Overview

overview

10

Static

static

3

sccvhost.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    296s
  • max time network
    306s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12-04-2024 17:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sccvhost.exe

  • Size

    40KB

  • MD5

    b0031898d56e40acd184e475fac4452a

  • SHA1

    2205d8183cc609a974c2bde8476d303cb280c9a5

  • SHA256

    c52435aca4820212d60f1715d1a77ea8e5b69673bdbc1392b2441c0148a3e012

  • SHA512

    8ff1800a975a1a97204f727d4db3a3f32fa0d9d688465fa9eebc3377926dc7f76420d32623f41977be1aa8fbf0bdccff83171fcba359a919ae85c72db9c1d059

  • SSDEEP

    768:kBKLuVaHB2SZ93yrS3Y29WRskU9EIoz1QB6SYK1vrRjdFxY:kBKXerSInM9I1QozK1ljdFxY

Score
10/10
stormkittyevasionpersistencestealer

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\sccvhost.exe
    "C:\Users\Admin\AppData\Local\Temp\sccvhost.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\scvhost"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:4664
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\scvhost\$77sccvhost.exe"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2436
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD5FD.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3056
      • C:\Users\Admin\AppData\Roaming\scvhost\$77sccvhost.exe
        "C:\Users\Admin\AppData\Roaming\scvhost\$77sccvhost.exe"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Executes dropped EXE
        • Modifies WinLogon
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4756
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks.exe" /query /TN $77sccvhost.exe
          4⤵
            PID:3184
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks.exe" /Create /SC ONCE /TN "$77sccvhost.exe" /TR "C:\Users\Admin\AppData\Roaming\scvhost\$77sccvhost.exe \"\$77sccvhost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
            4⤵
            • Creates scheduled task(s)
            PID:1640
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks.exe" /query /TN $77sccvhost.exe
            4⤵
              PID:216
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4140
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x380
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1584

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Hide Artifacts

      3
      T1564

      Hidden Files and Directories

      3
      T1564.001

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n4iipilh.s1n.ps1
        Filesize

        1B

        MD5

        c4ca4238a0b923820dcc509a6f75849b

        SHA1

        356a192b7913b04c54574d18c28d46e6395428ab

        SHA256

        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

        SHA512

        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpD5FD.tmp.bat
        Filesize

        163B

        MD5

        0b820bab41583a8f3bec26180782a125

        SHA1

        273f3dc5b58470ae13aa0bfa5ac4e8b9ec2b94d2

        SHA256

        3dfd44528859057b0f70a1a6236a926f7115fcc075706cfab61566d62b986b78

        SHA512

        986695b512dfe6f5c9407e83d171678b63f2e9581f7cc50a3bc3df209d032346b4ab190ca561caf63766bb7746ac032211a7c73f4d3a9954e42450e0a57077cf

        Download Submit
      • C:\Users\Admin\AppData\Roaming\scvhost\$77sccvhost.exe
        Filesize

        40KB

        MD5

        b0031898d56e40acd184e475fac4452a

        SHA1

        2205d8183cc609a974c2bde8476d303cb280c9a5

        SHA256

        c52435aca4820212d60f1715d1a77ea8e5b69673bdbc1392b2441c0148a3e012

        SHA512

        8ff1800a975a1a97204f727d4db3a3f32fa0d9d688465fa9eebc3377926dc7f76420d32623f41977be1aa8fbf0bdccff83171fcba359a919ae85c72db9c1d059

        Download Submit
      • memory/804-1-0x00007FFBAF280000-0x00007FFBAFC6C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/804-2-0x0000000001120000-0x0000000001130000-memory.dmp
        Filesize

        64KB

        Download
      • memory/804-4-0x00007FFBAF280000-0x00007FFBAFC6C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/804-9-0x00007FFBAF280000-0x00007FFBAFC6C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/804-0-0x0000000000210000-0x000000000021E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/4140-73-0x00007FFBAF280000-0x00007FFBAFC6C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/4140-17-0x00007FFBAF280000-0x00007FFBAFC6C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/4140-18-0x0000020DE66F0000-0x0000020DE6700000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4140-19-0x0000020DE66F0000-0x0000020DE6700000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4140-20-0x0000020DE67E0000-0x0000020DE6802000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4140-23-0x0000020DE6910000-0x0000020DE6986000-memory.dmp
        Filesize

        472KB

        Download
      • memory/4140-59-0x0000020DE66F0000-0x0000020DE6700000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4140-36-0x0000020DE66F0000-0x0000020DE6700000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4756-74-0x00007FFBAF280000-0x00007FFBAFC6C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/4756-83-0x0000000002E10000-0x0000000002E20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4756-11-0x00007FFBAF280000-0x00007FFBAFC6C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/4756-75-0x0000000002E10000-0x0000000002E20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4756-76-0x000000001D2F0000-0x000000001D300000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4756-77-0x0000000001330000-0x0000000001340000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4756-78-0x0000000002E10000-0x0000000002E20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4756-79-0x0000000002E10000-0x0000000002E20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4756-80-0x0000000002E10000-0x0000000002E20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4756-81-0x0000000001380000-0x000000000138E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/4756-82-0x0000000002E10000-0x0000000002E20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4756-12-0x0000000002E10000-0x0000000002E20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4756-84-0x0000000002E10000-0x0000000002E20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4756-85-0x00000000015D0000-0x00000000015F2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4756-86-0x00000000015F0000-0x0000000001610000-memory.dmp
        Filesize

        128KB

        Download
      • memory/4756-87-0x000000001E7D0000-0x000000001E87A000-memory.dmp
        Filesize

        680KB

        Download
      • memory/4756-93-0x000000001D430000-0x000000001D448000-memory.dmp
        Filesize

        96KB

        Download
      • memory/4756-94-0x0000000000CE0000-0x0000000000CF2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4756-95-0x0000000000CF0000-0x0000000000D00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4756-96-0x0000000000D00000-0x0000000000E86000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/4756-97-0x0000000000E90000-0x0000000000EBA000-memory.dmp
        Filesize

        168KB

        Download
      • memory/4756-98-0x0000000000EC0000-0x0000000000EE0000-memory.dmp
        Filesize

        128KB

        Download
      • memory/4756-99-0x0000000000EE0000-0x0000000000EEE000-memory.dmp
        Filesize

        56KB

        Download