Overview

overview

10

Static

static

3

c177d70d7e...00.exe

windows7-x64

10

c177d70d7e...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2024, 19:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c177d70d7e3fd9c9499011cce57cc800.exe

  • Size

    1.3MB

  • MD5

    c177d70d7e3fd9c9499011cce57cc800

  • SHA1

    418e8e996d6e2e5e0d58a74276a771492b0e7283

  • SHA256

    9e1dd477999ef5e83ef7e238a8c1df3b1b618c1f5cc72a8a98dd4352b06267a5

  • SHA512

    2055b5f3ab4376c49f5ab055b09ced4c0bf4a484cd6aae94d1b6bbc9dfecc6e28c9d7c57f97ef64588bc9249e5c7cf25c24acbeb5cf5b02a8e44b022b00c7281

  • SSDEEP

    24576:1LF7NWgiaJrPJTLbGi777hcCwJ5sfeKuCdeMj65PJUSJ+QRZKiCoXvHUZC8ur8h9:NthjlpLbGCwJOfrn45prP/0Rur8hfl

Score
10/10
stormkittyevasionstealer

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c177d70d7e3fd9c9499011cce57cc800.exe
    "C:\Users\Admin\AppData\Local\Temp\c177d70d7e3fd9c9499011cce57cc800.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\c177d70d7e3fd9c9499011cce57cc800.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4556
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
      • C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        PID:212
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1356 --field-trial-handle=3136,i,3192284747741020952,1225278682167953346,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2312

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c177d70d7e3fd9c9499011cce57cc800.exe.log
            Filesize

            1KB

            MD5

            e08f822522c617a40840c62e4b0fb45e

            SHA1

            ae516dca4da5234be6676d3f234c19ec55725be7

            SHA256

            bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

            SHA512

            894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe
            Filesize

            42KB

            MD5

            998d4888b99734c60802f93fb2daf940

            SHA1

            297a395d096ca67b885134dea1147c270b402c1a

            SHA256

            d63c4166014d50c6321e82e1c6de7c1a2207b0e09f541d1275d0109aa1d191b5

            SHA512

            2658aab48807606dc83c4b822438b5454a3df19f4db015d30b8b330baab6218a8a259bb33a2e57398e3c6823059ea49477b4d79df63fe383a9f4725359899190

            Download Submit

          • memory/212-66-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/212-65-0x0000000075190000-0x0000000075940000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/212-64-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/212-63-0x0000000075190000-0x0000000075940000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/212-61-0x00000000002F0000-0x0000000000300000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2592-40-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-45-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-50-0x0000000075190000-0x0000000075940000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2592-48-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-46-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-43-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-39-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-37-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-34-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-35-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-33-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-32-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-31-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-30-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-23-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/2592-27-0x0000000075190000-0x0000000075940000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2592-28-0x0000000004E10000-0x0000000004E20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2592-29-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/3052-8-0x0000000005650000-0x00000000056EC000-memory.dmp

            Filesize

            624KB

            Download

          • memory/3052-13-0x0000000005BF0000-0x0000000005C56000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3052-0-0x0000000075190000-0x0000000075940000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3052-18-0x0000000075190000-0x0000000075940000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3052-2-0x0000000007930000-0x0000000007A5E000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3052-7-0x0000000002D90000-0x0000000002D98000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3052-10-0x0000000005410000-0x0000000005420000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3052-5-0x0000000005410000-0x0000000005420000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3052-1-0x0000000000970000-0x0000000000AB8000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3052-12-0x0000000005B20000-0x0000000005BF2000-memory.dmp

            Filesize

            840KB

            Download

          • memory/3052-3-0x0000000008010000-0x00000000085B4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3052-11-0x00000000059F0000-0x0000000005B18000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3052-4-0x0000000007B00000-0x0000000007B92000-memory.dmp

            Filesize

            584KB

            Download

          • memory/3052-9-0x0000000075190000-0x0000000075940000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3052-6-0x0000000007AD0000-0x0000000007ADA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4556-14-0x0000000000400000-0x00000000004B8000-memory.dmp

            Filesize

            736KB

            Download

          • memory/4556-62-0x0000000075190000-0x0000000075940000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4556-21-0x00000000068E0000-0x000000000699E000-memory.dmp

            Filesize

            760KB

            Download

          • memory/4556-20-0x0000000005460000-0x0000000005474000-memory.dmp

            Filesize

            80KB

            Download

          • memory/4556-17-0x0000000075190000-0x0000000075940000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4556-19-0x0000000005410000-0x0000000005420000-memory.dmp

            Filesize

            64KB

            Download