Analysis Overview
SHA256
c694da935086f4ca6eab6310aa7f1c3e3a598c29d30c32efcf4a40083f1fb0cd
Threat Level: Known bad
The file Hybris Cheats 2.0.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
Stormkitty family
StormKitty
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-05 02:08
Signatures
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-05 02:08
Reported
2024-07-05 02:10
Platform
win10v2004-20240704-en
Max time kernel
4s
Max time network
12s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\Hybris Cheats 2.0.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.toptal.com | udp |
| US | 104.18.29.213:443 | www.toptal.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 213.29.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| N/A | 193.122.6.168:80 | tcp |
Files
memory/3604-0-0x0000000000EC0000-0x00000000010EA000-memory.dmp
memory/3604-1-0x00007FFA74263000-0x00007FFA74265000-memory.dmp
memory/3604-2-0x0000000001910000-0x000000000191A000-memory.dmp
memory/3604-3-0x0000000003330000-0x000000000334A000-memory.dmp
memory/3604-4-0x00007FFA74260000-0x00007FFA74D21000-memory.dmp
memory/3604-8-0x000000001C360000-0x000000001C386000-memory.dmp
memory/3604-7-0x000000001D360000-0x000000001D3D6000-memory.dmp
memory/3604-9-0x000000001CAF0000-0x000000001CB80000-memory.dmp