Analysis Overview
SHA256
6a2760539d3854cb625c1944d38db86bad833e25d7aa5ae737c706aa6902d46c
Threat Level: Known bad
The file asd.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
StormKitty
Stormkitty family
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-26 11:39
Signatures
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 11:39
Reported
2024-06-26 11:39
Platform
win10v2004-20240508-en
Max time kernel
30s
Max time network
22s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\asd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\asd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3776 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\asd.exe | C:\Windows\System32\cmd.exe |
| PID 3776 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\asd.exe | C:\Windows\System32\cmd.exe |
| PID 1708 wrote to memory of 4876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 1708 wrote to memory of 4876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 1708 wrote to memory of 2432 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 1708 wrote to memory of 2432 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 1708 wrote to memory of 2896 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 1708 wrote to memory of 2896 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\asd.exe | "C:\Users\Admin\AppData\Local\Temp\asd.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAA0B.tmp.bat |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\taskkill.exe | TaskKill /F /IM 3776 |
| C:\Windows\system32\timeout.exe | Timeout /T 2 /Nobreak |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 40.68.123.157:443 | N/A | tcp |
Files
memory/3776-0-0x00007FFEEE1A3000-0x00007FFEEE1A5000-memory.dmp
memory/3776-1-0x0000000000FD0000-0x0000000001030000-memory.dmp
memory/3776-2-0x000000001BC50000-0x000000001BCD6000-memory.dmp
memory/3776-3-0x0000000003080000-0x0000000003086000-memory.dmp
memory/3776-4-0x00007FFEEE1A0000-0x00007FFEEEC61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAA0B.tmp.bat
| MD5 | ce79c73f9774c69c477bbeb7b28b1a69 |
| SHA1 | edc364f2ec1605dbe0db557a900eb450e5e9a4cc |
| SHA256 | 0680a3e87883522c042f2895aad11712883fed4b8835ef8eacb28a89790c3148 |
| SHA512 | b0d9abca9027d83c5a9981af53a61d389c140b1048744873857bb6a9497e4443bcb2d44ff9f9e4f273a39044bfa0c8f67924504ff0e9138b329b985db398c200 |
memory/3776-7-0x00007FFEEE1A0000-0x00007FFEEEC61000-memory.dmp