stormkitty | fa0365f999d7e9fb5f06db07c17b64071fcb175780c2f3b596bded52de435def

Analysis

max time kernel
480s
max time network
488s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SilverClient.exe
Size

39KB
MD5

ce605150f3e3659a4aef120756715d57
SHA1

dd041031aed90df236f704812327455d90acc61b
SHA256

fa0365f999d7e9fb5f06db07c17b64071fcb175780c2f3b596bded52de435def
SHA512

d8d671644891d7d9e6725a2cd451b4d3c3557f7451096e1f034943afbcb8b85f14ef1c8c1179034bb3a9b2db4732a726fa63ef1cd5c61f1c014b24a927f25ebf
SSDEEP

768:q2P7BLBW9U/hnvREaKv34+VnWuPlqJ01cGRU7VTXz1QB6S8h1QrSOoQSKTt0bE:JTBYQEaKvpPlH1cGGR1Qonh1ROo5K5GE

Score

10^/10

stormkitty discovery stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3684-25-0x0000000001D30000-0x0000000001D5A000-memory.dmp	family_stormkitty

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

14 discord.com
15 discord.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
14	discord.com
15	discord.com

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SilverClient.exemsedge.exe

pid	process
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
180	msedge.exe
180	msedge.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SilverClient.exe

pid process

3684 SilverClient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vssvc.exeSilverClient.exe

description	pid	process
Token: SeBackupPrivilege	2024	vssvc.exe
Token: SeRestorePrivilege	2024	vssvc.exe
Token: SeAuditPrivilege	2024	vssvc.exe
Token: SeDebugPrivilege	3684	SilverClient.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

SilverClient.exe

pid	process
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe
3684	SilverClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SilverClient.exe

pid process

3684 SilverClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4600 wrote to memory of 700	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 700	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1912	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 180	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 180	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe
PID 4600 wrote to memory of 1480	4600	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault86f07529h3551h4406h9d4bh05fa8112d0a8
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdf57e46f8,0x7ffdf57e4708,0x7ffdf57e4718
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6176271164177682641,7078900350225980661,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6176271164177682641,7078900350225980661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6176271164177682641,7078900350225980661,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:1480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fc4df9ca94e9486a13b1c85567e6f6d7

SHA1
5e8f8878be92ec7b790951c4e1c3aa0853c78d62

SHA256
c3a14bea30eed239b8948203433f6922cf8a1b4990ddaa90ccb8ae22fd9f23dc

SHA512
2ddd06a87360442e07edc1c1aa2a1e6c9fd22b6cfdc84bcde7d6fd938c1eed52050e0e2b202e8b6a0c2c781bfbb4f5484b2c221ac9d9067982d4de55690f6ff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
517b70600d04829c78035ac58ecdfa34

SHA1
30b466431c858851df3ff8c03d156d3938ae9a25

SHA256
f88d26395c35470aa0be7e7c1e2abab074ef7f6e64ef8bb35b44bf4e104e9a90

SHA512
3027a8e73b79854385c3ad10035daa8d7773faafd4035e08095e877938b33efea5f4f1cb9f5ed0d3ef196b1b5202c5f9983a0a7d609a1529c242fc8db9494822

Download Submit
\??\pipe\LOCAL\crashpad_4600_FKEDTNMEGHXHTUQK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3684-16-0x0000000001790000-0x00000000017E6000-memory.dmp

Filesize
344KB

Download
memory/3684-146-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-9-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-2-0x00007FFDF7A30000-0x00007FFDF84F1000-memory.dmp

Filesize
10.8MB

Download
memory/3684-11-0x00000000018F0000-0x0000000001900000-memory.dmp

Filesize
64KB

Download
memory/3684-12-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-14-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-15-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-0-0x00007FFDF7A33000-0x00007FFDF7A35000-memory.dmp

Filesize
8KB

Download
memory/3684-17-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-18-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-19-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-21-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-22-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-23-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-24-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-25-0x0000000001D30000-0x0000000001D5A000-memory.dmp

Filesize
168KB

Download
memory/3684-94-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-28-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-29-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-6-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-5-0x00007FFDF7A33000-0x00007FFDF7A35000-memory.dmp

Filesize
8KB

Download
memory/3684-10-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-7-0x00007FFDF7A30000-0x00007FFDF84F1000-memory.dmp

Filesize
10.8MB

Download
memory/3684-26-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-95-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-96-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-97-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-98-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-99-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-100-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-101-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-103-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-104-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-107-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-108-0x0000000001400000-0x0000000001420000-memory.dmp

Filesize
128KB

Download
memory/3684-109-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-110-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-136-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-137-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-140-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-144-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-145-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download
memory/3684-1-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/3684-147-0x0000000001900000-0x000000000194B000-memory.dmp

Filesize
300KB

Download