Malware Analysis Report

2024-09-23 03:21

Sample ID 240705-ck2tdssdmg
Target Hybris Cheats 2.0.exe
SHA256 c694da935086f4ca6eab6310aa7f1c3e3a598c29d30c32efcf4a40083f1fb0cd
Tags
stormkitty persistence privilege_escalation spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

c694da935086f4ca6eab6310aa7f1c3e3a598c29d30c32efcf4a40083f1fb0cd

Threat Level: Known bad

The file Hybris Cheats 2.0.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty persistence privilege_escalation spyware stealer

StormKitty payload

Stormkitty family

StormKitty

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-05 02:08

Signatures

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

stormkitty

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 02:08

Reported

2024-07-05 02:10

Platform

win10v2004-20240704-en

Max time kernel

4s

Max time network

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3604 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3604 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2128 wrote to memory of 4148 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 2128 wrote to memory of 4148 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 2128 wrote to memory of 2540 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2128 wrote to memory of 2540 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2128 wrote to memory of 2984 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2128 wrote to memory of 2984 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe
PID 3604 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3604 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1540 wrote to memory of 2484 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 1540 wrote to memory of 2484 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 1540 wrote to memory of 1524 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1540 wrote to memory of 1524 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1540 wrote to memory of 5080 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe
PID 1540 wrote to memory of 5080 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe

Processes

Process path followed by its command line:

C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe
  "C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe"

C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\netsh.exe
  netsh wlan show profile

C:\Windows\system32\findstr.exe
  findstr All

C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\netsh.exe
  netsh wlan show profile name=65001 key=clear

C:\Windows\system32\findstr.exe
  findstr Key

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | discord.com | udp
US | 162.159.138.232:443 | discord.com | tcp
US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | www.toptal.com | udp
US | 104.18.29.213:443 | www.toptal.com | tcp
US | 162.159.138.232:443 | discord.com | tcp
US | 8.8.8.8:53 | 213.29.18.104.in-addr.arpa | udp
US | 8.8.8.8:53 | (no domain recorded) | udp
N/A | 193.122.6.168:80 | (no domain recorded) | tcp

Files

memory/3604-0-0x0000000000EC0000-0x00000000010EA000-memory.dmp
memory/3604-1-0x00007FFA74263000-0x00007FFA74265000-memory.dmp
memory/3604-2-0x0000000001910000-0x000000000191A000-memory.dmp
memory/3604-3-0x0000000003330000-0x000000000334A000-memory.dmp
memory/3604-4-0x00007FFA74260000-0x00007FFA74D21000-memory.dmp
memory/3604-8-0x000000001C360000-0x000000001C386000-memory.dmp
memory/3604-7-0x000000001D360000-0x000000001D3D6000-memory.dmp
memory/3604-9-0x000000001CAF0000-0x000000001CB80000-memory.dmp