stormkitty | ff84d777db298c70e206a94f1a4a1a5d5536d8cd42eedbd50ffde364daa368a6

Reason

Machine shutdown

General

Target

file01.js
Size

7KB
MD5

8fbf57ab035ec7063b9522e5f30a75f7
SHA1

cd761463221ba82f46b2b28fe56a0e74588c64b9
SHA256

ff84d777db298c70e206a94f1a4a1a5d5536d8cd42eedbd50ffde364daa368a6
SHA512

6fb68c7241c130973c1332a2f1c23c76cdb4640d76e270e1a0538a83001fe7d2aa4397ccb34def80ce88a5050f36d7bbaad7700fd9efa666c26bb0e6c4bc71d6
SSDEEP

96:lUu0CRu5u37arzWruLprCRuzrN+uQ6rgxX4murNdgCRufZQL76mXHNuipdWwp5i6:lUycqnDtjfQxaWpK+l

Score

10^/10

stormkitty xworm discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

as525795.duckdns.org:6980

194.37.97.150:6980

Mutex

wtYmVE2WY2XGhWlO

Attributes

install_file
adobe.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1844-19-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1844-28-0x0000000007A50000-0x0000000007B6E000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

1 3828 wscript.exe

flow	pid	process
1	3828	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

GeUT.exeGeUT.exe

pid process

4964 GeUT.exe
1844 GeUT.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
4964	GeUT.exe
1844	GeUT.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GeUT.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Service.exe"	GeUT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GeUT.exe"	GeUT.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

GeUT.exe

description pid process target process

PID 4964 set thread context of 1844 4964 GeUT.exe GeUT.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2392 1844 WerFault.exe GeUT.exe

description	pid	process	target process
PID 4964 set thread context of 1844	4964	GeUT.exe	GeUT.exe

pid	pid_target	process	target process
2392	1844	WerFault.exe	GeUT.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

GeUT.exeGeUT.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GeUT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GeUT.exe

Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings wscript.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

GeUT.exe

pid process

1844 GeUT.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

GeUT.exe

pid process

1844 GeUT.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GeUT.exe

description pid process

Token: SeDebugPrivilege 1844 GeUT.exe
Token: SeDebugPrivilege 1844 GeUT.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

GeUT.exe

pid process

1844 GeUT.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	wscript.exe

pid	process
1844	GeUT.exe

pid	process
1844	GeUT.exe

description	pid	process
Token: SeDebugPrivilege	1844	GeUT.exe
Token: SeDebugPrivilege	1844	GeUT.exe

pid	process
1844	GeUT.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

wscript.exeWScript.exeGeUT.exe

description	pid	process	target process
PID 3828 wrote to memory of 4596	3828	wscript.exe	WScript.exe
PID 3828 wrote to memory of 4596	3828	wscript.exe	WScript.exe
PID 4596 wrote to memory of 4964	4596	WScript.exe	GeUT.exe
PID 4596 wrote to memory of 4964	4596	WScript.exe	GeUT.exe
PID 4596 wrote to memory of 4964	4596	WScript.exe	GeUT.exe
PID 4964 wrote to memory of 1844	4964	GeUT.exe	GeUT.exe
PID 4964 wrote to memory of 1844	4964	GeUT.exe	GeUT.exe
PID 4964 wrote to memory of 1844	4964	GeUT.exe	GeUT.exe
PID 4964 wrote to memory of 1844	4964	GeUT.exe	GeUT.exe
PID 4964 wrote to memory of 1844	4964	GeUT.exe	GeUT.exe
PID 4964 wrote to memory of 1844	4964	GeUT.exe	GeUT.exe
PID 4964 wrote to memory of 1844	4964	GeUT.exe	GeUT.exe
PID 4964 wrote to memory of 1844	4964	GeUT.exe	GeUT.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\file01.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OLWJMU.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\GeUT.exe
    "C:\Users\Admin\AppData\Local\Temp\GeUT.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\GeUT.exe
      "C:\Users\Admin\AppData\Local\Temp\GeUT.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1844
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 2016
        5⤵
        Program crash
        
        PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1844 -ip 1844
1⤵
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GeUT.exe.log

Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GeUT.exe

Filesize
58KB

MD5
7284765ca4d2f85c487796f437b01822

SHA1
f1e51f7e021629857369888a16e201fb464b7a61

SHA256
680ed672969ac8f7d533b74b27b152f4608ef9bba02f48935829455190b1e996

SHA512
17d1df0df786d7bfff9ee7618ea0cc442804b03bd6f35f13f8bbe6dd7ffa581c663d724989038a163d9b3b116eedef198ee084a87b6e799a4c97984304469b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\OLWJMU.js

Filesize
1.6MB

MD5
c63888086e1646654a1e162fde69c0ff

SHA1
8580dafbffe4d9b0d7e122127a455682ad2bd30e

SHA256
262fb2e45f9b66956236f89f4cbeac22ee3d011832263a28ed7f632a22ae87d7

SHA512
df2212775d03605673e6420ef74ec6c99fcdbf7e1dde3287c97c634553f66fd084e0f38549134ec9e0fb8cef4033be92013a430aa7955f0c691f7edff02fcb66

Download Submit
memory/1844-26-0x00000000060D0000-0x00000000060DA000-memory.dmp

Filesize
40KB

Download
memory/1844-19-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1844-24-0x0000000005100000-0x000000000519C000-memory.dmp

Filesize
624KB

Download
memory/1844-25-0x00000000060E0000-0x0000000006172000-memory.dmp

Filesize
584KB

Download
memory/1844-27-0x00000000070A0000-0x0000000007106000-memory.dmp

Filesize
408KB

Download
memory/1844-28-0x0000000007A50000-0x0000000007B6E000-memory.dmp

Filesize
1.1MB

Download
memory/1844-29-0x0000000007BA0000-0x0000000007EF4000-memory.dmp

Filesize
3.3MB

Download
memory/1844-30-0x0000000008080000-0x00000000080CC000-memory.dmp

Filesize
304KB

Download
memory/4964-18-0x0000000004DD0000-0x0000000004DD8000-memory.dmp

Filesize
32KB

Download
memory/4964-17-0x00000000052F0000-0x0000000005894000-memory.dmp

Filesize
5.6MB

Download
memory/4964-16-0x00000000003F0000-0x0000000000404000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads