Malware Analysis Report

2024-09-23 02:08

Sample ID 240626-nr9y5ashpd
Target asd.exe
SHA256 6a2760539d3854cb625c1944d38db86bad833e25d7aa5ae737c706aa6902d46c
Tags
stormkitty stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a2760539d3854cb625c1944d38db86bad833e25d7aa5ae737c706aa6902d46c

Threat Level: Known bad

The file asd.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty stealer

StormKitty payload

StormKitty

Stormkitty family

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-26 11:39

Signatures

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

Tags: stormkitty

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 11:39

Reported

2024-06-26 11:39

Platform

win10v2004-20240508-en

Max time kernel

30s

Max time network

22s

Command Line

"C:\Users\Admin\AppData\Local\Temp\asd.exe"

Signatures

StormKitty

Tags: stealer, stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\asd.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Kills process with taskkill

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\asd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3776 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\asd.exe | C:\Windows\System32\cmd.exe
PID 3776 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\asd.exe | C:\Windows\System32\cmd.exe
PID 1708 wrote to memory of 4876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 1708 wrote to memory of 4876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 1708 wrote to memory of 2432 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1708 wrote to memory of 2432 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1708 wrote to memory of 2896 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe
PID 1708 wrote to memory of 2896 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\asd.exe

"C:\Users\Admin\AppData\Local\Temp\asd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAA0B.tmp.bat

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\taskkill.exe

TaskKill /F /IM 3776

C:\Windows\system32\timeout.exe

Timeout /T 2 /Nobreak

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.110.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp
US | 8.8.8.8:53 | N/A | udp
N/A | 40.68.123.157:443 | N/A | tcp

Files

memory/3776-0-0x00007FFEEE1A3000-0x00007FFEEE1A5000-memory.dmp

memory/3776-1-0x0000000000FD0000-0x0000000001030000-memory.dmp

memory/3776-2-0x000000001BC50000-0x000000001BCD6000-memory.dmp

memory/3776-3-0x0000000003080000-0x0000000003086000-memory.dmp

memory/3776-4-0x00007FFEEE1A0000-0x00007FFEEEC61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAA0B.tmp.bat

MD5 ce79c73f9774c69c477bbeb7b28b1a69
SHA1 edc364f2ec1605dbe0db557a900eb450e5e9a4cc
SHA256 0680a3e87883522c042f2895aad11712883fed4b8835ef8eacb28a89790c3148
SHA512 b0d9abca9027d83c5a9981af53a61d389c140b1048744873857bb6a9497e4443bcb2d44ff9f9e4f273a39044bfa0c8f67924504ff0e9138b329b985db398c200

memory/3776-7-0x00007FFEEE1A0000-0x00007FFEEEC61000-memory.dmp