Analysis

max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 14-08-2023 13:21
Behavioral task behavioral1: sample EulenCheat.exe, resource win7-20230712-en
Behavioral task behavioral2: sample EulenCheat.exe, resource win10v2004-20230703-en
General

Target: EulenCheat.exe
Size: 2.2MB
MD5: e1c2e771756f041829406106d6c64f35
SHA1: fbd385c064784ca0a4252e56aa73ccdfe15004a3
SHA256: 98069f38982bcc10318a09792dde1a12d4786b12ee3355cc505ca9f73d8726ea
SHA512: c594256833088c89657bf26564374239a6d5ba9125db4c9285c631e2ea73d393319e21e2d210d968fac6abdad0ad9b2d0399988169739671433a4df29fce2ef0
SSDEEP: 49152:04/o7K1lja8Gdq7ZMHbLjSR9SBl5c9Tc+MGlDKVXhWd9/2AATSANne:d/zXjaL4ZMHbLjQElAcfMDz+fNne
Malware Config

(none extracted)

Signatures

- StormKitty
  StormKitty is an open source info stealer written in C#.

- StormKitty payload (1 IoC)
  resource                                                                    yara_rule
  behavioral1/memory/2316-54-0x00000000008F0000-0x0000000000B2C000-memory.dmp  family_stormkitty

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Legitimate hosting services abused for malware hosting/C2 (1 TTP)

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  9     checkip.dyndns.org
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies system certificate store
  description       ioc                                                                                                                              Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474              EulenCheat.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data not included in the report)  EulenCheat.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  2284  PING.EXE

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2316  EulenCheat.exe
  2316  EulenCheat.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2316  EulenCheat.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process         procid_target
  PID 2316 wrote to memory of 2708  2316  EulenCheat.exe  29
  PID 2316 wrote to memory of 2708  2316  EulenCheat.exe  29
  PID 2316 wrote to memory of 2708  2316  EulenCheat.exe  29
  PID 2708 wrote to memory of 2816  2708  cmd.exe         31
  PID 2708 wrote to memory of 2816  2708  cmd.exe         31
  PID 2708 wrote to memory of 2816  2708  cmd.exe         31
  PID 2708 wrote to memory of 2860  2708  cmd.exe         32
  PID 2708 wrote to memory of 2860  2708  cmd.exe         32
  PID 2708 wrote to memory of 2860  2708  cmd.exe         32
  PID 2708 wrote to memory of 1208  2708  cmd.exe         33
  PID 2708 wrote to memory of 1208  2708  cmd.exe         33
  PID 2708 wrote to memory of 1208  2708  cmd.exe         33
  PID 2316 wrote to memory of 2320  2316  EulenCheat.exe  34
  PID 2316 wrote to memory of 2320  2316  EulenCheat.exe  34
  PID 2316 wrote to memory of 2320  2316  EulenCheat.exe  34
  PID 2320 wrote to memory of 2284  2320  cmd.exe         36
  PID 2320 wrote to memory of 2284  2320  cmd.exe         36
  PID 2320 wrote to memory of 2284  2320  cmd.exe         36
Processes

C:\Users\Admin\AppData\Local\Temp\EulenCheat.exe  (PID 2316)
  command line: "C:\Users\Admin\AppData\Local\Temp\EulenCheat.exe"
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (PID 2708)
    command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\chcp.com  (PID 2816)
      command line: chcp 65001

    C:\Windows\system32\netsh.exe  (PID 2860)
      command line: netsh wlan show profile

    C:\Windows\system32\findstr.exe  (PID 1208)
      command line: findstr All

  C:\Windows\System32\cmd.exe  (PID 2320)
    command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\EulenCheat.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE  (PID 2284)
      command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe