stormkitty | 4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11-08-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe
Size

1.4MB
MD5

1a84efb5eddb4512bdc7c5b140c18c2f
SHA1

af26fc2e98a165001b44fd1dae892ed064067966
SHA256

4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52
SHA512

fe36b07006169578644fd4870b801cbdb6714065c6302c371792977eb916d3ec8b85c7982686a84a744b17f1bef2d2a90d74ba439e686e49ab6ca4340f6a15e2
SSDEEP

24576:1/i5WzE1ChTAwoBMNwx4DSSpuTbFwFJ5oOFAoag1HX:VJswoBMstlbFwF5DaQ

Score

10^/10

stormkitty discovery stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/664-35-0x0000000000B40000-0x0000000000BD8000-memory.dmp	family_stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1432 created 3312	1432	Jonathan.pif	53

Executes dropped EXE 2 IoCs

pid	Process
1432	Jonathan.pif
664	RegAsm.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2032	tasklist.exe
2760	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GuestbookServices	4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe
File opened for modification	C:\Windows\ContentsCurrently	4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe
File opened for modification	C:\Windows\BlinkCommitments	4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe
File opened for modification	C:\Windows\SkyAwards	4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe
File opened for modification	C:\Windows\TotalRefuse	4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe
File opened for modification	C:\Windows\StandAnime	4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jonathan.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1432	Jonathan.pif
1432	Jonathan.pif
1432	Jonathan.pif
1432	Jonathan.pif
1432	Jonathan.pif
1432	Jonathan.pif
1432	Jonathan.pif
1432	Jonathan.pif
1432	Jonathan.pif
1432	Jonathan.pif
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe
664	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	tasklist.exe
Token: SeDebugPrivilege	2760	tasklist.exe
Token: SeDebugPrivilege	664	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1432	Jonathan.pif
1432	Jonathan.pif
1432	Jonathan.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1432	Jonathan.pif
1432	Jonathan.pif
1432	Jonathan.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
664	RegAsm.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 732	396	4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe	82
PID 396 wrote to memory of 732	396	4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe	82
PID 396 wrote to memory of 732	396	4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe	82
PID 732 wrote to memory of 2032	732	cmd.exe	84
PID 732 wrote to memory of 2032	732	cmd.exe	84
PID 732 wrote to memory of 2032	732	cmd.exe	84
PID 732 wrote to memory of 4772	732	cmd.exe	85
PID 732 wrote to memory of 4772	732	cmd.exe	85
PID 732 wrote to memory of 4772	732	cmd.exe	85
PID 732 wrote to memory of 2760	732	cmd.exe	87
PID 732 wrote to memory of 2760	732	cmd.exe	87
PID 732 wrote to memory of 2760	732	cmd.exe	87
PID 732 wrote to memory of 1988	732	cmd.exe	88
PID 732 wrote to memory of 1988	732	cmd.exe	88
PID 732 wrote to memory of 1988	732	cmd.exe	88
PID 732 wrote to memory of 1088	732	cmd.exe	89
PID 732 wrote to memory of 1088	732	cmd.exe	89
PID 732 wrote to memory of 1088	732	cmd.exe	89
PID 732 wrote to memory of 2884	732	cmd.exe	90
PID 732 wrote to memory of 2884	732	cmd.exe	90
PID 732 wrote to memory of 2884	732	cmd.exe	90
PID 732 wrote to memory of 2152	732	cmd.exe	91
PID 732 wrote to memory of 2152	732	cmd.exe	91
PID 732 wrote to memory of 2152	732	cmd.exe	91
PID 732 wrote to memory of 1432	732	cmd.exe	92
PID 732 wrote to memory of 1432	732	cmd.exe	92
PID 732 wrote to memory of 1432	732	cmd.exe	92
PID 732 wrote to memory of 1944	732	cmd.exe	93
PID 732 wrote to memory of 1944	732	cmd.exe	93
PID 732 wrote to memory of 1944	732	cmd.exe	93
PID 1432 wrote to memory of 664	1432	Jonathan.pif	94
PID 1432 wrote to memory of 664	1432	Jonathan.pif	94
PID 1432 wrote to memory of 664	1432	Jonathan.pif	94
PID 1432 wrote to memory of 664	1432	Jonathan.pif	94
PID 1432 wrote to memory of 664	1432	Jonathan.pif	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3312
- C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe
  "C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Generating Generating.cmd && Generating.cmd && exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4772
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2760
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 349418
      4⤵
      System Location Discovery: System Language Discovery
      PID:1088
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "WorkoutTranslatePropertyManager" Savage
      4⤵
      System Location Discovery: System Language Discovery
      PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Error + ..\Top + ..\Trains + ..\Arrivals + ..\Ok + ..\Declare + ..\Trustee + ..\Authorized + ..\Real + ..\Follows n
      4⤵
      System Location Discovery: System Language Discovery
      PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif
      Jonathan.pif n
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1432
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1944
- C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe

