General

  • Target

    sccvhost.exe

  • Size

    40KB

  • Sample

    240412-vrqc2scc55

  • MD5

    b0031898d56e40acd184e475fac4452a

  • SHA1

    2205d8183cc609a974c2bde8476d303cb280c9a5

  • SHA256

    c52435aca4820212d60f1715d1a77ea8e5b69673bdbc1392b2441c0148a3e012

  • SHA512

    8ff1800a975a1a97204f727d4db3a3f32fa0d9d688465fa9eebc3377926dc7f76420d32623f41977be1aa8fbf0bdccff83171fcba359a919ae85c72db9c1d059

  • SSDEEP

    768:kBKLuVaHB2SZ93yrS3Y29WRskU9EIoz1QB6SYK1vrRjdFxY:kBKXerSInM9I1QozK1ljdFxY

Malware Config

Targets

    • Modifies visibility of file extensions in Explorer

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Scheduled Task/Job (T1053): 1

Persistence

  • Boot or Logon Autostart Execution (T1547): 2

    • Registry Run Keys / Startup Folder (T1547.001): 1

    • Winlogon Helper DLL (T1547.004): 1

  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2

    • Registry Run Keys / Startup Folder (T1547.001): 1

    • Winlogon Helper DLL (T1547.004): 1

  • Scheduled Task/Job (T1053): 1

Defense Evasion

  • Hide Artifacts (T1564): 3

    • Hidden Files and Directories (T1564.001): 3

  • Modify Registry (T1112): 3

Discovery

  • System Information Discovery (T1082): 1

  • Query Registry (T1012): 1

Command and Control

  • Web Service (T1102): 1

Tasks