stormkitty | 736f8b467d09e4805d336c56b49ec183355dc433e04b93904d2e8d5876d5b9de

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7acd7ca811c678a92d62d556cae858dc.exe
Size

74KB
MD5

7acd7ca811c678a92d62d556cae858dc
SHA1

b05d0fd47d2d905234db53614f725e3744c93b3e
SHA256

736f8b467d09e4805d336c56b49ec183355dc433e04b93904d2e8d5876d5b9de
SHA512

24fe70950fc092d9de383f5c80c70bdc4bd5e342b927e2fb495752e0036c3d2eb0547f60467ef5019a686fffd2f8057105d13dd566172f9438ffe4434748166b
SSDEEP

1536:rNtW7bvrmSbUMiuidaw6v3ZfXR6/A8Id0FWGV09auvIUxjFxtbm:rzTyXRKA8Iwg9auvIUhFxty

Score

10^/10

stormkitty persistence stealer

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/3656-1-0x00000000006D0000-0x00000000006E8000-memory.dmp	disable_win_def

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3656-1-0x00000000006D0000-0x00000000006E8000-memory.dmp	family_stormkitty

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7acd7ca811c678a92d62d556cae858dc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Local Drivers\\DriversUpdateProcess_x64.exe"	7acd7ca811c678a92d62d556cae858dc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 checkip.dyndns.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7acd7ca811c678a92d62d556cae858dc.exe

description pid process

Token: SeDebugPrivilege 3656 7acd7ca811c678a92d62d556cae858dc.exe

flow	ioc
1	checkip.dyndns.org

description	pid	process
Token: SeDebugPrivilege	3656	7acd7ca811c678a92d62d556cae858dc.exe

C:\Users\Admin\AppData\Local\Temp\7acd7ca811c678a92d62d556cae858dc.exe
"C:\Users\Admin\AppData\Local\Temp\7acd7ca811c678a92d62d556cae858dc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3656-0-0x00007FFAA9D23000-0x00007FFAA9D25000-memory.dmp

Filesize
8KB

Download
memory/3656-1-0x00000000006D0000-0x00000000006E8000-memory.dmp

Filesize
96KB

Download
memory/3656-2-0x00007FFAA9D20000-0x00007FFAAA7E1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-5-0x00007FFAA9D20000-0x00007FFAAA7E1000-memory.dmp

Filesize
10.8MB

Download