Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-08-2023 13:21

General

  • Target

    StormSpoofer/StormSpoofer.exe

  • Size

    2.0MB

  • MD5

    0071a5ec31891617ed9b292f018987b1

  • SHA1

    82a16959d85bcd1fa2b0becd02e7896e0d297fe3

  • SHA256

    d8533aecec0559761692a9ae4f2b42f9ce45df326edb8a76b90ef6aa60ea2336

  • SHA512

    4d749da4d360449739fe0d6a6e74186ab6cea0e7a73627a947715640014cf3e018cff693a39d39c805ea774a97974aff8e45d7aeed22557fe21678e81bc5f19e

  • SSDEEP

    49152:M4/o7K1lja8Gdq7ZMHbLjSR9SBl5c9Tc+MGlDKVXhWd9/2A:F/zXjaL4ZMHbLjQElAcfMDz

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2968
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          3⤵
            PID:2740
          • C:\Windows\system32\findstr.exe
            findstr All
            3⤵
              PID:2732

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2432-53-0x0000000000EC0000-0x00000000010D2000-memory.dmp

    Filesize

    2.1MB

  • memory/2432-54-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

    Filesize

    9.9MB

  • memory/2432-55-0x00000000005B0000-0x0000000000630000-memory.dmp

    Filesize

    512KB

  • memory/2432-56-0x0000000000160000-0x000000000016A000-memory.dmp

    Filesize

    40KB

  • memory/2432-57-0x0000000000170000-0x000000000018A000-memory.dmp

    Filesize

    104KB

  • memory/2432-60-0x00000000003F0000-0x0000000000416000-memory.dmp

    Filesize

    152KB

  • memory/2432-61-0x0000000000D50000-0x0000000000DE0000-memory.dmp

    Filesize

    576KB

  • memory/2432-74-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

    Filesize

    9.9MB