Analysis

  • max time kernel
    140s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-08-2023 13:21

General

  • Target
    EulenCheat.exe
  • Size
    2.2MB
  • MD5
    e1c2e771756f041829406106d6c64f35
  • SHA1
    fbd385c064784ca0a4252e56aa73ccdfe15004a3
  • SHA256
    98069f38982bcc10318a09792dde1a12d4786b12ee3355cc505ca9f73d8726ea
  • SHA512
    c594256833088c89657bf26564374239a6d5ba9125db4c9285c631e2ea73d393319e21e2d210d968fac6abdad0ad9b2d0399988169739671433a4df29fce2ef0
  • SSDEEP
    49152:04/o7K1lja8Gdq7ZMHbLjSR9SBl5c9Tc+MGlDKVXhWd9/2AATSANne:d/zXjaL4ZMHbLjQElAcfMDz+fNne

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EulenCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\EulenCheat.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:460
      • C:\Windows\system32\netsh.exe
        netsh wlan show profile
        3⤵
        PID:2396
      • C:\Windows\system32\findstr.exe
        findstr All
        3⤵
        PID:2256
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:2292
      • C:\Windows\system32\netsh.exe
        netsh wlan show profile name=65001 key=clear
        3⤵
        PID:788
      • C:\Windows\system32\findstr.exe
        findstr Key
        3⤵
        PID:2688
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\EulenCheat.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4364
      • C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • Runs ping.exe
        PID:824

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/4296-133-0x0000000000400000-0x000000000063C000-memory.dmp
    Filesize: 2.2MB
  • memory/4296-135-0x00007FF99BAA0000-0x00007FF99C561000-memory.dmp
    Filesize: 10.8MB
  • memory/4296-134-0x0000000002920000-0x000000000293A000-memory.dmp
    Filesize: 104KB
  • memory/4296-136-0x0000000002910000-0x0000000002920000-memory.dmp
    Filesize: 64KB
  • memory/4296-139-0x000000001CF40000-0x000000001CFB6000-memory.dmp
    Filesize: 472KB
  • memory/4296-152-0x000000001B900000-0x000000001B912000-memory.dmp
    Filesize: 72KB
  • memory/4296-153-0x000000001BB90000-0x000000001BBCC000-memory.dmp
    Filesize: 240KB
  • memory/4296-155-0x00007FF99BAA0000-0x00007FF99C561000-memory.dmp
    Filesize: 10.8MB