Analysis Overview
SHA256
b0a4e447d41c4e1fe3b1105125814d4210332c70c743bef134077b7000bf1701
Threat Level: Known bad
The file StormSpoofer.rar was found to be: Known bad.
Malicious Activity Summary
Stormkitty family
StormKitty
StormKitty payload
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Program crash
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-14 13:21
Signatures
StormKitty payload
Stormkitty family
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-14 13:21
Reported
2023-08-14 13:24
Platform
win10v2004-20230703-en
Max time kernel
117s
Max time network
152s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8c7eaf13-fbd6-4ed8-ac79-fb12fcd71326}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8c7eaf13-fbd6-4ed8-ac79-fb12fcd71326} | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\StormSpoofer\HwidSpoof.dll
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-08-14 13:21
Reported
2023-08-14 13:24
Platform
win7-20230712-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\StormSpoofer\SpoofB10S.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-14 13:21
Reported
2023-08-14 13:24
Platform
win7-20230712-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\StormSpoofer\HwidSpoof.dll
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-08-14 13:21
Reported
2023-08-14 13:24
Platform
win10v2004-20230703-en
Max time kernel
140s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\StormSpoofer\SpoofB10S.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3264 -ip 3264
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3264 -s 332
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-08-14 13:21
Reported
2023-08-14 13:24
Platform
win7-20230712-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoof.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-08-14 13:21
Reported
2023-08-14 13:24
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoof.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-08-14 13:21
Reported
2023-08-14 13:24
Platform
win7-20230712-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
StormKitty
StormKitty payload
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | www.toptal.com | udp |
| US | 104.18.28.213:443 | www.toptal.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-08-14 13:21
Reported
2023-08-14 13:24
Platform
win10v2004-20230703-en
Max time kernel
124s
Max time network
130s
Command Line
Signatures
StormKitty
StormKitty payload
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\StormSpoofer\StormSpoofer.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
Network
Files