Filesize
63KB

MD5
42ab6e035df99a43dbb879c86b620b91

SHA1
c6e116569d17d8142dbb217b1f8bfa95bc148c38

SHA256
53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b

SHA512
2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\349418\n

Filesize
628KB

MD5
1eca45d434b5a362b5a53768a0a7ad5b

SHA1
cca3fd7269d0c8b22e1988e899ffd77ccac68000

SHA256
d3323cc2bb2b10e7c4a19eeb5da95cd3afc401d02a891f5e2df3ed930b8f6ab4

SHA512
cddad62eaaa6a03a33716f0c53c65ce3da85121c4856ecdf3ed66682e54b1235deb0156f8ee983dfba0ced2669bf8f869dfebdea25d11aa1adf50d7bd1a66e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Arrivals

Filesize
66KB

MD5
ceb30d7fd337eab0a7e453320f049c45

SHA1
58feb1a1b8a4ac4698c5fe72ced2172d0584d340

SHA256
968f001e3d93c7f3481831cff2924705bf8ead261bf976fa662d3a6e30b187b7

SHA512
10f550340410f68993b2e70cf36b9ee90dd6acff15ea9ac7f9cd1f012712f0a2e81bc7b7ef359d0bb5d8fd77d8eca4ec7517c0c657dd254c6ed60a18e7b4e647

Download Submit
C:\Users\Admin\AppData\Local\Temp\Authorized

Filesize
53KB

MD5
2ff2c09f6a306e6eac8ec0aacea1c5d1

SHA1
98a72538c59fbe98ff0015d0882ad0101158ba52

SHA256
ae7168959f3c72ce375eb5ab6efe4b8f4a22d00731f5df0839a0786b84baf9dd

SHA512
069a0e35073a9a859b5328661c9f36c44e4d8eee00c471aa0571e09a0e2ee4f43fc9bfefcfb6eac7fa025d3c5b87e1c02367807211c18df7e4b84353248add18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Declare

Filesize
80KB

MD5
e7dfae04a017b361a93c39cef0fd06d8

SHA1
02b70beb9ba9d4e20b430dcbf53752e8d8d72b9e

SHA256
b4a0ff42ac349a2d05eb48b74045a46fc37b7cea378d294b58c21720467c9c5d

SHA512
a42185c7ad43dbf02f82c1ca8e5c2bf94c929a5e7a2f4240cd044bcff7c6bd471e6ed33182b95636b130335fa5c399f4ea6e25e7771882df0988363a974714b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Error

Filesize
90KB

MD5
6acae397533e2504c8dcc22dbcc5ee1b

SHA1
a02c00e37d829ad3ea6974097aa8c66c987701a0

SHA256
cd7f8c9ec8f9116ce23b14cdf371c780aed709c14ec341aa9a97040ac48c90f3

SHA512
b7664ae523061b3adf805cf34948d4f8253656a21716d7f64fa5410b66ac49c94a30a1a41be26e7439288cd1af493c9e32ec1217e7cdf4922051d4ad8682c6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Follows

Filesize
24KB

MD5
9344a1156b1a7dcfc6a721156ddc2a51

SHA1
01bcecb00f58be09fa71ca588172d640359002a8

SHA256
20954126145914bf4fa26f9e307130781fcdfed73d1bb9f96948b287ec31ac5d

SHA512
caa616d7db53ac82e33f7eb4f97d266e6ada1be07f38c3d8b2558eeeaad9ccee9c0d8900f31fbe86569e20dc78d13a813d52b1ea6ba0c97a07190588444950b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Generating

Filesize
21KB

MD5
2fba118aa4e49a942e5047b6753eb8c6

SHA1
a4e251441a81cb56b71884b4e2cbff4912ad0b75

SHA256
c404a7e24563ad8112e1366ab3816f13d994b84cca66ca4ac004d8c836aef84d

SHA512
4412e7ca19780f9d1c970d11be7ffb77cb4525717d1465fe7712b203221b9830b9131d78ec9b85b478bc4400f5cced641f03d505dfed4e0843616932e281c200

