Overview

overview

10

Static

static

10

-.exe

windows7-x64

10

-.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    09-08-2024 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    -.exe

  • Size

    310KB

  • MD5

    4c7c52e95b8c9c16cb9e79e477147ea9

  • SHA1

    05c27eb4f35f04a463d6d7a24bc01b932086a472

  • SHA256

    b139b5f0a9d2144720c249bd412b68cada81c96b03a6ecf6a64a9f5f1bca7395

  • SHA512

    9ef5449a778419b636adcce125ca89dbf5fd08b03ab260653da474ab4ddd1b547fb3df457c6c1abb14214aa41b4331ec2a648b5e702b598a0f3c2e711bbed951

  • SSDEEP

    6144:jeDD/pKSXx9AtjU6azN6dBVZXPTWziYkbylTXqVlN:jePhhzAtVazNKBvfOSOqX

Score
10/10
stormkittystealer

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 3 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\-.exe
    "C:\Users\Admin\AppData\Local\Temp\-.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3CD6.tmp.bat
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1284
        • C:\Windows\system32\taskkill.exe
          TaskKill /F /IM 2840
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2416
        • C:\Windows\system32\timeout.exe
          Timeout /T 2 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:540

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab9C9F.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar9CB2.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp3CD6.tmp.bat
      Filesize

      230B

      MD5

      45252167e6d71d406e28ed71ae8ccb41

      SHA1

      c26a6a70e1e5e2dfdf719c8ecc7884d40eacd931

      SHA256

      52fefaaab9e200e249eb5d27fb50061b3f8fe6794324ca3e786e1dd848d5f4d3

      SHA512

      146f3aca52e5d560264ff99292098d597666e78b511e6d65041ecbd263a1a8521334afb259f168a87b200b980023cc56128c2831e1446e9e6e116731a3378883

      Download Submit

    • \Users\Admin\AppData\Local\Temp\-.exe
      Filesize

      310KB

      MD5

      4c7c52e95b8c9c16cb9e79e477147ea9

      SHA1

      05c27eb4f35f04a463d6d7a24bc01b932086a472

      SHA256

      b139b5f0a9d2144720c249bd412b68cada81c96b03a6ecf6a64a9f5f1bca7395

      SHA512

      9ef5449a778419b636adcce125ca89dbf5fd08b03ab260653da474ab4ddd1b547fb3df457c6c1abb14214aa41b4331ec2a648b5e702b598a0f3c2e711bbed951

      Download Submit

    • memory/2840-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2840-1-0x000000013F170000-0x000000013F1C0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2840-2-0x0000000002240000-0x00000000022B4000-memory.dmp

      Filesize

      464KB

      Download

    • memory/2840-3-0x0000000000740000-0x0000000000746000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2840-4-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2840-171-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2840-175-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2840-179-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

      Filesize

      9.9MB

      Download