Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-08-2023 13:21

General

  • Target

    EulenCheat.exe

  • Size

    2.2MB

  • MD5

    e1c2e771756f041829406106d6c64f35

  • SHA1

    fbd385c064784ca0a4252e56aa73ccdfe15004a3

  • SHA256

    98069f38982bcc10318a09792dde1a12d4786b12ee3355cc505ca9f73d8726ea

  • SHA512

    c594256833088c89657bf26564374239a6d5ba9125db4c9285c631e2ea73d393319e21e2d210d968fac6abdad0ad9b2d0399988169739671433a4df29fce2ef0

  • SSDEEP

    49152:04/o7K1lja8Gdq7ZMHbLjSR9SBl5c9Tc+MGlDKVXhWd9/2AATSANne:d/zXjaL4ZMHbLjQElAcfMDz+fNne

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EulenCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\EulenCheat.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2816
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          3⤵
            PID:2860
          • C:\Windows\system32\findstr.exe
            findstr All
            3⤵
              PID:1208
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\EulenCheat.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • Runs ping.exe
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2316-54-0x00000000008F0000-0x0000000000B2C000-memory.dmp

    Filesize

    2.2MB

  • memory/2316-55-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

    Filesize

    9.9MB

  • memory/2316-56-0x000000001B050000-0x000000001B0D0000-memory.dmp

    Filesize

    512KB

  • memory/2316-57-0x00000000002D0000-0x00000000002DA000-memory.dmp

    Filesize

    40KB

  • memory/2316-58-0x00000000002E0000-0x00000000002FA000-memory.dmp

    Filesize

    104KB

  • memory/2316-61-0x0000000000860000-0x0000000000886000-memory.dmp

    Filesize

    152KB

  • memory/2316-62-0x00000000022D0000-0x0000000002360000-memory.dmp

    Filesize

    576KB

  • memory/2316-75-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

    Filesize

    9.9MB