Analysis

  • max time kernel
    56s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-08-2024 09:31

General

  • Target

    -.exe

  • Size

    310KB

  • MD5

    4c7c52e95b8c9c16cb9e79e477147ea9

  • SHA1

    05c27eb4f35f04a463d6d7a24bc01b932086a472

  • SHA256

    b139b5f0a9d2144720c249bd412b68cada81c96b03a6ecf6a64a9f5f1bca7395

  • SHA512

    9ef5449a778419b636adcce125ca89dbf5fd08b03ab260653da474ab4ddd1b547fb3df457c6c1abb14214aa41b4331ec2a648b5e702b598a0f3c2e711bbed951

  • SSDEEP

    6144:jeDD/pKSXx9AtjU6azN6dBVZXPTWziYkbylTXqVlN:jePhhzAtVazNKBvfOSOqX

Score
10/10

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\-.exe
    "C:\Users\Admin\AppData\Local\Temp\-.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5520.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:4564
      • C:\Windows\system32\taskkill.exe
        TaskKill /F /IM 1944
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4004
      • C:\Windows\system32\timeout.exe
        Timeout /T 2 /Nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2228

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp5520.tmp.bat

      Filesize

      230B

      MD5

      caa80a0b8a8b8c0e30f21c6bcafd470d

      SHA1

      6de98c12bc58fb233f0c57ff50d9183b232380d0

      SHA256

      830f0658e367ddbaf802d14d7ee9d118bd06ea5539a9c7f6b3e0cf9c81e42b35

      SHA512

      3246c7a1006b4bfb7aacd115511d06c5bf886791ed9fec5ae2ce4f1af40c3f3978de43d527f0ddfb7e3dc4cd4db8a183d4dec03df46960864820ecdfd9a21c7d

    • memory/1944-0-0x00007FFE06703000-0x00007FFE06705000-memory.dmp

      Filesize

      8KB

    • memory/1944-1-0x0000000000810000-0x0000000000860000-memory.dmp

      Filesize

      320KB

    • memory/1944-2-0x00000000015F0000-0x0000000001664000-memory.dmp

      Filesize

      464KB

    • memory/1944-3-0x0000000001660000-0x0000000001666000-memory.dmp

      Filesize

      24KB

    • memory/1944-4-0x00007FFE06700000-0x00007FFE071C1000-memory.dmp

      Filesize

      10.8MB

    • memory/1944-12-0x00007FFE06703000-0x00007FFE06705000-memory.dmp

      Filesize

      8KB

    • memory/1944-13-0x00007FFE06700000-0x00007FFE071C1000-memory.dmp

      Filesize

      10.8MB

    • memory/1944-17-0x00007FFE06700000-0x00007FFE071C1000-memory.dmp

      Filesize

      10.8MB