Analysis

  • max time kernel: 124s
  • max time network: 130s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230703-en
  • resource tags: arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
  • submitted: 14-08-2023 13:21

General

  • Target: StormSpoofer/StormSpoofer.exe
  • Size: 2.0MB
  • MD5: 0071a5ec31891617ed9b292f018987b1
  • SHA1: 82a16959d85bcd1fa2b0becd02e7896e0d297fe3
  • SHA256: d8533aecec0559761692a9ae4f2b42f9ce45df326edb8a76b90ef6aa60ea2336
  • SHA512: 4d749da4d360449739fe0d6a6e74186ab6cea0e7a73627a947715640014cf3e018cff693a39d39c805ea774a97974aff8e45d7aeed22557fe21678e81bc5f19e
  • SSDEEP: 49152:M4/o7K1lja8Gdq7ZMHbLjSR9SBl5c9Tc+MGlDKVXhWd9/2A:F/zXjaL4ZMHbLjQElAcfMDz

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload (1 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:3792
      • C:\Windows\system32\netsh.exe
        netsh wlan show profile
        3⤵
        PID:1324
      • C:\Windows\system32\findstr.exe
        findstr All
        3⤵
        PID:3648
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:648
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:4320
      • C:\Windows\system32\netsh.exe
        netsh wlan show profile name=65001 key=clear
        3⤵
        PID:4208
      • C:\Windows\system32\findstr.exe
        findstr Key
        3⤵
        PID:1668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2852-133-0x0000000000AC0000-0x0000000000CD2000-memory.dmp (Filesize: 2.1MB)
  • memory/2852-134-0x0000000002EA0000-0x0000000002EBA000-memory.dmp (Filesize: 104KB)
  • memory/2852-135-0x00007FFA12E30000-0x00007FFA138F1000-memory.dmp (Filesize: 10.8MB)
  • memory/2852-136-0x000000001BA80000-0x000000001BA90000-memory.dmp (Filesize: 64KB)
  • memory/2852-139-0x000000001D630000-0x000000001D6A6000-memory.dmp (Filesize: 472KB)
  • memory/2852-152-0x000000001C1C0000-0x000000001C1D2000-memory.dmp (Filesize: 72KB)
  • memory/2852-153-0x000000001C220000-0x000000001C25C000-memory.dmp (Filesize: 240KB)
  • memory/2852-155-0x00007FFA12E30000-0x00007FFA138F1000-memory.dmp (Filesize: 10.8MB)