51c8c907b8d3171347d9685bf3c80a44f76a93

                SHA512

                f43ea3b9681d890c84fcd3d93aebfce25fecfb86134d06ed997cb704c46b866bea8ada6e539597f2741dbd2880fab3455700a1c8afd04b6e8c2866f17308e43f

                Download Submit
              • C:\Users\Admin\AppData\Local\c9d50e8a9411191e69f7a3859b78b833\Admin@UXINIZSV_en-US\Browsers\Firefox\Bookmarks.txt
                Filesize

                105B

                MD5

                2e9d094dda5cdc3ce6519f75943a4ff4

                SHA1

                5d989b4ac8b699781681fe75ed9ef98191a5096c

                SHA256

                c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

                SHA512

                d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

                Download Submit
              • C:\Users\Admin\AppData\Local\c9d50e8a9411191e69f7a3859b78b833\Admin@UXINIZSV_en-US\System\Process.txt
                Filesize

                759B

                MD5

                92bd40dc974259411187c92f28c3b900

                SHA1

                bc968e4fb9bdb6b42f46667de85df22c61a4ad0d

                SHA256

                9fe09c6d12527c5b4b57c26b4d6188be9f0afe44cc46e66bc3d6b2c25a25eea1

                SHA512

                a106cf1e50a4ea7d15da49d1d1d02d0b7030542308a1cd7ae6f4cd871a8bcb5cf2c3c152dbcf39215c507e9ea4651f9fa97161c2d28435d915f849145d0731e5

                Download Submit
              • C:\Users\Admin\AppData\Local\c9d50e8a9411191e69f7a3859b78b833\Admin@UXINIZSV_en-US\System\Process.txt
                Filesize

                1KB

                MD5

                e09737fb483e046185c7fa36777fcdf5

                SHA1

                b4886a45b9ee529b5f0af17fb48113b49715d59b

                SHA256

                2ba9d0c4d66ac5979b688b32c5307910a3a152cb14b798f32155d98215a863f7

                SHA512

                988d0f7dd67c98904f2ba10629e0e13e08ad33570c04aa85846ce56ca83d2fb026cae91c3b2a6520e6d04218997e701089233a4e56e13a3d36ea1519abab1517

                Download Submit
              • C:\Users\Admin\AppData\Local\c9d50e8a9411191e69f7a3859b78b833\Admin@UXINIZSV_en-US\System\Process.txt
                Filesize

                1KB

                MD5

                ce640b6d0d46e46732e2971e3d141360

                SHA1

                e17d97ddb00fdb54ca9cbf2f9feaa9409693c434

                SHA256

                d78627c0d37bf39a8750dbf24b5fbca98fb219ba08658d99a9c100bb36a40f09

                SHA512

                b68ee32fa555d6ae87400f814ccfeb3ce9ad42912b982bba3ff79c0e064040aa96e243315f977f5776dd41a46c270f14c85114e3b75b899558157c9fa68e706c

                Download Submit
              • C:\Users\Admin\AppData\Local\c9d50e8a9411191e69f7a3859b78b833\Admin@UXINIZSV_en-US\System\Process.txt
                Filesize

                2KB

                MD5

                1b8c7137dd53c991504f99eb7faabacb

                SHA1

                d6e5bd68c5791a9fbfc0b770923f985d59be41c3

                SHA256

                57b6b5eab49455f42e9400e375a5fdc1c7a65cf0e5d5a5942098f3db5d4310ac

                SHA512

                ddbd43dc64ea0fcb0b00ed8219e6705fbeb6dc5bfa3a92cb5fdb2219e8c0f40335fec9dfa2c8ba91bace0c702dd23f55ebe2648fecf3be0674621e464f6a8082

                Download Submit
              • memory/4404-133-0x00000000005E0000-0x0000000000630000-memory.dmp
                Filesize

                320KB

                Download
              • memory/4404-134-0x000000001C1C0000-0x000000001C1D0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4404-138-0x000000001C1C0000-0x000000001C1D0000-memory.dmp
                Filesize

                64KB

                Download