Malware Analysis Report

2024-09-23 00:25

Sample ID 240503-v4z31seg84
Target Nursultan Beta.exe
SHA256 211cb177c61f63ca15955c9c3cfb44104f0551714801adc550911b038c2bf368
Tags
stormkitty xworm execution persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

211cb177c61f63ca15955c9c3cfb44104f0551714801adc550911b038c2bf368

Threat Level: Known bad

The file Nursultan Beta.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty xworm execution persistence rat spyware stealer trojan

Xworm

StormKitty payload

Contains code to disable Windows Defender

Detect Xworm Payload

StormKitty

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-03 17:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 17:33

Reported

2024-05-03 17:35

Platform

win10v2004-20240419-en

Max time kernel

128s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Beta = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Beta.exe" | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2364 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 3208 | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 3208 | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 3208 | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 3560 | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 3560 | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 3560 | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan Beta.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan Beta.exe'

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2364 -ip 2364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 2768

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 lesbian-organ.gl.at.ply.gg udp
US 147.185.221.19:38343 lesbian-organ.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 147.185.221.19:38343 lesbian-organ.gl.at.ply.gg tcp
US 147.185.221.19:38343 lesbian-organ.gl.at.ply.gg tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 49.15.97.104.in-addr.arpa udp
US 147.185.221.19:38343 lesbian-organ.gl.at.ply.gg tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2364-0-0x0000000000140000-0x0000000000558000-memory.dmp

memory/2364-1-0x0000000002C00000-0x0000000002C01000-memory.dmp

memory/2364-2-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

memory/2364-3-0x0000000000140000-0x0000000000558000-memory.dmp

memory/2364-4-0x0000000007E70000-0x0000000007F0C000-memory.dmp

memory/2364-5-0x0000000007F10000-0x0000000007F76000-memory.dmp

memory/2364-6-0x0000000073A80000-0x0000000074230000-memory.dmp

memory/1144-7-0x0000000005060000-0x0000000005096000-memory.dmp

memory/2364-8-0x0000000000140000-0x0000000000558000-memory.dmp

memory/1144-10-0x0000000073A80000-0x0000000074230000-memory.dmp

memory/1144-9-0x0000000005790000-0x0000000005DB8000-memory.dmp

memory/1144-11-0x0000000005510000-0x0000000005532000-memory.dmp

memory/1144-13-0x0000000005F30000-0x0000000005F96000-memory.dmp

memory/1144-12-0x0000000073A80000-0x0000000074230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iui4yjzc.ouo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1144-24-0x0000000073A80000-0x0000000074230000-memory.dmp

memory/1144-23-0x0000000006010000-0x0000000006364000-memory.dmp

memory/1144-25-0x00000000065F0000-0x000000000660E000-memory.dmp

memory/1144-26-0x0000000006620000-0x000000000666C000-memory.dmp

memory/1144-27-0x00000000075C0000-0x00000000075F2000-memory.dmp

memory/1144-28-0x000000006F250000-0x000000006F29C000-memory.dmp

memory/1144-38-0x0000000073A80000-0x0000000074230000-memory.dmp

memory/1144-40-0x0000000006BB0000-0x0000000006BCE000-memory.dmp

memory/1144-39-0x0000000073A80000-0x0000000074230000-memory.dmp

memory/1144-42-0x0000000073A80000-0x0000000074230000-memory.dmp

memory/1144-41-0x0000000007600000-0x00000000076A3000-memory.dmp

memory/1144-44-0x0000000007910000-0x000000000792A000-memory.dmp

memory/1144-43-0x0000000007F60000-0x00000000085DA000-memory.dmp

memory/1144-45-0x0000000007980000-0x000000000798A000-memory.dmp

memory/1144-46-0x0000000007B90000-0x0000000007C26000-memory.dmp

memory/1144-47-0x0000000007B10000-0x0000000007B21000-memory.dmp

memory/1144-48-0x0000000007B40000-0x0000000007B4E000-memory.dmp

memory/1144-49-0x0000000007B50000-0x0000000007B64000-memory.dmp

memory/1144-50-0x0000000007C50000-0x0000000007C6A000-memory.dmp

memory/1144-51-0x0000000007C30000-0x0000000007C38000-memory.dmp

memory/1144-54-0x0000000073A80000-0x0000000074230000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2160-65-0x0000000006410000-0x0000000006764000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7b28b7cad8d1f96972fa01a47051a911
SHA1 a4689865be424109180c43f3aeeaadd43199d1c4
SHA256 ab0968d055f29e24f7a294ea4a650ef73b5bad237ecfed76d3c2f59a0fac1423
SHA512 fb707bb3fa3c5be21e02774985f61aabd38034adf24ed97eb12a746f6e9f253144369c78d0344a5084c6f609657e405f87e8a00e4daeafb9693c589afd0f944f

memory/2160-67-0x000000006F250000-0x000000006F29C000-memory.dmp

memory/2364-77-0x0000000000140000-0x0000000000558000-memory.dmp

memory/3208-88-0x0000000005460000-0x00000000057B4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8eb18d1e42438cdef79ad11fb112a7e1
SHA1 420e59b30486f75d17b648dc51444a716a2e1d82
SHA256 0fbb79721d49d0c92e5b3228b95b0a6f574b424b818d4d08ad82be8dc90513d9
SHA512 2d39c22c1291ec981e4c686dc4cce2e8a73be6203ea38bd8e6fa8b517f2cd703110703e615a49532a89bd7f47480cc3550b70169ce0e8296aeb52e766e2da47e

memory/3208-90-0x000000006F250000-0x000000006F29C000-memory.dmp

memory/2364-100-0x0000000002C00000-0x0000000002C01000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f3faa2aa01099d4d8cc4ce80ca959c76
SHA1 b8e5ee6477b02e51e7f8636765d1e5d56294cadc
SHA256 7e5cc3d45a780ca4dc13c8545c99594048c4c32d521f492def02c5a39ce4d9f4
SHA512 b7e957ded4dc9ced03f0d65ddc2cd6bb6f270fe77db3276b16062ba231f1318ffed2462a2f250cec8f207849a9b4594bd587e096fb664d5076179d81b5280a56

memory/3560-112-0x000000006F250000-0x000000006F29C000-memory.dmp

memory/2364-123-0x000000000A130000-0x000000000A6D4000-memory.dmp

memory/2364-124-0x000000000A6E0000-0x000000000A772000-memory.dmp

memory/2364-125-0x000000000A090000-0x000000000A09A000-memory.dmp

memory/2364-126-0x0000000000140000-0x0000000000558000-memory.dmp

memory/2364-127-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

memory/2364-128-0x0000000000140000-0x0000000000558000-memory.dmp

memory/2364-129-0x0000000073A80000-0x0000000074230000-memory.dmp

memory/2364-130-0x0000000000140000-0x0000000000558000-memory.dmp

memory/2364-131-0x000000000A100000-0x000000000A10C000-memory.dmp

memory/2364-132-0x0000000000140000-0x0000000000558000-memory.dmp

memory/2364-133-0x000000000B160000-0x000000000B16E000-memory.dmp

memory/2364-134-0x0000000000140000-0x0000000000558000-memory.dmp

memory/2364-135-0x0000000000140000-0x0000000000558000-memory.dmp

memory/2364-136-0x0000000000140000-0x0000000000558000-memory.dmp

memory/2364-137-0x0000000002930000-0x000000000296A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp

MD5 c38b245b97fea00a08141af793a76f87
SHA1 c9c5c786f8e8d3c5670ef64f4f3ae35c556bb640
SHA256 b6647006cf5e920db52c66a2028f2492df03c4deceda32fb021ebe4126bfe261
SHA512 6d4a19aff6c2999f2369ae8831a8208aeefcb6fe7620a86bd8343690a155c055d0327ec4b42af3929fd6997ad5ce28d0e7f9a980567b244f3e373409cf2e5d38

memory/2364-143-0x0000000000140000-0x0000000000558000-memory.dmp

memory/2364-144-0x0000000000140000-0x0000000000558000-memory.dmp

memory/2364-145-0x0000000000140000-0x0000000000558000-memory.dmp

memory/2364-146-0x0000000000140000-0x0000000000558000-memory.dmp

memory/2364-147-0x000000000AA00000-0x000000000AB1E000-memory.dmp

memory/2364-148-0x000000000BE00000-0x000000000C154000-memory.dmp

memory/2364-149-0x000000000AB20000-0x000000000AB6C000-memory.dmp