Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-07-2024 03:11
Behavioral task behavioral1
- Sample: PussyKiller.exe
- Resource: win7-20240704-en
Behavioral task behavioral2
- Sample: PussyKiller.exe
- Resource: win10v2004-20240709-en
General
- Target: PussyKiller.exe
- Size: 74KB
- MD5: 7acd7ca811c678a92d62d556cae858dc
- SHA1: b05d0fd47d2d905234db53614f725e3744c93b3e
- SHA256: 736f8b467d09e4805d336c56b49ec183355dc433e04b93904d2e8d5876d5b9de
- SHA512: 24fe70950fc092d9de383f5c80c70bdc4bd5e342b927e2fb495752e0036c3d2eb0547f60467ef5019a686fffd2f8057105d13dd566172f9438ffe4434748166b
- SSDEEP: 1536:rNtW7bvrmSbUMiuidaw6v3ZfXR6/A8Id0FWGV09auvIUxjFxtbm:rzTyXRKA8Iwg9auvIUhFxty
Malware Config
Signatures
- Contains code to disable Windows Defender (2 IoCs)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Processes:
    resource: behavioral2/memory/3208-1-0x0000000000BF0000-0x0000000000C08000-memory.dmp; yara_rule: disable_win_def
    resource: C:\Users\Admin\AppData\Local\NVIDIA Local Drivers\DriversUpdateProcess_x64.exe; yara_rule: disable_win_def
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (2 IoCs)
  Processes:
    resource: behavioral2/memory/3208-1-0x0000000000BF0000-0x0000000000C08000-memory.dmp; yara_rule: family_stormkitty
    resource: C:\Users\Admin\AppData\Local\NVIDIA Local Drivers\DriversUpdateProcess_x64.exe; yara_rule: family_stormkitty
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: PussyKiller.exe
    description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Local Drivers\\DriversUpdateProcess_x64.exe"; process: PussyKiller.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow: 1; ioc: checkip.dyndns.org
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: taskmgr.exe
    description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000; process: taskmgr.exe
    description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A; process: taskmgr.exe
    description: Key value queried; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName; process: taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes: taskmgr.exe
    pid: 1376; process: taskmgr.exe (15 occurrences)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: PussyKiller.exe, taskmgr.exe
    description: Token: SeDebugPrivilege; pid: 3208; process: PussyKiller.exe
    description: Token: SeDebugPrivilege; pid: 1376; process: taskmgr.exe
    description: Token: SeSystemProfilePrivilege; pid: 1376; process: taskmgr.exe
    description: Token: SeCreateGlobalPrivilege; pid: 1376; process: taskmgr.exe
    description: Token: 33; pid: 1376; process: taskmgr.exe
    description: Token: SeIncBasePriorityPrivilege; pid: 1376; process: taskmgr.exe
- Suspicious use of FindShellTrayWindow (41 IoCs)
  Processes: taskmgr.exe
    pid: 1376; process: taskmgr.exe (41 occurrences)
- Suspicious use of SendNotifyMessage (41 IoCs)
  Processes: taskmgr.exe
    pid: 1376; process: taskmgr.exe (41 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\PussyKiller.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\PussyKiller.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\NVIDIA Local Drivers\DriversUpdateProcess_x64.exe
  Filesize: 74KB
  MD5: 7acd7ca811c678a92d62d556cae858dc
  SHA1: b05d0fd47d2d905234db53614f725e3744c93b3e
  SHA256: 736f8b467d09e4805d336c56b49ec183355dc433e04b93904d2e8d5876d5b9de
  SHA512: 24fe70950fc092d9de383f5c80c70bdc4bd5e342b927e2fb495752e0036c3d2eb0547f60467ef5019a686fffd2f8057105d13dd566172f9438ffe4434748166b
- memory/1376-17-0x0000020A62BA0000-0x0000020A62BA1000-memory.dmp
  Filesize: 4KB
- memory/1376-18-0x0000020A62BA0000-0x0000020A62BA1000-memory.dmp
  Filesize: 4KB
- memory/1376-12-0x0000020A62BA0000-0x0000020A62BA1000-memory.dmp
  Filesize: 4KB
- memory/1376-6-0x0000020A62BA0000-0x0000020A62BA1000-memory.dmp
  Filesize: 4KB
- memory/1376-7-0x0000020A62BA0000-0x0000020A62BA1000-memory.dmp
  Filesize: 4KB
- memory/1376-8-0x0000020A62BA0000-0x0000020A62BA1000-memory.dmp
  Filesize: 4KB
- memory/1376-14-0x0000020A62BA0000-0x0000020A62BA1000-memory.dmp
  Filesize: 4KB
- memory/1376-13-0x0000020A62BA0000-0x0000020A62BA1000-memory.dmp
  Filesize: 4KB
- memory/1376-15-0x0000020A62BA0000-0x0000020A62BA1000-memory.dmp
  Filesize: 4KB
- memory/1376-16-0x0000020A62BA0000-0x0000020A62BA1000-memory.dmp
  Filesize: 4KB
- memory/3208-1-0x0000000000BF0000-0x0000000000C08000-memory.dmp
  Filesize: 96KB
- memory/3208-2-0x00007FF8E66B0000-0x00007FF8E7171000-memory.dmp
  Filesize: 10.8MB
- memory/3208-5-0x00007FF8E66B0000-0x00007FF8E7171000-memory.dmp
  Filesize: 10.8MB
- memory/3208-0-0x00007FF8E66B3000-0x00007FF8E66B5000-memory.dmp
  Filesize: 8KB