Overview

Static

Submitted files (sandbox score, file, platform). Truncated file names are shown as extracted; the full names appear in the Behavioral tasks table below.

Score  File                    Platform
10     Bunifu.Licensing.dll    windows10-2004-x64
1      Bunifu.UI....on.dll     windows10-2004-x64
1      Bunifu.UI....ox.dll     windows10-2004-x64
1      Bunifu.UI....el.dll     windows10-2004-x64
1      Bunifu.UI....el.dll     windows10-2004-x64
1      Bunifu.UI....el.dll     windows10-2004-x64
1      Bunifu.UI....ox.dll     windows10-2004-x64
1      Bunifu.UI....el.dll     windows10-2004-x64
1      Bunifu.UI....ox.dll     windows10-2004-x64
1      DragAssembly.dll        windows10-2004-x64
1      Mono.Cecil.Mdb.dll      windows10-2004-x64
1      Mono.Cecil.Pdb.dll      windows10-2004-x64
1      Mono.Cecil.Rocks.dll    windows10-2004-x64
1      Mono.Cecil.dll          windows10-2004-x64
1      Prynt Stea...ed.exe     windows10-2004-x64
10     Siticone.UI.dll         windows10-2004-x64
1      stub/DotNetZip.dll      windows10-2004-x64
1      stub/DotNetZip_.dll     windows10-2004-x64
1      stub/build.exe          windows10-2004-x64
10     stub/stub4.5.1.exe      windows10-2004-x64
10     stub/stub4.5.exe        windows10-2004-x64
Analysis

Max time kernel:   55s
Max time network:  62s
Platform:          windows10-2004_x64
Resource:          win10v2004-20230220-en
Resource tags:     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted:         31-03-2023 05:28
Behavioral tasks

Task          Sample                                       Resource
behavioral1   Bunifu.Licensing.dll                         win10v2004-20230220-en
behavioral2   Bunifu.UI.WinForms.BunifuButton.dll          win10v2004-20230220-en
behavioral3   Bunifu.UI.WinForms.BunifuCheckBox.dll        win10v2004-20230221-en
behavioral4   Bunifu.UI.WinForms.BunifuGradientPanel.dll   win10v2004-20230220-en
behavioral5   Bunifu.UI.WinForms.BunifuLabel.dll           win10v2004-20230220-en
behavioral6   Bunifu.UI.WinForms.BunifuPanel.dll           win10v2004-20230220-en
behavioral7   Bunifu.UI.WinForms.BunifuPictureBox.dll      win10v2004-20230220-en
behavioral8   Bunifu.UI.WinForms.BunifuShadowPanel.dll     win10v2004-20230220-en
behavioral9   Bunifu.UI.WinForms.BunifuTextbox.dll         win10v2004-20230220-en
behavioral10  DragAssembly.dll                             win10v2004-20230220-en
behavioral11  Mono.Cecil.Mdb.dll                           win10v2004-20230221-en
behavioral12  Mono.Cecil.Pdb.dll                           win10v2004-20230220-en
behavioral13  Mono.Cecil.Rocks.dll                         win10v2004-20230220-en
behavioral14  Mono.Cecil.dll                               win10v2004-20230220-en
behavioral15  Prynt Stealer 5.6fixed.exe                   win10v2004-20230221-en
behavioral16  Siticone.UI.dll                              win10v2004-20230220-en
behavioral17  stub/DotNetZip.dll                           win10v2004-20230220-en
behavioral18  stub/DotNetZip_.dll                          win10v2004-20230220-en
behavioral19  stub/build.exe                               win10v2004-20230220-en
behavioral20  stub/stub4.5.1.exe                           win10v2004-20230220-en
behavioral21  stub/stub4.5.exe                             win10v2004-20230220-en

The remainder of this report is the behavioral21 task (stub/stub4.5.exe).
General

Target:  stub/stub4.5.exe
Size:    251KB
MD5:     787c59882e9b7c46a800f44f6bb56a52
SHA1:    92bfffef47597329479dd636d8aa0613740a7e6f
SHA256:  3897171f1a25fa0d42e7658b72479e2089dbb51ad36658f2481326f4a9c13544
SHA512:  282ba558ef4adf6e011233919389f5a7936b955621062fc9169eb72f83b307bdc4707fa5dec7550658ebbb097f20159e5458722c6c829840e504792ac068438e
SSDEEP:  6144:tpksnd7X45m9bQf3FcSEuNYnMuBAnLzuyvwWoSF:t2snJihFEuNYB8z1wWo4
Malware Config
Signatures

StormKitty
  StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
  Resource                                                                        YARA rule
  behavioral21/memory/3736-133-0x000002135A2F0000-0x000002135A334000-memory.dmp  family_stormkitty
  The rule matched on the in-memory image of PID 3736, not on the file as it sits on disk.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Description        IoC                                                                                          Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation  stub4.5.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic drive-enumeration heuristic; on its own it does not show encryption, and no file writes other than the batch file below were recorded for this task.

Delays execution with timeout.exe (1 IoC)
  PID   Process
  400   timeout.exe

Kills process with taskkill (1 IoC)
  PID   Process
  2084  taskkill.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  3736  stub4.5.exe
  Token: SeDebugPrivilege  2084  taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs; the sandbox records each parent-to-child write twice)
  Description                       PID   Process      Target process
  PID 3736 wrote to memory of 4488  3736  stub4.5.exe  cmd.exe
  PID 3736 wrote to memory of 4488  3736  stub4.5.exe  cmd.exe
  PID 4488 wrote to memory of 3448  4488  cmd.exe      chcp.com
  PID 4488 wrote to memory of 3448  4488  cmd.exe      chcp.com
  PID 4488 wrote to memory of 2084  4488  cmd.exe      taskkill.exe
  PID 4488 wrote to memory of 2084  4488  cmd.exe      taskkill.exe
  PID 4488 wrote to memory of 400   4488  cmd.exe      timeout.exe
  PID 4488 wrote to memory of 400   4488  cmd.exe      timeout.exe
Processes

Process tree (indentation is the depth the report gives each entry):

C:\Users\Admin\AppData\Local\Temp\stub\stub4.5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\stub\stub4.5.exe"
  PID: 3736
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp74B8.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp74B8.tmp.bat
      PID: 4488
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\chcp.com
          Command line: chcp 65001
          PID: 3448

        C:\Windows\system32\taskkill.exe
          Command line: TaskKill /F /IM 3736
          PID: 2084
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\timeout.exe
          Command line: Timeout /T 2 /Nobreak
          PID: 400
          - Delays execution with timeout.exe
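The tree above is the sample's run-then-delete batch routine: stub4.5.exe drops tmp74B8.tmp.bat in Temp, launches it through cmd.exe /C and has cmd.exe delete the batch afterwards, while the batch switches the console code page, tries to kill the parent and sleeps for two seconds. The following Python is an added example written for this page (not part of the sandbox report, StormKitty or Prynt Stealer): it rebuilds the process tree from the "wrote to memory of" lines listed under Suspicious use of WriteProcessMemory and flags this pattern. The events and command lines are copied from the report; the function names, regexes and the finding format are the editor's. Note that taskkill's /IM switch takes an image name and /PID takes a process id, so the example records the switch/value pair exactly as observed rather than assuming the kill succeeded.

```python
"""Added example (editor's code, not the sandbox's or the malware's):
rebuild the process tree from the report's "wrote to memory of" IoCs and
flag the run-then-delete batch pattern used by stub4.5.exe."""
import re
from collections import defaultdict

# Copied from the report's "Suspicious use of WriteProcessMemory" IoCs
# (the sandbox lists every write twice; the parser collapses duplicates).
WRITE_EVENTS = """
PID 3736 wrote to memory of 4488 3736 stub4.5.exe cmd.exe
PID 3736 wrote to memory of 4488 3736 stub4.5.exe cmd.exe
PID 4488 wrote to memory of 3448 4488 cmd.exe chcp.com
PID 4488 wrote to memory of 3448 4488 cmd.exe chcp.com
PID 4488 wrote to memory of 2084 4488 cmd.exe taskkill.exe
PID 4488 wrote to memory of 2084 4488 cmd.exe taskkill.exe
PID 4488 wrote to memory of 400 4488 cmd.exe timeout.exe
PID 4488 wrote to memory of 400 4488 cmd.exe timeout.exe
"""

# Command lines from the report's Processes section, keyed by PID.
CMDLINES = {
    3736: r'"C:\Users\Admin\AppData\Local\Temp\stub\stub4.5.exe"',
    4488: r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp74B8.tmp.bat'
          r' & Del C:\Users\Admin\AppData\Local\Temp\tmp74B8.tmp.bat',
    3448: "chcp 65001",
    2084: "TaskKill /F /IM 3736",
    400: "Timeout /T 2 /Nobreak",
}

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
BAT_RE = re.compile(r"/C\s+(\S+\.bat)\s*&\s*Del\s+(\S+\.bat)", re.I)
KILL_RE = re.compile(r"taskkill\s+(?:/F\s+)?(/IM|/PID)\s+(\S+)", re.I)


def parse_tree(text):
    """Return (children, image): parent PID -> [child PIDs], PID -> image name."""
    children = defaultdict(list)
    image = {}
    for m in EVENT_RE.finditer(text):
        ppid, pid = int(m[1]), int(m[2])
        image[ppid], image[pid] = m[3], m[4]
        if pid not in children[ppid]:
            children[ppid].append(pid)
    return children, image


def taskkill_target(cmdline):
    """Return (switch, value) from a taskkill command line, or None.
    /IM expects an image name and /PID a process id; a numeric /IM value is
    a PID handed to the wrong switch, and it is reported exactly as seen."""
    m = KILL_RE.match(cmdline.strip())
    return (m[1].upper(), m[2]) if m else None


def find_self_delete(children, image, cmdlines):
    """Flag every cmd.exe that runs a .bat and deletes that same .bat in one
    command line, and whose children include taskkill.exe and timeout.exe."""
    findings = []
    parent_of = {c: p for p, cs in children.items() for c in cs}
    for pid, img in image.items():
        if img.lower() != "cmd.exe":
            continue
        bat = BAT_RE.search(cmdlines.get(pid, ""))
        if not bat or bat[1].lower() != bat[2].lower():
            continue
        kids = children.get(pid, [])
        kid_images = {image[c].lower() for c in kids}
        if not {"taskkill.exe", "timeout.exe"} <= kid_images:
            continue
        parent = parent_of.get(pid)
        kill = next((taskkill_target(cmdlines.get(c, "")) for c in kids
                     if image[c].lower() == "taskkill.exe"), None)
        findings.append({
            "cmd_pid": pid,
            "parent_pid": parent,
            "parent_image": image.get(parent),
            "batch": bat[1],
            "kill_target": kill,
            # True when the kill aims at cmd.exe's own parent, by PID or image name.
            "kills_parent": kill is not None and kill[1].lower() in
                            {str(parent), (image.get(parent) or "").lower()},
        })
    return findings


if __name__ == "__main__":
    ch, im = parse_tree(WRITE_EVENTS)
    for finding in find_self_delete(ch, im, CMDLINES):
        print(finding)
```

Run against the report's data the script yields one finding: cmd.exe PID 4488, parent PID 3736 (stub4.5.exe), batch tmp74B8.tmp.bat, kill target ("/IM", "3736"), with kills_parent True. The same parse works on any report that lists parent-to-child writes in this format; the batch-plus-taskkill-plus-timeout combination is what distinguishes a cleanup routine from an ordinary cmd.exe /C invocation.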
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp74B8.tmp.bat
  Filesize: 119B
  MD5:      5983cc5db026a789a707f72613e5d20e
  SHA1:     d9c1d28261c1b4f2d48acdc8b3b7f5b1da16de7a
  SHA256:   e7076b1cb85dafb72384bb5416daa9e11c87529a6ce7d814f77b8068e79776e1
  SHA512:   f495e71351c6d132efbc87a8c5a23ef3dadd077b7cc9f997c7ff8aee7091d28e1aa8a72be81949ff4481d453815bc7b5ec236e8939908c4192b8b41f7945a7eb

memory/3736-133-0x000002135A2F0000-0x000002135A334000-memory.dmp
  Filesize: 272KB (0x44000 bytes; this is the region the family_stormkitty rule matched)

memory/3736-135-0x00000213754C0000-0x00000213754D0000-memory.dmp
  Filesize: 64KB (0x10000 bytes)