Analysis

  • max time kernel
    55s
  • max time network
    50s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
  • submitted
    29-04-2024 19:53

General

  • Target

    Client.exe

  • Size

    320KB

  • MD5

    ce8f79dccd060e39d1190c7bf8410022

  • SHA1

    2818e61500ce5d04734d0748b6a6692a252094cd

  • SHA256

    2977e0b05594746088bff548f75d614c92c1f0ba9ecc321f5350388271deec4c

  • SHA512

    3ae28874016865ae1de333706e714f6f5b97aee5fd212cdd3cb93b199c47b73f6e25e174de0c3dd8554dd7b5d89ad4c362cb2be64200ed96c6ba13263cd1b2a5

  • SSDEEP

    6144:bv/Q1Q5Ng68j/svKZIYrFUygWK0tWrcBOvm:bv/Q6P8j/svKPtZB

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read the browser's stored profile data, which holds saved logins, cookies and autofill entries.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 11 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
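The signatures above are behaviour labels, not the raw events behind them. The following is an added detection sketch, not code from the report or from StormKitty, showing how four of those labels (Uninstall key enumeration, processor information read, Outlook profile access, external IP lookup) can be correlated per process over Sysmon-style registry and DNS events. The registry paths and the IP-lookup hostnames in the matchers are assumptions about what the sandbox signatures look for, and the sample events are constructed, not taken from this run.

```python
"""Behaviour correlation over constructed Sysmon-style events.

Added example: maps the sandbox signature names on this page to simple
matchers and runs them over sample events. The registry paths and the
IP-lookup hostnames are assumptions about what the signatures look for,
not data from the report.
"""
import re
from collections import defaultdict

# Assumed matchers: (signature name, event field, regex on the field value).
SIGNATURES = [
    ("Checks installed software on the system", "target",
     re.compile(r"\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.I)),
    ("Checks processor information in registry", "target",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I)),
    ("Accesses Microsoft Outlook profiles", "target",
     re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I)),
    ("Looks up external IP address via web service", "query",
     re.compile(r"^(api\.ipify\.org|ipinfo\.io|checkip\.amazonaws\.com)$", re.I)),
]

# A process that trips at least this many distinct signatures is reported.
# Any single one of them is also normal for legitimate software.
MIN_HITS = 3

# Constructed sample events (not from the report). Field names follow Sysmon's
# RegistryEvent (ID 12/13: TargetObject) and DnsQuery (ID 22: QueryName).
SAMPLE_EVENTS = [
    {"pid": 660, "image": r"C:\Users\Admin\AppData\Local\Temp\Client.exe", "event": 12,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 660, "image": r"C:\Users\Admin\AppData\Local\Temp\Client.exe", "event": 13,
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 660, "image": r"C:\Users\Admin\AppData\Local\Temp\Client.exe", "event": 12,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"pid": 660, "image": r"C:\Users\Admin\AppData\Local\Temp\Client.exe", "event": 22,
     "query": "api.ipify.org"},
    # Benign noise: the shell enumerating installed programs is normal.
    {"pid": 4012, "image": r"C:\Windows\explorer.exe", "event": 12,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++"},
]


def match_events(events):
    """Return {pid: set of signature names} for every process seen in `events`."""
    hits = defaultdict(set)
    for ev in events:
        for name, field, pattern in SIGNATURES:
            value = ev.get(field)
            if value is not None and pattern.search(value):
                hits[ev["pid"]].add(name)
    return dict(hits)


def suspicious_processes(events, min_hits=MIN_HITS):
    """Return {pid: sorted signature names} for processes at or above the threshold."""
    return {pid: sorted(names) for pid, names in match_events(events).items()
            if len(names) >= min_hits}


if __name__ == "__main__":
    for pid, names in suspicious_processes(SAMPLE_EVENTS).items():
        print(f"PID {pid}:")
        for n in names:
            print(f"  - {n}")
```

The threshold is the point: explorer.exe reading the Uninstall key alone is not reportable, while one process that enumerates software, reads CPU details, opens Outlook profile keys and then resolves an IP-lookup host looks like the sequence this report labels.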

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:660
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 1204
      2⤵
      • Program crash
      PID:1140
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 660 -ip 660
    1⤵
    PID:1596
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InitializeNew.png" /ForceBootstrapPaint3D
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:4008
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
    1⤵
    • Drops file in System32 directory
    PID:4388
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Credential Access
    Unsecured Credentials (T1552): 2 signatures
    Credentials In Files (T1552.001): 2 signatures
  • Discovery
    Query Registry (T1012): 2 signatures
    System Information Discovery (T1082): 1 signature
  • Collection
    Data from Local System (T1005): 2 signatures
    Email Collection (T1114): 1 signature


Downloads

  • C:\Users\Admin\AppData\Roaming\PYDWGGUE\Process.txt

    Filesize

    4KB

    MD5

    fd81a473e0682a3f6d16613c710bd48f

    SHA1

    a133204dd2a0f81afb10c79c96183600d0aff03c

    SHA256

    5ba227a8e00023a1f711680437082a67d4a078bf1d8973e6e0200763fa072d42

    SHA512

    144300702bf2a7ef17a3f22efbf63cca8e62ef85738f61317352eca4f4728f79987e32d64b85461928f2f0c25561b0edfaf4b32aadca7f8b57c4c3f1881558ff

  • memory/660-121-0x00000000052B0000-0x00000000052C0000-memory.dmp

    Filesize

    64KB

  • memory/660-35-0x0000000006960000-0x00000000069C6000-memory.dmp

    Filesize

    408KB

  • memory/660-156-0x0000000074800000-0x0000000074FB0000-memory.dmp

    Filesize

    7.7MB

  • memory/660-33-0x0000000006AF0000-0x0000000007094000-memory.dmp

    Filesize

    5.6MB

  • memory/660-0-0x00000000009F0000-0x0000000000A46000-memory.dmp

    Filesize

    344KB

  • memory/660-1-0x0000000074800000-0x0000000074FB0000-memory.dmp

    Filesize

    7.7MB

  • memory/660-120-0x0000000074800000-0x0000000074FB0000-memory.dmp

    Filesize

    7.7MB

  • memory/660-2-0x00000000052B0000-0x00000000052C0000-memory.dmp

    Filesize

    64KB

  • memory/660-32-0x00000000064A0000-0x0000000006532000-memory.dmp

    Filesize

    584KB

  • memory/4388-168-0x000002482BF40000-0x000002482BF41000-memory.dmp

    Filesize

    4KB

  • memory/4388-161-0x0000024823C60000-0x0000024823C70000-memory.dmp

    Filesize

    64KB

  • memory/4388-170-0x000002482BFC0000-0x000002482BFC1000-memory.dmp

    Filesize

    4KB

  • memory/4388-172-0x000002482BFC0000-0x000002482BFC1000-memory.dmp

    Filesize

    4KB

  • memory/4388-173-0x000002482C050000-0x000002482C051000-memory.dmp

    Filesize

    4KB

  • memory/4388-174-0x000002482C050000-0x000002482C051000-memory.dmp

    Filesize

    4KB

  • memory/4388-175-0x000002482C060000-0x000002482C061000-memory.dmp

    Filesize

    4KB

  • memory/4388-176-0x000002482C060000-0x000002482C061000-memory.dmp

    Filesize

    4KB
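The memory dump names above encode the process ID, a sequence number and the start and end address of the dumped region, so the Filesize labels can be recomputed and the list can be collapsed to distinct regions. This is an added example, not part of the report or of any sandbox tooling; the name layout it parses and the KB/MB formatting rule it applies are inferred from the entries on this page.

```python
"""Recompute memory-dump region sizes from the dump names on this page.

Added example, not part of the original report: the names follow the
pattern memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, so the region
length is end - start and can be checked against the Filesize label.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (dump name, Filesize label) pairs copied from the Downloads list above.
REPORT_DUMPS = [
    ("memory/660-121-0x00000000052B0000-0x00000000052C0000-memory.dmp", "64KB"),
    ("memory/660-35-0x0000000006960000-0x00000000069C6000-memory.dmp", "408KB"),
    ("memory/660-156-0x0000000074800000-0x0000000074FB0000-memory.dmp", "7.7MB"),
    ("memory/660-33-0x0000000006AF0000-0x0000000007094000-memory.dmp", "5.6MB"),
    ("memory/660-0-0x00000000009F0000-0x0000000000A46000-memory.dmp", "344KB"),
    ("memory/660-1-0x0000000074800000-0x0000000074FB0000-memory.dmp", "7.7MB"),
    ("memory/660-120-0x0000000074800000-0x0000000074FB0000-memory.dmp", "7.7MB"),
    ("memory/660-2-0x00000000052B0000-0x00000000052C0000-memory.dmp", "64KB"),
    ("memory/660-32-0x00000000064A0000-0x0000000006532000-memory.dmp", "584KB"),
    ("memory/4388-168-0x000002482BF40000-0x000002482BF41000-memory.dmp", "4KB"),
    ("memory/4388-161-0x0000024823C60000-0x0000024823C70000-memory.dmp", "64KB"),
    ("memory/4388-170-0x000002482BFC0000-0x000002482BFC1000-memory.dmp", "4KB"),
    ("memory/4388-172-0x000002482BFC0000-0x000002482BFC1000-memory.dmp", "4KB"),
    ("memory/4388-173-0x000002482C050000-0x000002482C051000-memory.dmp", "4KB"),
    ("memory/4388-174-0x000002482C050000-0x000002482C051000-memory.dmp", "4KB"),
    ("memory/4388-175-0x000002482C060000-0x000002482C061000-memory.dmp", "4KB"),
    ("memory/4388-176-0x000002482C060000-0x000002482C061000-memory.dmp", "4KB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, start, end and byte length."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Format like the report: whole KB below 1 MiB, otherwise MB to one decimal."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def size_mismatches(dumps):
    """Return the names whose recomputed size disagrees with the page's label."""
    return [name for name, label in dumps
            if human_size(parse_dump_name(name)["size"]) != label]


def regions_by_pid(dumps):
    """Group dumps by (pid, start, end). The same range dumped at several
    sequence numbers is one region captured repeatedly, not several regions."""
    groups = defaultdict(list)
    for name, _ in dumps:
        d = parse_dump_name(name)
        groups[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return {key: sorted(seqs) for key, seqs in groups.items()}


if __name__ == "__main__":
    print("mismatches:", size_mismatches(REPORT_DUMPS) or "none")
    for (pid, start, end), seqs in sorted(regions_by_pid(REPORT_DUMPS).items()):
        print(f"pid {pid} 0x{start:X}-0x{end:X} {human_size(end - start):>6} "
              f"dumped at seq {seqs}")
```

Collapsing by range reduces the seventeen dumps to eleven distinct regions; for PID 660 the 0x74800000 range appears at sequence numbers 1, 120 and 156, which is the same mapping captured three times rather than three separate allocations.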