stormkitty | e4ce533707f9e1945dffa512023c4c9d4b9343a6e6218844bf8fac3e957b9260

Analysis

max time kernel
55s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub/build.exe
Size

250KB
MD5

efaaca4cae6d960c91f279ac977d645f
SHA1

97f455488bef96429253dd4e24c055470780143b
SHA256

62a71deb9d259ea7b259bbfc9a254f382a695d89702d5ba02328a67eed23c6b4
SHA512

a595ae55a0c7ffea98b0ef31b58c701d4f582ed2db01a89ce00dc9f947099cdbd3f261efccae4d68e31da70bb40c9ac947bed58fb9e9e500e02bdb5d82b55d79
SSDEEP

6144:MDfJCTwQvNm9bQdK1FcSEuNYnMuBAnLzuyvwWoSF:sRCTwcEFEuNYB8z1wWo4

Score

10^/10

stormkitty stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral19/memory/768-133-0x00000269D1280000-0x00000269D12C4000-memory.dmp	family_stormkitty

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

build.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation build.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2552 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4160 taskkill.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

build.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 768 build.exe
Token: SeDebugPrivilege 4160 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	build.exe

pid	process
2552	timeout.exe

pid	process
4160	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	768	build.exe
Token: SeDebugPrivilege	4160	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

build.execmd.exe

description	pid	process	target process
PID 768 wrote to memory of 3244	768	build.exe	cmd.exe
PID 768 wrote to memory of 3244	768	build.exe	cmd.exe
PID 3244 wrote to memory of 2016	3244	cmd.exe	chcp.com
PID 3244 wrote to memory of 2016	3244	cmd.exe	chcp.com
PID 3244 wrote to memory of 4160	3244	cmd.exe	taskkill.exe
PID 3244 wrote to memory of 4160	3244	cmd.exe	taskkill.exe
PID 3244 wrote to memory of 2552	3244	cmd.exe	timeout.exe
PID 3244 wrote to memory of 2552	3244	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\stub\build.exe
"C:\Users\Admin\AppData\Local\Temp\stub\build.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8477.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8477.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2016
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM 768
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4160
- - C:\Windows\system32\timeout.exe
    Timeout /T 2 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8477.tmp.bat

Filesize
116B

MD5
4d354ae856258dd89bef3f365b4660ad

SHA1
c94239f0766218061228242f3ff7a9c621d57d3b

SHA256
7e5907e9bddc911a16365a4f95f4b09c4931cbcc4707cf300076a22a107c00ce

SHA512
077155ed742524fd962cd582c11ae96ee9af6aa7fb834d9b3310d443008cdfdb0d9f320ff393e3bb616ab39d044531b9d51e7c49b076179da83f9718efa333d3

Download Submit
memory/768-133-0x00000269D1280000-0x00000269D12C4000-memory.dmp

Filesize
272KB

Download
memory/768-134-0x00000269EB840000-0x00000269EB850000-memory.dmp

Filesize
64KB

Download