stormkitty | 9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 01:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba.exe
Size

1.5MB
MD5

ff83471ce09ebbe0da07d3001644b23c
SHA1

672aa37f23b421e4afba46218735425f7acc29c2
SHA256

9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba
SHA512

179c724558065de4b7ea11dd75588df51a3fce737db3ebc77c8fdc0b3a432f6f1fdcc5acd2e2706ab0f088c35a3310c9e638de92ce0a644322eae46729aea259
SSDEEP

24576:nK7tMGUfQtpOdk3xWBq0qWH6JubmMTzfZwLDC4pZylqUAc2:JQ7AkiqQaJjMHWvlpOqUt2

Score

10^/10

stormkitty discovery stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral1/memory/784-37-0x0000000000130000-0x00000000001C8000-memory.dmp	family_stormkitty
behavioral1/memory/784-40-0x0000000000130000-0x00000000001C8000-memory.dmp	family_stormkitty
behavioral1/memory/784-39-0x0000000000130000-0x00000000001C8000-memory.dmp	family_stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2380 created 1116	2380	Optimum.pif	20

Executes dropped EXE 2 IoCs

pid	Process
2380	Optimum.pif
784	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2856	cmd.exe
2380	Optimum.pif
784	RegAsm.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2760	tasklist.exe
2644	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CheckingReliable	9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba.exe
File opened for modification	C:\Windows\ConferencesInto	9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba.exe
File opened for modification	C:\Windows\GamblingCedar	9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba.exe
File opened for modification	C:\Windows\AnchorAnnotated	9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Optimum.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	Optimum.pif
2380	Optimum.pif
2380	Optimum.pif
2380	Optimum.pif
2380	Optimum.pif
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe
784	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	tasklist.exe
Token: SeDebugPrivilege	2644	tasklist.exe
Token: SeDebugPrivilege	784	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2380	Optimum.pif
2380	Optimum.pif
2380	Optimum.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2380	Optimum.pif
2380	Optimum.pif
2380	Optimum.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
784	RegAsm.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2856	1620	9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba.exe	30
PID 1620 wrote to memory of 2856	1620	9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba.exe	30
PID 1620 wrote to memory of 2856	1620	9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba.exe	30
PID 1620 wrote to memory of 2856	1620	9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba.exe	30
PID 2856 wrote to memory of 2760	2856	cmd.exe	32
PID 2856 wrote to memory of 2760	2856	cmd.exe	32
PID 2856 wrote to memory of 2760	2856	cmd.exe	32
PID 2856 wrote to memory of 2760	2856	cmd.exe	32
PID 2856 wrote to memory of 2728	2856	cmd.exe	33
PID 2856 wrote to memory of 2728	2856	cmd.exe	33
PID 2856 wrote to memory of 2728	2856	cmd.exe	33
PID 2856 wrote to memory of 2728	2856	cmd.exe	33
PID 2856 wrote to memory of 2644	2856	cmd.exe	35
PID 2856 wrote to memory of 2644	2856	cmd.exe	35
PID 2856 wrote to memory of 2644	2856	cmd.exe	35
PID 2856 wrote to memory of 2644	2856	cmd.exe	35
PID 2856 wrote to memory of 2968	2856	cmd.exe	36
PID 2856 wrote to memory of 2968	2856	cmd.exe	36
PID 2856 wrote to memory of 2968	2856	cmd.exe	36
PID 2856 wrote to memory of 2968	2856	cmd.exe	36
PID 2856 wrote to memory of 2820	2856	cmd.exe	37
PID 2856 wrote to memory of 2820	2856	cmd.exe	37
PID 2856 wrote to memory of 2820	2856	cmd.exe	37
PID 2856 wrote to memory of 2820	2856	cmd.exe	37
PID 2856 wrote to memory of 2936	2856	cmd.exe	38
PID 2856 wrote to memory of 2936	2856	cmd.exe	38
PID 2856 wrote to memory of 2936	2856	cmd.exe	38
PID 2856 wrote to memory of 2936	2856	cmd.exe	38
PID 2856 wrote to memory of 2616	2856	cmd.exe	39
PID 2856 wrote to memory of 2616	2856	cmd.exe	39
PID 2856 wrote to memory of 2616	2856	cmd.exe	39
PID 2856 wrote to memory of 2616	2856	cmd.exe	39
PID 2856 wrote to memory of 2380	2856	cmd.exe	40
PID 2856 wrote to memory of 2380	2856	cmd.exe	40
PID 2856 wrote to memory of 2380	2856	cmd.exe	40
PID 2856 wrote to memory of 2380	2856	cmd.exe	40
PID 2856 wrote to memory of 1892	2856	cmd.exe	41
PID 2856 wrote to memory of 1892	2856	cmd.exe	41
PID 2856 wrote to memory of 1892	2856	cmd.exe	41
PID 2856 wrote to memory of 1892	2856	cmd.exe	41
PID 2380 wrote to memory of 784	2380	Optimum.pif	43
PID 2380 wrote to memory of 784	2380	Optimum.pif	43
PID 2380 wrote to memory of 784	2380	Optimum.pif	43
PID 2380 wrote to memory of 784	2380	Optimum.pif	43
PID 2380 wrote to memory of 784	2380	Optimum.pif	43
PID 2380 wrote to memory of 784	2380	Optimum.pif	43
PID 2380 wrote to memory of 784	2380	Optimum.pif	43
PID 2380 wrote to memory of 784	2380	Optimum.pif	43
PID 2380 wrote to memory of 784	2380	Optimum.pif	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1116
- C:\Users\Admin\AppData\Local\Temp\9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba.exe
  "C:\Users\Admin\AppData\Local\Temp\9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Surrey Surrey.cmd && Surrey.cmd && exit
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2760
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2728
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2644
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 719580
      4⤵
      System Location Discovery: System Language Discovery
      PID:2820
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "copehebrewinquireinnocent" Corpus
      4⤵
      System Location Discovery: System Language Discovery
      PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Utilize + ..\Verzeichnis + ..\Built + ..\Vessels + ..\Cradle + ..\Jaguar + ..\Comics + ..\Flux + ..\Liberal f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif
      Optimum.pif f
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2380
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1892
- C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\719580\f

