stormkitty | 1179583d5b06240bdfbd61745abeb7706e4b75d2d42a561b71f39d8e6edb9e7e

Analysis

max time kernel
133s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.py.exe
Size

44KB
MD5

aacd79d677898cf5c143ee144aeacdba
SHA1

1f6bbacd1373226e2ef53cca19754be6b8d73619
SHA256

1179583d5b06240bdfbd61745abeb7706e4b75d2d42a561b71f39d8e6edb9e7e
SHA512

f3a144841980da5fb5105731033c596d2e96e68a663af4790fa0009b58e479d6dcf4a7f69aff2a4ae56f4e28ee86b00cce3dac24739826ec980ab699a338e46a
SSDEEP

768:/0yUbkms0JqxXAsvfgf3okU2jCp/J7X+F+R9pP46vOChQbWL6h:/0/bkt0JqhAmfU5U2jG/FOF09R46vOCK

Score

10^/10

stormkitty xworm credential_access discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

coming-park.gl.at.ply.gg:2444

Mutex

RaGFrRd5XNdQrnY7

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/2008-97-0x0000000002B60000-0x0000000002B6E000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2008-1-0x00000000009D0000-0x00000000009E2000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2008-61-0x000000001EA20000-0x000000001EB3E000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1532	powershell.exe
4580	powershell.exe
3564	powershell.exe
652	powershell.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	main.py.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4564	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	main.py.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.lnk	main.py.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.lnk	main.py.exe

Loads dropped DLL 1 IoCs

pid	Process
2008	main.py.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\main = "C:\\Users\\Admin\\AppData\\Roaming\\main.py"	main.py.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3316	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2008	main.py.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
652	powershell.exe
652	powershell.exe
652	powershell.exe
2008	main.py.exe
2008	main.py.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	main.py.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	2008	main.py.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2008	main.py.exe
316	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1532	2008	main.py.exe	97
PID 2008 wrote to memory of 1532	2008	main.py.exe	97
PID 2008 wrote to memory of 4580	2008	main.py.exe	99
PID 2008 wrote to memory of 4580	2008	main.py.exe	99
PID 2008 wrote to memory of 3564	2008	main.py.exe	102
PID 2008 wrote to memory of 3564	2008	main.py.exe	102
PID 2008 wrote to memory of 652	2008	main.py.exe	104
PID 2008 wrote to memory of 652	2008	main.py.exe	104
PID 2008 wrote to memory of 3316	2008	main.py.exe	106
PID 2008 wrote to memory of 3316	2008	main.py.exe	106
PID 2008 wrote to memory of 4564	2008	main.py.exe	115
PID 2008 wrote to memory of 4564	2008	main.py.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\main.py.exe
"C:\Users\Admin\AppData\Local\Temp\main.py.exe"
1⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\main.py.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'main.py.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\main.py'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'main.py'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "main" /tr "C:\Users\Admin\AppData\Roaming\main.py"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3316
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4856,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
1⤵
PID:4836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe "C:\Users\Admin\AppData\Roaming\main.py"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aeceee3981c528bdc5e1c635b65d223d

SHA1
de9939ed37edca6772f5cdd29f6a973b36b7d31b

SHA256
b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

SHA512
df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1c09764a32d5e64417eeee04c0aa8f03

SHA1
708741c6707654c00fd9dad84fab859e3c195c33

SHA256
49bc1dd65d79931c5ed1f50b89ca5eb8d941574880a17f7655aa7f4b3a2080de

SHA512
cd493aeaab5e8007362986cf8ad85a185cdf71fa6636f89fd7097412ffc631b325184029fa43c8ab8ec240fc90b69c98c6e3167170d6ef58f52ca5d33edaf655

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_24g5rtvq.554.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp784E.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
memory/1532-13-0x00007FF889260000-0x00007FF889D21000-memory.dmp

Filesize
10.8MB

Download
memory/1532-12-0x00000202ED6F0000-0x00000202ED712000-memory.dmp

Filesize
136KB

Download
memory/1532-18-0x00007FF889260000-0x00007FF889D21000-memory.dmp

Filesize
10.8MB

Download
memory/1532-14-0x00007FF889260000-0x00007FF889D21000-memory.dmp

Filesize
10.8MB

Download
memory/1532-15-0x00007FF889260000-0x00007FF889D21000-memory.dmp

Filesize
10.8MB

Download
memory/2008-52-0x00007FF889263000-0x00007FF889265000-memory.dmp

Filesize
8KB

Download
memory/2008-2-0x00007FF889260000-0x00007FF889D21000-memory.dmp

Filesize
10.8MB

Download
memory/2008-0-0x00007FF889263000-0x00007FF889265000-memory.dmp

Filesize
8KB

Download
memory/2008-57-0x00007FF889260000-0x00007FF889D21000-memory.dmp

Filesize
10.8MB

Download
memory/2008-58-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/2008-60-0x000000001E6D0000-0x000000001EA20000-memory.dmp

Filesize
3.3MB

Download
memory/2008-61-0x000000001EA20000-0x000000001EB3E000-memory.dmp

Filesize
1.1MB

Download
memory/2008-97-0x0000000002B60000-0x0000000002B6E000-memory.dmp

Filesize
56KB

Download
memory/2008-98-0x000000001BC70000-0x000000001BCAA000-memory.dmp

Filesize
232KB

Download
memory/2008-1-0x00000000009D0000-0x00000000009E2000-memory.dmp

Filesize
72KB

Download
memory/2008-103-0x000000001E140000-0x000000001E176000-memory.dmp

Filesize
216KB

Download