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ok

Filesize
56KB

MD5
de7c228bec1a2349469fac7ff35b6426

SHA1
45c9437428a204a108c6b19b23590123b18de3f6

SHA256
f17ef9d2c6c25f46a4bbdd4a50c025c3ee95aa6b72403d16b34b6a75da191c09

SHA512
16597e12652295740f93fdaa371fb51b8dc426d02b506655f9b94c23c8776192c8e2fce58f9ccc731690259dda2c52539ba961e1468c3aee52f468c983d74ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Real

Filesize
63KB

MD5
18584252a54fb18f4edaf293ae302dc2

SHA1
c32ec72e6d3524bd428612164d056847aa99408f

SHA256
3df93840384ebd06e02812e5dc5b4638a00488a5a7f8c34c473b0833f8043252

SHA512
ddefa98f1cc82cfcd2202d7ea0f503ee162b33d279958ce2f44eb65dcd74265c07b4c9d905620468b1994deb1331a99c9e0398d91cd3cc88f0207e08b6229dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resorts

Filesize
871KB

MD5
66168ac43906ee81db71a613b4124ffe

SHA1
6d470e88eb2d34265e7e2a14b8687c055c4eb602

SHA256
80282cb7b875b7465fc4bfd797adc4cb7ba59addbc84e0ee8c0a1af2f17ea814

SHA512
7b54805e313de0a141c3a9e64fd46f7378d64fa8d3914688b3a4f0cd4b52bb2fb3837cd12d81f670d9e308344de9d97e6942ffe0a41438aa7d4b58494dcbbd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Savage

Filesize
988B

MD5
9e714120340fe1ee3338928be0c55d9b

SHA1
5a2c58c33d5f3111d25416b3e64cf6c6cef88f38

SHA256
802f09110fc3b9a8a0903f8723a80c2b3bcf36f2ca5bf29a76f2b9bf4f2ed7f1

SHA512
ea2c718ac1104f1d8f18be6130e780aaaa3d1112219ed2ebd9cb035ae38070f49f9455cd33589f5c31bc8c1d184a4bb997070879d5808263a1b12355606044a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Top

Filesize
66KB

MD5
cb39a85b5401d9bd5f6735150229f5f4

SHA1
be66caf7dcf5dbce6732d583f050509be5512f9b

SHA256
ff6480b420095b8b2a9bd090d0c193cf6c206c5766aec01dbc36653f19dc244c

SHA512
1e7e79f146cd329971a350e9b524068b9fd7bfd97053018f9ee4792277673dc35b867d18731cbd3c0462f0f224a181ddfcc17762bcfdf1f158130d16fb4ce781

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trains

Filesize
63KB

MD5
1767f4c13631e8bb9e3a3f260a3063b0

SHA1
d5db66c99ecad70420163f69bf167677e4b8fdfc

SHA256
e6bea29fb4e262cf4b2a9df8e6ea015e37e6363a6c44a3e00472824c7d442299

SHA512
c90bf304859a174d6a8c58c56b47263e21b45807a4eb8ea0df4efc3da470adaa8e57d839ba798c922f2af8b6f2948d89aae96587ccf722c7ec40fd5d1ad488ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trustee

Filesize
67KB

MD5
a874970ff59977efaf4f49a452589034

SHA1
25aad1717e0da502ea94e9c74322f138e4e0e494

SHA256
5e9d0155a1be633b54b6cc49033642f7cd37d63bda9b4c34ee8eb51546f2911d

SHA512
c4ed114392327dae0eae00cd64d6e371d0abfeb925e21a2e3327e5c95bb4c4326016580cb9a7c6f55947be73da2312bb0594dc6786099fe8a5ac8286d4bbc57d

Download Submit
memory/664-35-0x0000000000B40000-0x0000000000BD8000-memory.dmp

Filesize
608KB

Download
memory/664-38-0x0000000005840000-0x0000000005DE6000-memory.dmp

Filesize
5.6MB

Download
memory/664-39-0x0000000005190000-0x00000000051F6000-memory.dmp

Filesize
408KB

Download
memory/664-41-0x0000000006210000-0x00000000062A2000-memory.dmp

Filesize
584KB

Download
memory/664-42-0x00000000061C0000-0x00000000061CA000-memory.dmp

Filesize
40KB

Download
memory/664-43-0x0000000006480000-0x000000000651C000-memory.dmp

Filesize
624KB

Download