stormkitty | 6c3d0aec1057e3783db453fb638ad9dd3cb72051326e09b4396921b1b85074c2

Analysis

max time kernel
29s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc.exe
Size

323KB
MD5

eeec1c5bad5802d01834153e7df20a96
SHA1

c35f1072cab375b246d254a475b4ee617cdfedcf
SHA256

903c15b544940978f54c8add35edb4dfac62f4da00e0afe5b9979834cc9ad469
SHA512

6daac35e6428b4cf3c6758e5b45453fb5a201b831ca3d5a52c83032e8363655e0b043c3d2b8a527393ba948139f13fb4d749a0fd0ce79ce4d0ad780313c189dc
SSDEEP

6144:bR/N1Q5Ng+8j/svwt+IsOU9UzoprcBOJ+X:bR/N6r8j/svw1U9XuB

Score

10^/10

stormkitty collection credential_access discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral7/memory/4712-1-0x0000000000D00000-0x0000000000D56000-memory.dmp	family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cc.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cc.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cc.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File created	C:\ProgramData\OARDHGDN\FileGrabber\Pictures\Camera Roll\desktop.ini	cc.exe
File created	C:\ProgramData\OARDHGDN\FileGrabber\Documents\desktop.ini	cc.exe
File created	C:\ProgramData\OARDHGDN\FileGrabber\Downloads\desktop.ini	cc.exe
File created	C:\ProgramData\OARDHGDN\FileGrabber\Pictures\desktop.ini	cc.exe
File created	C:\ProgramData\OARDHGDN\FileGrabber\Pictures\Saved Pictures\desktop.ini	cc.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	api.ipify.org
50	ip-api.com
6	freegeoip.app
9	freegeoip.app
48	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	cc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	cc.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe
4712	cc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4712	cc.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cc.exe

C:\Users\Admin\AppData\Local\Temp\cc.exe
"C:\Users\Admin\AppData\Local\Temp\cc.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OARDHGDN\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Desktop\ApproveLimit.txt

Filesize
1.7MB

MD5
55c269f00d495ef8c62793b10ae5da79

SHA1
0cd70cde1cf03ec6f26ceb5c19d64e31735b320b

SHA256
15fb06fbbfeed7dd13dd3d8d5d988c4f7544bc794c55bc1e3c6975cbb7ebdf92

SHA512
3fe8c5859b5c2ec90a34a2a6b4bcaa132160118f1eb35dba5af0410dcf9fefce7b4b9b57527417c5856ede7571144f88ac945332589948184c94d4c4e9bfbc05

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Documents\BackupApprove.doc

Filesize
810KB

MD5
cd34a1596e6852627e0e1722ed53d8af

SHA1
18dffcdcd61e1bc3005efe125498d83516ebfe8c

SHA256
dc9a54bdd20d31f45c7475537f6c45139e76e5d7f56031e09c3d2e93066a049c

SHA512
3e0a42a6201e8752f0e18a3d05249488817e9a8fce6ed3b7ab769bf06eb1d1034654648ff1665438b2711651b103275b7e8b055ed3341bace7d44721c784db40

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Downloads\ProtectSync.svg

Filesize
581KB

MD5
17b5bf8ba4cbf96b66362776822e74d8

SHA1
e2da94878cc9f1b62ad093cf621feb05883101a1

SHA256
5b00050d874e372c7299e5c2d66cec2a9a84c19600f666fe35a60d839fc9e92b

SHA512
a2def2529ca4bc668af2c09f6672d0dcd12eb84911572219e3692e90625311e6c370f82b393c983cee8870fc5917ef67ed5ec44da6d7fb44a542104cf7da1753

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Downloads\PublishUse.js

Filesize
354KB

MD5
1e8a98f70b673163970cd0bdfb295622

SHA1
8e13eb45e46b9f8fc7e454f87ec85b5608a8516d

SHA256
9aa21d1d7e92ccddd8906fc3ef829642ac456e2e9f886b54ae54e1e88f126bb7

SHA512
1b56b017e52e42f65ee850cc7ddccb9af023aefc1e693a02546bb8c1caa87b43886ca90b5424542c6ca1ee0e7d40f4540faf0422d7bcc387eefa669cecc58723

