Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
11/03/2024, 19:59
General
-
Target
c177d70d7e3fd9c9499011cce57cc800.exe
-
Size
1.3MB
-
MD5
c177d70d7e3fd9c9499011cce57cc800
-
SHA1
418e8e996d6e2e5e0d58a74276a771492b0e7283
-
SHA256
9e1dd477999ef5e83ef7e238a8c1df3b1b618c1f5cc72a8a98dd4352b06267a5
-
SHA512
2055b5f3ab4376c49f5ab055b09ced4c0bf4a484cd6aae94d1b6bbc9dfecc6e28c9d7c57f97ef64588bc9249e5c7cf25c24acbeb5cf5b02a8e44b022b00c7281
-
SSDEEP
24576:1LF7NWgiaJrPJTLbGi777hcCwJ5sfeKuCdeMj65PJUSJ+QRZKiCoXvHUZC8ur8h9:NthjlpLbGCwJOfrn45prP/0Rur8hfl
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c177d70d7e3fd9c9499011cce57cc800.exe"C:\Users\Admin\AppData\Local\Temp\c177d70d7e3fd9c9499011cce57cc800.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c177d70d7e3fd9c9499011cce57cc800.exe"{path}"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe"C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD5998d4888b99734c60802f93fb2daf940
SHA1297a395d096ca67b885134dea1147c270b402c1a
SHA256d63c4166014d50c6321e82e1c6de7c1a2207b0e09f541d1275d0109aa1d191b5
SHA5122658aab48807606dc83c4b822438b5454a3df19f4db015d30b8b330baab6218a8a259bb33a2e57398e3c6823059ea49477b4d79df63fe383a9f4725359899190
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
736KB
-
Filesize
6.9MB
-
Filesize
760KB
-
Filesize
80KB
-
Filesize
736KB
-
Filesize
736KB
-
Filesize
736KB
-
Filesize
736KB
-
Filesize
736KB
-
Filesize
6.9MB
-
Filesize
736KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
1.3MB
-
Filesize
6.9MB
-
Filesize
840KB
-
Filesize
1.2MB
-
Filesize
32KB
-
Filesize
256KB
-
Filesize
1.2MB
-
Filesize
256KB
-
Filesize
6.9MB