Overview

overview

10

Static

static

10

build2.exe

windows7-x64

10

build2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    73s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    21/05/2023, 16:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    build2.exe

  • Size

    585KB

  • MD5

    cbfca6bac76bae78506b23ef0c5f2a20

  • SHA1

    ec0998d7e46b457432a4de49b3dc8330ae892254

  • SHA256

    15fedc86e87841c141b113efa635ef5b7d28f7cf906597a60354cd2d3ba85e3b

  • SHA512

    a5d1b700184e4c2412315ee092ae2086985f013c684c843e489080cd4460f020957d8e4553eff36aef58a1b83416a84cd262c448038522987fb8bf60db956375

  • SSDEEP

    12288:q5uHsKs5FNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc1cT:q5GTD+b

Score
10/10
stormkittypersistencespywarestealer

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\build2.exe
    "C:\Users\Admin\AppData\Local\Temp\build2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "updater" /tr '"C:\Users\Admin\updater.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "updater" /tr '"C:\Users\Admin\updater.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:296
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD00C.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1544
      • C:\Users\Admin\updater.exe
        "C:\Users\Admin\updater.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1528

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\CrashpadMetrics-active.pma
    Filesize

    1024KB

    MD5

    03c4f648043a88675a920425d824e1b3

    SHA1

    b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d

    SHA256

    f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450

    SHA512

    2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

    Download Submit

  • C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\chrome_shutdown_ms.txt
    Filesize

    4B

    MD5

    183308301a5186ac3c54d84355a6e965

    SHA1

    adc77644c521da4fcd8d2336e4a77c0b17b3ece7

    SHA256

    a0f1a24c83018f8acaa963f6f069919e3da2a423d77100a06a9bd7dea9e8841e

    SHA512

    c96c7765b9dd7a40a1daae725d99568758b6038b0bcfc6c75cfabbfdfdcacec51468ce71b64f9d350397b0dc8694fbb481e6f1b4c2ecf9a6cb4a5ce8abe0febe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpD00C.tmp.bat
    Filesize

    135B

    MD5

    f570be7683bc52b2ae6bec5ed2080025

    SHA1

    031438d855a4c4a605c0a122d31260c5539863cb

    SHA256

    e4caab56d8d56299aa98be43c25594deb826901e9994c8fda2dd7974cf9d6e3d

    SHA512

    3d3e1bb6fac821157dedf5d594ccd0f1cc72bcaa0535dd435a2b8843b24613e8d5b479cc3d44b68aad3cfb98ffe09d7b290350f7e9822e7ef07c779be554966a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpD00C.tmp.bat
    Filesize

    135B

    MD5

    f570be7683bc52b2ae6bec5ed2080025

    SHA1

    031438d855a4c4a605c0a122d31260c5539863cb

    SHA256

    e4caab56d8d56299aa98be43c25594deb826901e9994c8fda2dd7974cf9d6e3d

    SHA512

    3d3e1bb6fac821157dedf5d594ccd0f1cc72bcaa0535dd435a2b8843b24613e8d5b479cc3d44b68aad3cfb98ffe09d7b290350f7e9822e7ef07c779be554966a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\PERTHE563456HGRSEG674RSGE\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
    Filesize

    48KB

    MD5

    79852fb32098bd81dafebd05f53bf2ee

    SHA1

    fcb335cd0bc204d81e329003f0060fdf3d5ae2d6

    SHA256

    f0b0a0b7ba6597d45762b0b8da19b7dcd01b80c5aad052d41aecb96ee231170e

    SHA512

    7ae44121e14ddf8cff08eaf8a37b9eda5a2e6283034eaaa95ecf3f7388ecaa9fc059461528467e93f0b0628fce57db100a0bdcffd9877319e1282cb4817ad348

    Download Submit

  • C:\Users\Admin\updater.exe
    Filesize

    585KB

    MD5

    cbfca6bac76bae78506b23ef0c5f2a20

    SHA1

    ec0998d7e46b457432a4de49b3dc8330ae892254

    SHA256

    15fedc86e87841c141b113efa635ef5b7d28f7cf906597a60354cd2d3ba85e3b

    SHA512

    a5d1b700184e4c2412315ee092ae2086985f013c684c843e489080cd4460f020957d8e4553eff36aef58a1b83416a84cd262c448038522987fb8bf60db956375

    Download Submit

  • C:\Users\Admin\updater.exe
    Filesize

    585KB

    MD5

    cbfca6bac76bae78506b23ef0c5f2a20

    SHA1

    ec0998d7e46b457432a4de49b3dc8330ae892254

    SHA256

    15fedc86e87841c141b113efa635ef5b7d28f7cf906597a60354cd2d3ba85e3b

    SHA512

    a5d1b700184e4c2412315ee092ae2086985f013c684c843e489080cd4460f020957d8e4553eff36aef58a1b83416a84cd262c448038522987fb8bf60db956375

    Download Submit

  • memory/1528-70-0x00000000002F0000-0x0000000000388000-memory.dmp

    Filesize

    608KB

    Download

  • memory/1528-71-0x000000001B330000-0x000000001B3B0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1528-112-0x000000001B330000-0x000000001B3B0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1528-113-0x000000001B330000-0x000000001B3B0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1704-54-0x0000000000300000-0x0000000000398000-memory.dmp

    Filesize

    608KB

    Download

  • memory/1704-55-0x000000001A800000-0x000000001A880000-memory.dmp

    Filesize

    512KB

    Download