stormkitty | 20c29406f1b8fbbdff8528feaf19df7be1ace4da2ac3e9c1e34b710667cf7ee7

General

Target

XBinderOutput.exe
Size

498KB
MD5

2c8cf21a477d6bfa16bf2e60125f4b93
SHA1

cc7792f9f8fd2b6508437f5ff3f667cc71893bd8
SHA256

20c29406f1b8fbbdff8528feaf19df7be1ace4da2ac3e9c1e34b710667cf7ee7
SHA512

0b5ef6e9a9737357c26840b1b0cfa7b7c4ff706402d40943a5992e2b3049393d8dd20962c4a5e944b349e7e8de0287f56f81cbd3e5dd7b1e630de5f6d3bdcb69
SSDEEP

12288:vM/2474xjEoCVoe3ieEm7MyuSANU22+zPp7QroGhhZL:0O2OU6e3ieEm7M72+9yosl

Score

10^/10

stormkitty execution stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2056-38-0x0000000000A80000-0x0000000000AD6000-memory.dmp	family_stormkitty

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2848 powershell.exe
568 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

llllllll.exesvchosts.exeWinRAR.exeWinRAR.exe

pid process

2124 llllllll.exe
2808 svchosts.exe
2436 WinRAR.exe
2056 WinRAR.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2848 powershell.exe
568 powershell.exe

pid	process
2848	powershell.exe
568	powershell.exe

pid	process
2124	llllllll.exe
2808	svchosts.exe
2436	WinRAR.exe
2056	WinRAR.exe

pid	process
2848	powershell.exe
568	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

llllllll.exesvchosts.exevssvc.exepowershell.exepowershell.exeWinRAR.exeWinRAR.exe

description	pid	process
Token: SeDebugPrivilege	2124	llllllll.exe
Token: SeDebugPrivilege	2808	svchosts.exe
Token: SeBackupPrivilege	2112	vssvc.exe
Token: SeRestorePrivilege	2112	vssvc.exe
Token: SeAuditPrivilege	2112	vssvc.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2436	WinRAR.exe
Token: SeDebugPrivilege	2056	WinRAR.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

XBinderOutput.exellllllll.exetaskeng.exe

description	pid	process	target process
PID 772 wrote to memory of 2124	772	XBinderOutput.exe	llllllll.exe
PID 772 wrote to memory of 2124	772	XBinderOutput.exe	llllllll.exe
PID 772 wrote to memory of 2124	772	XBinderOutput.exe	llllllll.exe
PID 772 wrote to memory of 2808	772	XBinderOutput.exe	svchosts.exe
PID 772 wrote to memory of 2808	772	XBinderOutput.exe	svchosts.exe
PID 772 wrote to memory of 2808	772	XBinderOutput.exe	svchosts.exe
PID 2124 wrote to memory of 2848	2124	llllllll.exe	powershell.exe
PID 2124 wrote to memory of 2848	2124	llllllll.exe	powershell.exe
PID 2124 wrote to memory of 2848	2124	llllllll.exe	powershell.exe
PID 2124 wrote to memory of 568	2124	llllllll.exe	powershell.exe
PID 2124 wrote to memory of 568	2124	llllllll.exe	powershell.exe
PID 2124 wrote to memory of 568	2124	llllllll.exe	powershell.exe
PID 2188 wrote to memory of 2436	2188	taskeng.exe	WinRAR.exe
PID 2188 wrote to memory of 2436	2188	taskeng.exe	WinRAR.exe
PID 2188 wrote to memory of 2436	2188	taskeng.exe	WinRAR.exe
PID 2188 wrote to memory of 2056	2188	taskeng.exe	WinRAR.exe
PID 2188 wrote to memory of 2056	2188	taskeng.exe	WinRAR.exe
PID 2188 wrote to memory of 2056	2188	taskeng.exe	WinRAR.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:772
- C:\Users\Admin\AppData\Local\Temp\llllllll.exe
  "C:\Users\Admin\AppData\Local\Temp\llllllll.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WinRAR.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinRAR.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- C:\Users\Admin\AppData\Local\Temp\svchosts.exe
  "C:\Users\Admin\AppData\Local\Temp\svchosts.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\taskeng.exe
taskeng.exe {1CBAFA0D-5968-49E7-95C5-0F6B5499A2A8} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Public\WinRAR.exe
  C:\Users\Public\WinRAR.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Users\Public\WinRAR.exe
  C:\Users\Public\WinRAR.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\llllllll.exe

Filesize
510KB

MD5
342f45e65257fb8d75b1a1896eaf35ac

SHA1
927d528d20c2c388e599b9d103cd52c7ea8821ad

SHA256
dd97980e81b5e1e51eb399defba5db7c2f9efa126fa8423955cd670dcd43da11

SHA512
e9c0f2f7da9cacfcebebcd9e72c486ccee5c395770b1ff12d98fccc203d30158b82bc01ba60528a57594309cacc996768c416c7e3a4fc5d248d77093d712eccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosts.exe

Filesize
220KB

MD5
28b08dae6fe1c1af8921fc682a4d466d

SHA1
abedc3b269168207564d74a422b17dbece9b6a30

SHA256
f69a9632a9f823639d35ddd9c3e8cfb8ee92822812707b98aeb7e01dffc27460

SHA512
3a6b4ba2c38b593a89493646865503005d6b08d1f969989cbbb8767100041e629c3d442bffc106d848b93adae2997e3c4bea1795d65aeccb17ed2ca47f6d9494

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6e98ebfd11938741a3e93a8e687183b0

SHA1
9bee953d70a5bb90f7915a8f08811f3579b48ec2

SHA256
d65333299b9dede86d7821b6c1bd1dacd33e7b2e7404b2e0cbf249e254c88561

SHA512
9e24f0a66ee9913f2a2fa9ae36a40e2aa7d9c3017555069e14ec08ad8345992b516e329f77c412f858d868310e9aca6e86ca1a26b9588fa3a8cd17b32771d87d

Download Submit
memory/568-29-0x0000000002700000-0x0000000002708000-memory.dmp

Filesize
32KB

Download
memory/568-28-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/772-1-0x0000000000E20000-0x0000000000EA2000-memory.dmp

Filesize
520KB

Download
memory/772-0-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp

Filesize
4KB

Download
memory/772-14-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2056-38-0x0000000000A80000-0x0000000000AD6000-memory.dmp

Filesize
344KB

Download
memory/2124-9-0x0000000000D70000-0x0000000000DF6000-memory.dmp

Filesize
536KB

Download
memory/2124-15-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2124-37-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2436-35-0x00000000012B0000-0x0000000001336000-memory.dmp

Filesize
536KB

Download
memory/2808-13-0x0000000000110000-0x000000000014E000-memory.dmp

Filesize
248KB

Download
memory/2848-22-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/2848-21-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads