Analysis
- max time kernel: 145s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-06-2024 13:22
Behavioral task: behavioral1
- Sample: kittys.exe
- Resource: win7-20240221-en
General
- Target: kittys.exe
- Size: 671KB
- MD5: 941eca130a778ffce73956131c874bd1
- SHA1: 3ef17bcccab78161a0a0b6232e95fa26230c384a
- SHA256: 219d74704d5161e7885512a94bf8c8d01561e1314619147be5daecc6c12f0f3c
- SHA512: 1ee8722506771b03accc17da06593b2524ceb883409a5a70c0d1d9728727ac5a74f0819e0f2e3ff45e7c449edbbd1a20006e3d8e76d5be638bca45c77ad9f652
- SSDEEP: 12288:HLV6BtpmkESwAJ8VAMj6Uf5DwfzcEu54gIdlsI14/uMhrj6zTP3yF2BdY:rApfESwy8V665DwfzcEu54Vn1S3VsL3U
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe" | kittys.exe
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kittys.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | kittys.exe
  File opened for modification | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | kittys.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid | process
  2752 | schtasks.exe
  3308 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid | process
  3580 | kittys.exe (6 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid | process
  3580 | kittys.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3580 | kittys.exe
  Token: SeDebugPrivilege | 3580 | kittys.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 3580 wrote to memory of 2752 | 3580 | kittys.exe | schtasks.exe (3 identical entries)
  PID 3580 wrote to memory of 3308 | 3580 | kittys.exe | schtasks.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\kittys.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\kittys.exe"
  PID: 3580
  Signatures:
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFD9A.tmp"
    PID: 2752
    Signatures:
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFF31.tmp"
    PID: 3308
    Signatures:
    - Scheduled Task/Job: Scheduled Task
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
  PID: 4252
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpFD9A.tmp
  Filesize: 1KB
  MD5: 2ca7f7b3b2a84ff70a4c8e0db6ef6662
  SHA1: 2e7c298ee0ba72b119b691fc071beab10925b3e5
  SHA256: 83f3136dce0c0baa7a52658944206cc4ba7d5efa84038452bff64bbd46023598
  SHA512: c9f7910f2c720abf833888097982f5834dbb8524039dbaa3145b4fa36db0d11fe1f1dbfbf20def88536523349e94d47dc2c6e5ccf2ed906930a3f8294f983f50
- C:\Users\Admin\AppData\Local\Temp\tmpFF31.tmp
  Filesize: 1KB
  MD5: 0339b45ef206f4becc88be0d65e24b9e
  SHA1: 6503a1851f4ccd8c80a31f96bd7ae40d962c9fad
  SHA256: 3d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83
  SHA512: c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551
- memory/3580-0-0x00000000746D2000-0x00000000746D3000-memory.dmp
  Filesize: 4KB
- memory/3580-1-0x00000000746D0000-0x0000000074C81000-memory.dmp
  Filesize: 5.7MB
- memory/3580-2-0x00000000746D0000-0x0000000074C81000-memory.dmp
  Filesize: 5.7MB
- memory/3580-10-0x00000000746D0000-0x0000000074C81000-memory.dmp
  Filesize: 5.7MB
- memory/3580-11-0x00000000746D2000-0x00000000746D3000-memory.dmp
  Filesize: 4KB
- memory/3580-12-0x00000000746D0000-0x0000000074C81000-memory.dmp
  Filesize: 5.7MB
- memory/3580-13-0x00000000746D0000-0x0000000074C81000-memory.dmp
  Filesize: 5.7MB
- memory/3580-14-0x00000000746D0000-0x0000000074C81000-memory.dmp
  Filesize: 5.7MB