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Downloads\RedoUpdate.txt

Filesize
411KB

MD5
76ec729eb36005574d7ac49ac83bdde8

SHA1
e57d43a46dcdcee76bb462f3e38bc0e038d945eb

SHA256
e899d263ca791a911d9f8caef0433ec2310c5e1fa7a807a0c98619e1a7304ac1

SHA512
800a6ad9fc7f00b301de00d132de2091da3d0d10f92de1284f7ebea2af788ffe26b6660728ee3049146a14c2158cea04329e907ad30e403310d2bee8dc4b0afe

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Downloads\UnpublishTrace.css

Filesize
496KB

MD5
42a65c0528defb56f4b9e97ab2567769

SHA1
f37214caa83e07cebf3f2418773668b8654a2184

SHA256
6f7e3582075cdf27fe7b9dabf8168b51e58b87c89c5edf71f321ae2e33424d0b

SHA512
683a513baf1d06502f510a7aaedc36d40564d1f39c7622b0859ace36153be496cbb8c245f42318b145ea300e9351798f320ff57e0dca36f3399b7204e816196b

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Pictures\LimitStep.jpg

Filesize
203KB

MD5
97067a8e35f426bb62e96d8f3685df16

SHA1
53b693fc831f89d36d0dc00b1178cb9bf0bf281b

SHA256
1cc3dd5b6a152aa9475f979d70bcd31c9569b255224eab1626fa3b5dec43c20b

SHA512
60e8094fa5b4d7ad8ed4ddbfee843ef01c7518f8e0e40c23eb1af8910a2a2d6664e9eac424ed9e47ea0854a85fe137a0dcd6d011cd1b3c593a0ce2a25f972991

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Pictures\PublishLimit.bmp

Filesize
190KB

MD5
1a09cf3a6043ca4a4791c75689005324

SHA1
233e13727aa943dc28ab051951c1f53ea77c2981

SHA256
943e8ef839652a3b4bc35f971cff2159a3833e0eedab4bddf67302f4690973da

SHA512
91fdbeb4286bf192cefc18f590c8ffa7456d9642241c33774900c837f3bcb34b8fab68c0b7320a10f67dc8d65bc4cdf2c3a400a06655d86000e7cf3ee3850738

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Pictures\SwitchFormat.bmp

Filesize
330KB

MD5
55ef7ed4f61758991d9391927dcca1ec

SHA1
46f6f4c0dc2ee30f8922844bac9480e04cc4965e

SHA256
43a3d6b9469db88459a3461ac895c1d1c3706e9360976b3b8b82c11a119809e7

SHA512
ab6b97956c5e6cf02e3643678753cf84ed512e3ec8b1d1909c3eba707fc7c86802cbad0c5f34163638f72774658ba9a7a05ae2a25ec53ecf412be0c690ed9d04

Download Submit
C:\ProgramData\OARDHGDN\Process.txt

Filesize
4KB

MD5
fd6d94e81317a7c10438510963c36048

SHA1
00e0988ad785fe324027fb69f6feaa142fb4e0b6

SHA256
ccc206f701c7e791be3542aed31d12c1b4f1ee4b69b43a6d1c2ff8b37903b891

SHA512
6cac86d028920d36ec8e415b0249083983f0f8518688f6a7f2be2f93e934f70074aea587f984e9ba455e6d4ad15b9178bed4e5d27d6ac0c979e6b392da27235d

Download Submit
memory/4712-62-0x0000000005D10000-0x0000000005DA2000-memory.dmp

Filesize
584KB

Download
memory/4712-0-0x000000007478E000-0x000000007478F000-memory.dmp

Filesize
4KB

Download
memory/4712-1-0x0000000000D00000-0x0000000000D56000-memory.dmp

Filesize
344KB

Download
memory/4712-7-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/4712-63-0x0000000006F30000-0x00000000074D4000-memory.dmp

Filesize
5.6MB

Download
memory/4712-68-0x0000000006DD0000-0x0000000006E36000-memory.dmp

Filesize
408KB

Download
memory/4712-245-0x000000007478E000-0x000000007478F000-memory.dmp

Filesize
4KB

Download
memory/4712-246-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download