Filesize
619KB

MD5
43ca848d3a9ee13623e355d9ee71b515

SHA1
944f72b5cc721b44bf50c0013b4b10151972074d

SHA256
3d4000a64c1b7be8fcefe59e8f39f1ae12ef1fcd9d30a39158f83b26ee189831

SHA512
e52336e652a69b34c41aa9283d8e2e8e795c5734507b23050f48aa25be4423eafcc416f38bf23463de0602c20a24f0fd75629ec23214119b4c4a98025be8513f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built

Filesize
58KB

MD5
0a91386341f9d1a371bc735576b276a4

SHA1
a02598ef42cef1443cc94a8310a6c02df07119d4

SHA256
7b857693641ff1ff59e69422b09299a5580d20677acd530c27c7fbc9e3ee3b92

SHA512
b492508575c01689c982a8eb57fac2b5759e4c843c92f99d231b63c25ab4c82fa7fece9d4e9c2cc436a3232b4ed7947baecf2a06aafbf1a3cf243395af71e96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Comics

Filesize
66KB

MD5
4a3aab84dbfdaf25ae909ac736489f4b

SHA1
76663cb1186f29fed429863013600c9d69355d36

SHA256
2caa4849a4353ca50dfdbc860412e95b783fdcc7e60d8756c9b4bdf2915e1923

SHA512
1c2b0ffa8783bb9e9082eae4214547d8ced58121e717b57884a56042a7ef70c55e702d7f018dea72ca95aa40170c6f24ccec7d56fa3b160237969b5c0473bea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Corpus

Filesize
236B

MD5
148febc94e0f8036a074350ef338b007

SHA1
1be93210e5348f9409fe4162599dfaad797a2ade

SHA256
849892bc358956ee263db6cbddd4a9cca0e1564d6caefe44e2e998d559e610a0

SHA512
72b83e8cb35bf6fe295f1cb84197f3ffb4944e19b9ece9f6664ed2bc4aca40c9c912debf260e891c80feebb4c84935da4c2996b9a100ce94cde177928f31fa92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cradle

Filesize
78KB

MD5
8c59dae352a159e484b0de9603dabc11

SHA1
34992e582081635abf736ec18f1492ae40ca4925

SHA256
3ab028b25bd6bd3ba48a92c4198dd8ff07fe71b4b41c785469d79da422f2fe46

SHA512
cf041cc9470ac479702c19714d875868a5168940a8d56715a98ae3d52f0363ffab160566d7c364b1bd9e8cb263b7e2b60e6719dbac7b6ad12e5f6a87e4f57d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flux

