Analysis Overview
SHA256
ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58
Threat Level: Known bad
The file ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58 was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
Stormkitty family
StormKitty
Reads user/profile data of web browsers
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-02 01:10
Signatures
StormKitty payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-02 01:10
Reported
2024-07-02 01:12
Platform
win7-20231129-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe
"C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| NL | 104.97.14.210:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
Files
C:\Users\Admin\AppData\Local\4e4194bf792b11fcee1c8b62e46231db\Admin@SCFGBRBT_en-US\System\Process.txt
C:\Users\Admin\AppData\Local\4e4194bf792b11fcee1c8b62e46231db\Admin@SCFGBRBT_en-US\Browsers\Firefox\Bookmarks.txt
C:\Users\Admin\AppData\Local\4e4194bf792b11fcee1c8b62e46231db\Admin@SCFGBRBT_en-US\System\Apps.txt
C:\Users\Admin\AppData\Local\Temp\StormKitty-Latest.log
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-02 01:10
Reported
2024-07-02 01:12
Platform
win10v2004-20240611-en
Max time kernel
136s
Max time network
127s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe
"C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| DE | 152.199.19.74:80 | evcs-ocsp.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\ccaf68d1870cca323ba1986e7d71e9a5\Admin@PKVHMXKI_en-US\Browsers\Firefox\Bookmarks.txt
C:\Users\Admin\AppData\Local\ccaf68d1870cca323ba1986e7d71e9a5\Admin@PKVHMXKI_en-US\System\Process.txt
C:\Users\Admin\AppData\Local\ccaf68d1870cca323ba1986e7d71e9a5\Admin@PKVHMXKI_en-US\System\Apps.txt
C:\Users\Admin\AppData\Local\Temp\StormKitty-Latest.log