stormkitty | b32401f4a1ac0bf0a8c81dc6e7ac5a11c2125d2055f2224cafba44df740684fe

Analysis

max time kernel
63s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a0a33df99b129a04317cda6f9ee8450N.exe
Size

87KB
MD5

1a0a33df99b129a04317cda6f9ee8450
SHA1

6c24864e71f40523418cb273dd2f647686f524f8
SHA256

b32401f4a1ac0bf0a8c81dc6e7ac5a11c2125d2055f2224cafba44df740684fe
SHA512

5473aab64e531ffe53352b8c17fc4dda775f79b3fe900624918a60153727a6111a01b9d10a270149b17f4a3b9399c75fd5c4c85f2f82b956710e879cd3115187
SSDEEP

1536:MexIYG53x/8XNYK5rJx93o8lg/x/G9apbbp3gITPTFO:MeaYG53x/8Xpx9gZ+spbbp3gIrxO

Score

10^/10

stormkitty credential_access discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/1096-1-0x0000000000050000-0x000000000006C000-memory.dmp	family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Deletes itself 1 IoCs

pid	Process
2872	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2700	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2700	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1096	1a0a33df99b129a04317cda6f9ee8450N.exe
1096	1a0a33df99b129a04317cda6f9ee8450N.exe
1096	1a0a33df99b129a04317cda6f9ee8450N.exe
1096	1a0a33df99b129a04317cda6f9ee8450N.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	1a0a33df99b129a04317cda6f9ee8450N.exe
Token: SeIncreaseQuotaPrivilege	2892	wmic.exe
Token: SeSecurityPrivilege	2892	wmic.exe
Token: SeTakeOwnershipPrivilege	2892	wmic.exe
Token: SeLoadDriverPrivilege	2892	wmic.exe
Token: SeSystemProfilePrivilege	2892	wmic.exe
Token: SeSystemtimePrivilege	2892	wmic.exe
Token: SeProfSingleProcessPrivilege	2892	wmic.exe
Token: SeIncBasePriorityPrivilege	2892	wmic.exe
Token: SeCreatePagefilePrivilege	2892	wmic.exe
Token: SeBackupPrivilege	2892	wmic.exe
Token: SeRestorePrivilege	2892	wmic.exe
Token: SeShutdownPrivilege	2892	wmic.exe
Token: SeDebugPrivilege	2892	wmic.exe
Token: SeSystemEnvironmentPrivilege	2892	wmic.exe
Token: SeRemoteShutdownPrivilege	2892	wmic.exe
Token: SeUndockPrivilege	2892	wmic.exe
Token: SeManageVolumePrivilege	2892	wmic.exe
Token: 33	2892	wmic.exe
Token: 34	2892	wmic.exe
Token: 35	2892	wmic.exe
Token: SeIncreaseQuotaPrivilege	2892	wmic.exe
Token: SeSecurityPrivilege	2892	wmic.exe
Token: SeTakeOwnershipPrivilege	2892	wmic.exe
Token: SeLoadDriverPrivilege	2892	wmic.exe
Token: SeSystemProfilePrivilege	2892	wmic.exe
Token: SeSystemtimePrivilege	2892	wmic.exe
Token: SeProfSingleProcessPrivilege	2892	wmic.exe
Token: SeIncBasePriorityPrivilege	2892	wmic.exe
Token: SeCreatePagefilePrivilege	2892	wmic.exe
Token: SeBackupPrivilege	2892	wmic.exe
Token: SeRestorePrivilege	2892	wmic.exe
Token: SeShutdownPrivilege	2892	wmic.exe
Token: SeDebugPrivilege	2892	wmic.exe
Token: SeSystemEnvironmentPrivilege	2892	wmic.exe
Token: SeRemoteShutdownPrivilege	2892	wmic.exe
Token: SeUndockPrivilege	2892	wmic.exe
Token: SeManageVolumePrivilege	2892	wmic.exe
Token: 33	2892	wmic.exe
Token: 34	2892	wmic.exe
Token: 35	2892	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2892	1096	1a0a33df99b129a04317cda6f9ee8450N.exe	30
PID 1096 wrote to memory of 2892	1096	1a0a33df99b129a04317cda6f9ee8450N.exe	30
PID 1096 wrote to memory of 2892	1096	1a0a33df99b129a04317cda6f9ee8450N.exe	30
PID 1096 wrote to memory of 2872	1096	1a0a33df99b129a04317cda6f9ee8450N.exe	33
PID 1096 wrote to memory of 2872	1096	1a0a33df99b129a04317cda6f9ee8450N.exe	33
PID 1096 wrote to memory of 2872	1096	1a0a33df99b129a04317cda6f9ee8450N.exe	33
PID 2872 wrote to memory of 2700	2872	cmd.exe	35
PID 2872 wrote to memory of 2700	2872	cmd.exe	35
PID 2872 wrote to memory of 2700	2872	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\1a0a33df99b129a04317cda6f9ee8450N.exe
"C:\Users\Admin\AppData\Local\Temp\1a0a33df99b129a04317cda6f9ee8450N.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tmp9251.tmp.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9251.tmp.bat

Filesize
170B

MD5
f8727fa1fc939a0f629a2f78f7aef501

SHA1
0abe12adf095b4cbf939aad62138eaf33b0632ed

SHA256
3b48fa9e32188f6d72bd2301372ae3640a0a7d2d7c969da92c8e7374d74a45e6

SHA512
7d91fbf40c4865f4dcebf14b7cabae331de5917671ff39818871826fcdb509806a9b43750c09176b0c325484fc3656290360306c290f42b23d8d6c0d6d6bc662

Download Submit
memory/1096-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/1096-1-0x0000000000050000-0x000000000006C000-memory.dmp

Filesize
112KB

Download
memory/1096-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/1096-20-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download