Malware Analysis Report

2024-09-23 02:22

Sample ID 240619-qvnw6s1ena
Target Project Al Ain (Hilli & Al Fou’ah) Parks.vbe
SHA256 6513f2777a217402f9fa6196dacc31c948dfdde0680ccba57879b1c8d2cd11f8
Tags
stormkitty xworm rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6513f2777a217402f9fa6196dacc31c948dfdde0680ccba57879b1c8d2cd11f8

Threat Level: Known bad

The file Project Al Ain (Hilli & Al Fou’ah) Parks.vbe was found to be: Known bad.

Malicious Activity Summary

stormkitty xworm rat stealer trojan

StormKitty

Detect Xworm Payload

Xworm

StormKitty payload

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 13:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 13:35

Reported

2024-06-19 13:37

Platform

win7-20240508-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Project Al Ain (Hilli & Al Fou’ah) Parks.vbe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1704 set thread context of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2796 wrote to memory of 1704 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\x.exe
PID 2796 wrote to memory of 1704 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\x.exe
PID 2796 wrote to memory of 1704 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\x.exe
PID 2796 wrote to memory of 1704 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\x.exe
PID 1704 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 1704 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 1704 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 1704 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 1704 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 1704 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 1704 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 1704 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 1704 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Project Al Ain (Hilli & Al Fou’ah) Parks.vbe"

C:\Users\Admin\AppData\Local\Temp\x.exe

"C:\Users\Admin\AppData\Local\Temp\x.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

Network

Country | Destination | Domain | Proto
DE | 193.161.193.99:22849 | (none) | tcp

Files

C:\Users\Admin\AppData\Local\Temp\x.exe

MD5 457eb489d5963eaeaae9c822dccaa34e
SHA1 c29da6a29955ea363d2084cf374ad35e225dea28
SHA256 8af889d616db6a411b4cbb7729acd8d2e64b96841e44e9dd9760302f5c1e878f
SHA512 f5dc88d6a8efd33fc280945a39f64055de251b902396ea2ee3b92c26695666147c1cd4136af68fe7bdc20300cd2d17ceea535617f9f398774d76fa9ab7ad957d

memory/1704-6-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

memory/1704-7-0x0000000001340000-0x000000000137A000-memory.dmp

memory/1696-8-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1696-13-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1696-10-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1696-15-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1696-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1696-19-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1696-17-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1696-12-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1696-20-0x000000007473E000-0x000000007473F000-memory.dmp

memory/1696-21-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/1696-22-0x0000000006580000-0x000000000669E000-memory.dmp

memory/1696-46-0x000000007473E000-0x000000007473F000-memory.dmp

memory/1696-47-0x0000000074730000-0x0000000074E1E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 13:35

Reported

2024-06-19 13:37

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Project Al Ain (Hilli & Al Fou’ah) Parks.vbe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3428 set thread context of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Project Al Ain (Hilli & Al Fou’ah) Parks.vbe"

C:\Users\Admin\AppData\Local\Temp\x.exe

"C:\Users\Admin\AppData\Local\Temp\x.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2108 -ip 2108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2596 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
GB | 96.16.110.114:80 | (none) | tcp
DE | 193.161.193.99:22849 | (none) | tcp
US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
GB | 142.250.187.202:443 | (none) | tcp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp
NL | 52.142.223.178:80 | (none) | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\x.exe

MD5 457eb489d5963eaeaae9c822dccaa34e
SHA1 c29da6a29955ea363d2084cf374ad35e225dea28
SHA256 8af889d616db6a411b4cbb7729acd8d2e64b96841e44e9dd9760302f5c1e878f
SHA512 f5dc88d6a8efd33fc280945a39f64055de251b902396ea2ee3b92c26695666147c1cd4136af68fe7bdc20300cd2d17ceea535617f9f398774d76fa9ab7ad957d

memory/3428-11-0x000000007531E000-0x000000007531F000-memory.dmp

memory/3428-12-0x0000000000310000-0x000000000034A000-memory.dmp

memory/2108-13-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2108-15-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/2108-16-0x0000000005720000-0x00000000057BC000-memory.dmp

memory/2108-17-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/2108-18-0x0000000005E10000-0x0000000005E76000-memory.dmp

memory/2108-19-0x0000000006920000-0x00000000069B2000-memory.dmp

memory/2108-20-0x0000000006F70000-0x0000000007514000-memory.dmp

memory/2108-21-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/2108-22-0x0000000006DF0000-0x0000000006F0E000-memory.dmp

memory/2108-23-0x0000000007520000-0x0000000007874000-memory.dmp

memory/2108-24-0x0000000007D40000-0x0000000007D8C000-memory.dmp

memory/2108-60-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/2108-61-0x0000000075310000-0x0000000075AC0000-memory.dmp