Filesize
92KB

MD5
523fea93bbf3f0b9ddd4d1a432b624c9

SHA1
578ccd6f97455881ca61fddf068695ab0daa8918

SHA256
f4e881ea8495c993e2f008e9b5fc082bc2cea97812fe944dda293f3b02fb60b0

SHA512
633474c0d83e92171d09ab5849b83a9bcd613f630ec54ee44ad42ac8102d25c987f9e3ec71ea6c2d3542bcc9919ded6e37c3754a8f074aeea9704f16770692f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folding

Filesize
872KB

MD5
67ff730b62d42030058393ab3f0dafd1

SHA1
79215f079836dd43b4f7b1e66739bd7dab9fb6a3

SHA256
95d53427ef46fb44354a0253a611e342a30428101acaf83215f5b21432afbff1

SHA512
6e7d6f12686b0b30c96eebe01546e4aee1adee39a7467409e8f41de9a37c65daa010ebcefa6c452d4849e7ba0bec9be55be1b38250420b40e2956c151478d973

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jaguar

Filesize
93KB

MD5
fdadac1c5944e618315f608ad2f02714

SHA1
debe3ccc5a4abc326dbcb4a86ec8074671a3417f

SHA256
49687025dce701973b47fb6caba71f1443471e64551f41967a6a3275ce1e93d5

SHA512
92d7da5ef3625157acb00752b74fcfb80c588bc3ddf8b7fda488f68d0a6cf332aade539ee92139a26c5dc3549c8a69471ca24fcb1568068d5293b8988bbbab58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Liberal

Filesize
38KB

MD5
524c0177830e8a3624062be7eddfa277

SHA1
0a830e50e9433d530094edf3577b7ec5c5d1c5f5

SHA256
aacfabd8f6dde87949cbafa8eab7536dc5377e726064445e62824d10584eaec5

SHA512
79ed8be7d451a885befb7001c52a9f0db3977be8e16abd7db9f7742d520270a650ac77ed72e512a377d8f888bf05643f6bce3fea2d4dba8f37c7fff73a70d0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Surrey

Filesize
14KB

MD5
721cde52d197da4629a6792103404e23

SHA1
1f5bac364c6b9546ba0501f41766bb25df98b32b

SHA256
66627eef98fb038f1d22f620bc8d85430a442d08313602eb02f0b158b5471812

SHA512
63a6786227915bc450ea9ca4df4962126b4194a1fd5c68fe3c686da8175726d4efdda5e88aedea7b8e4e758816b9b31981fa79e37dbe51028650def5042ccac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utilize

Filesize
83KB

MD5
4bb39f0bce8a4f7b640ba76ecccaf87b

SHA1
c0c7feca88b0fc3fc1f20d1963ae25388a1f4c12

SHA256
96af995b201e5392293f2d7272b1c9a3f0eb671d62aeafffb4b0bbbfed0e3560

SHA512
ad2752281067584233cc19b3d0bbd0178dc3907af71c8dc3c37afe35f417afe1b1fc4d9ad2d99506d53100afde8ddb692e93669b8c9398782cb03dc22a04e1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Verzeichnis

Filesize
61KB

MD5
6a5ab833602af088d60d3d7f89b77229

SHA1
32f9fe7c6ba035993a627a78491651f02d0dfc97

SHA256
41586643456496d40c3279839a1cb1528428c19deefb4c702bd58f1467a1a1d0

SHA512
0598b2b38270a8d282ae2325330420b467be203047dffc2e85626fd78e78f81c5084487eebfbefbcb36115732a6670a9857655c18803388c02e37fbcf51aaa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vessels

Filesize
50KB

MD5
d64ef3bbcca2c221c0bcc85a7b6d5209

SHA1
5c3cf9d492c7021e19e103fa14ab3965fd1c6ba3

SHA256
c8c35545936faa3b0e00aa1b907952e97fffd9c1958045253863b4c2fad7f295

SHA512
2b6713646373b5b233295930a46fefbd499b607a94051c6294d3dce12f58b187c98f22f7f0b1243f22611a82c659b1d95f70a7858247b8f0853a1765d449e611

Download Submit
\Users\Admin\AppData\Local\Temp\719580\Optimum.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/784-37-0x0000000000130000-0x00000000001C8000-memory.dmp

Filesize
608KB

Download
memory/784-40-0x0000000000130000-0x00000000001C8000-memory.dmp

Filesize
608KB

Download
memory/784-39-0x0000000000130000-0x00000000001C8000-memory.dmp

Filesize
608KB

Download