Analysis Overview
SHA256
54977b912c095aad3344503a6ac190ff9371bb22bb9d71e28aceec66dda8b777
Threat Level: Known bad
The file Hazard-Nuker.rar was found to be: Known bad.
Malicious Activity Summary
Contains code to disable Windows Defender
StormKitty payload
Stormkitty family
StormKitty
Adds Run key to start application
Looks up external IP address via web service
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2023-08-08 17:58
Signatures
Contains code to disable Windows Defender
StormKitty payload
Stormkitty family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-08 17:58
Reported
2023-08-08 18:28
Platform
win10v2004-20230703-en
Max time kernel
1794s
Max time network
1506s
Command Line
Signatures
Contains code to disable Windows Defender
StormKitty
StormKitty payload
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Local Drivers\\DriversUpdateProcess_x64.exe" | C:\Users\Admin\AppData\Local\Temp\Hazard-Nuker.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | checkip.dyndns.org | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Hazard-Nuker.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hazard-Nuker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hazard-Nuker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hazard-Nuker.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Hazard-Nuker.exe
"C:\Users\Admin\AppData\Local\Temp\Hazard-Nuker.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2228 -ip 2228
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2228 -s 1528
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
Files