Analysis
- max time kernel: 83s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-03-2023 14:37
Behavioral task behavioral1
- Sample: 04.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: 04.exe
- Resource: win10v2004-20230221-en
General
- Target: 04.exe
- Size: 310KB
- MD5: 0443c3768dca6ea9419f767010c6d81e
- SHA1: 74ccd8aa523196622935ab9ebc16bf2fdffee925
- SHA256: 2db66ebbd69fe69cc70dea0f98926942f4585dd37cdd13eb4d9232697fffecc6
- SHA512: 515c5765a237a3f510323f930f56fa2be20c5ef8c4e94c2c1915ea1b4e8cbac06d30511f76614ae9da948c028aa1fe8130b6ddd16a808ce4588fd60d40523a52
- SSDEEP: 6144:NLbzaxqIKiP92WnTHuGI2esp2mtMviKdrmJR5tkhjMOBQmUElN:dbza19c0LHNzp2mtEiUrmMXQmb
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4404-133-0x00000000005E0000-0x0000000000630000-memory.dmp | family_stormkitty
-
Downloads MZ/PE file
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll | vmprotect
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 04.exe
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 04.exe
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 04.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
45 | icanhazip.com
31 | ip-api.com
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
3204 | 4404 | WerFault.exe | 04.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 04.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | 04.exe
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes:
pid | process | count
4404 | 04.exe | 17 identical entries
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4404 | 04.exe
Token: SeSecurityPrivilege | 116 | msiexec.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description | pid | process | target process | count
PID 4404 wrote to memory of 1640 | 4404 | 04.exe | cmd.exe | 2
PID 1640 wrote to memory of 3224 | 1640 | cmd.exe | chcp.com | 2
PID 1640 wrote to memory of 3292 | 1640 | cmd.exe | netsh.exe | 2
PID 1640 wrote to memory of 1528 | 1640 | cmd.exe | findstr.exe | 2
PID 4404 wrote to memory of 3752 | 4404 | 04.exe | cmd.exe | 2
PID 3752 wrote to memory of 3972 | 3752 | cmd.exe | chcp.com | 2
PID 3752 wrote to memory of 4760 | 3752 | cmd.exe | netsh.exe | 2
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 04.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 04.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\04.exe
    "C:\Users\Admin\AppData\Local\Temp\04.exe"
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    -
    C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        - Suspicious use of WriteProcessMemory
        -
        C:\Windows\system32\chcp.com
            chcp 65001
        -
        C:\Windows\system32\netsh.exe
            netsh wlan show profile
        -
        C:\Windows\system32\findstr.exe
            findstr All
    -
    C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4404 -s 2216
        - Program crash
    -
    C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        - Suspicious use of WriteProcessMemory
        -
        C:\Windows\system32\chcp.com
            chcp 65001
        -
        C:\Windows\system32\netsh.exe
            netsh wlan show networks mode=bssid
-
C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 440 -p 4404 -ip 4404
-
C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
Filesize: 293KB
-
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize: 448KB
-
C:\Users\Admin\AppData\Local\Temp\StormKitty-Latest.log
Filesize: 712B
-
C:\Users\Admin\AppData\Local\c9d50e8a9411191e69f7a3859b78b833\Admin@UXINIZSV_en-US\Browsers\Firefox\Bookmarks.txt
Filesize: 105B
-
C:\Users\Admin\AppData\Local\c9d50e8a9411191e69f7a3859b78b833\Admin@UXINIZSV_en-US\System\Process.txt
Filesize: 759B
-
C:\Users\Admin\AppData\Local\c9d50e8a9411191e69f7a3859b78b833\Admin@UXINIZSV_en-US\System\Process.txt
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\c9d50e8a9411191e69f7a3859b78b833\Admin@UXINIZSV_en-US\System\Process.txt
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\c9d50e8a9411191e69f7a3859b78b833\Admin@UXINIZSV_en-US\System\Process.txt
Filesize: 2KB
-
memory/4404-133-0x00000000005E0000-0x0000000000630000-memory.dmp
Filesize: 320KB
-
memory/4404-134-0x000000001C1C0000-0x000000001C1D0000-memory.dmp
Filesize: 64KB
-
memory/4404-138-0x000000001C1C0000-0x000000001C1D0000-memory.dmp
Filesize: 64KB