stormkitty | hxxps://github[.]com/otaku-codes/StormKitty-API-Fixed/releases/download/stromkitty/Stromkitty[.]By[.]otaku_codes[.]rar

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/otaku-codes/StormKitty-API-Fixed/releases/download/stromkitty/Stromkitty.By.otaku_codes.rar

Score

10^/10

stormkitty discovery stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d38-547.dat	family_stormkitty
behavioral1/memory/1500-550-0x00000000006A0000-0x00000000006B0000-memory.dmp	family_stormkitty
behavioral1/files/0x0007000000023d37-562.dat	family_stormkitty
behavioral1/memory/1368-564-0x0000000000DF0000-0x0000000000E52000-memory.dmp	family_stormkitty
behavioral1/memory/1368-565-0x0000000003020000-0x00000000030A8000-memory.dmp	family_stormkitty
behavioral1/files/0x0007000000023d45-575.dat	family_stormkitty
behavioral1/memory/1036-577-0x00000000009E0000-0x0000000000A10000-memory.dmp	family_stormkitty

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	stub.exe

Executes dropped EXE 5 IoCs

pid	Process
1500	StormKittyBuilder.exe
4848	StormKittyBuilder.exe
1368	StormKittyBuild.exe
1036	stub.exe
3216	StormKittyBuilder.exe

Loads dropped DLL 2 IoCs

pid	Process
3216	StormKittyBuilder.exe
3216	StormKittyBuilder.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
54	raw.githubusercontent.com
55	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StormKittyBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StormKittyBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StormKittyBuilder.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3292	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5076	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4980	msedge.exe
4980	msedge.exe
4968	msedge.exe
4968	msedge.exe
1288	identity_helper.exe
1288	identity_helper.exe
4988	msedge.exe
4988	msedge.exe
1368	StormKittyBuild.exe
1368	StormKittyBuild.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1196	7zFM.exe
Token: 35	1196	7zFM.exe
Token: SeSecurityPrivilege	1196	7zFM.exe
Token: SeDebugPrivilege	1368	StormKittyBuild.exe
Token: SeDebugPrivilege	1036	stub.exe
Token: SeDebugPrivilege	5076	taskkill.exe
Token: SeDebugPrivilege	1500	StormKittyBuilder.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
1196	7zFM.exe
1196	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4816	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 1396	4968	msedge.exe	83
PID 4968 wrote to memory of 1396	4968	msedge.exe	83
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 3712	4968	msedge.exe	84
PID 4968 wrote to memory of 4980	4968	msedge.exe	85
PID 4968 wrote to memory of 4980	4968	msedge.exe	85
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86
PID 4968 wrote to memory of 1376	4968	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/otaku-codes/StormKitty-API-Fixed/releases/download/stromkitty/Stromkitty.By.otaku_codes.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8e6d46f8,0x7ffc8e6d4708,0x7ffc8e6d4718
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,812585974442567029,10166250129470509274,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5616 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2628

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1072

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Stromkitty.By.otaku_codes.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1196

C:\Users\Admin\Desktop\Stromkitty By otaku_codes\StormKittyBuilder.exe
"C:\Users\Admin\Desktop\Stromkitty By otaku_codes\StormKittyBuilder.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Users\Admin\Desktop\Stromkitty By otaku_codes\StormKittyBuilder.exe
"C:\Users\Admin\Desktop\Stromkitty By otaku_codes\StormKittyBuilder.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4848

C:\Users\Admin\Desktop\Stromkitty By otaku_codes\StormKittyBuild.exe
"C:\Users\Admin\Desktop\Stromkitty By otaku_codes\StormKittyBuild.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Users\Admin\Desktop\Stromkitty By otaku_codes\stub\stub.exe
"C:\Users\Admin\Desktop\Stromkitty By otaku_codes\stub\stub.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp84AC.tmp.bat
  2⤵
  PID:1436
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2000
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM 1036
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\system32\timeout.exe
    Timeout /T 2 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3292

C:\Users\Admin\Desktop\Stromkitty By otaku_codes\StormKittyBuilder.exe
"C:\Users\Admin\Desktop\Stromkitty By otaku_codes\StormKittyBuilder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\StormKittyBuilder.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d96fad585ebae7bb7393738d34db1b9

SHA1
c0e17aa91b18ad7def2db9a30fbd7dd64aa5f940

SHA256
4a636c7b0dfe5caf7f4e4140b44007bce672bd7a0188367b1218931d2d8092d0

SHA512
2cdb397ce1141a93d0990dc5234459781237aa4e506de95960d8111e8a007082c9ab87f36a50e534442969e56437d70ddd0559cdd8d9757dfa735b855b72d67e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
44ec58490adad0967d9b5def2a3f914e

SHA1
8cb1a14765ced7baa9e001966fa580b7a622e572

SHA256
2ef6794a6ca5d1e80b2340f099f7b5e496846fe42dba07ae8698c2c594a1e20d

SHA512
fffb94a7dfce863424cd87878fdb183e9a0737e16f27219a4ab41cc1871c4d9ac1f698d3bb6aa3ad5d575a47c5df4185278ecb803f239e431fb0c940f9710678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b83e5cb29a7b5789695715374a218014

SHA1
3376680b52cd4d20cf44d3b4be61ace810bf8423

SHA256
8c299271112a9df62a60f89e9e236e2fa8c5b2effbfb9e9d716289d18a720e67

SHA512
74cb535636e4aaa33ad5016c92d7ab72be4c86e987162979a4ed417a59f68882966f5b2a7e89ecbcc0ff35bff822d495e028cb6b8017db152414fee9d82a88b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3d44731d43ce862b3aa281cdf52b7b25

SHA1
a73099a9bb90e783534496249dda22992932a3a7

SHA256
d66d3599d0de5766d6e5cab40dba5aab38a0dd66623789732d029d65900eb11c

SHA512
309f089d7279c6c033f69886f461ca28d42653c7df40db8446edc4853ae094f1ffbd74f2340fbb2191dd57b3e470df865cd979c9ef36ab63cfcc33bee733688c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
af3e10826cbe2b4922a3e5dd1f2358ea

SHA1
4d6b00ea9c3871d82e918a9ec8902dd5a2abef6a

SHA256
f53c4ed5e51eee31857dfa9305b4a98a3f34b4540e6e854c26cf38f75dca523c

SHA512
d3ff1b46cbf06e82c83a900fa4abc3c012d57d76763561acf993bce34de39637fae0e871776580b601d642f82eb477f59ae30a17b2446b8bc52174cf16afccb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp84AC.tmp.bat

Filesize
293B

MD5
5a9c06f7c2d3b70c33335449489a70f6

SHA1
c84d706d33092152f758327f0d870136cf034711

SHA256
c5838f3364284b585afaf584be314cffb072aea9be3c6eb4ee842285f911c255

SHA512
3f91910253f241ad5c3f497abe530e02c77d2c3a29c3cff89dfaa1ad08db56a9b28a2ed1d953e1ce718c8ddc4a8b4669c2d83bc4b906c97351d17302c5c3e132

Download Submit
C:\Users\Admin\Desktop\Stromkitty By otaku_codes\Mono.Cecil.dll

Filesize
337KB

MD5
7546acebc5a5213dee2a5ed18d7ebc6c

SHA1
b964d242c0778485322ccb3a3b7c25569c0718b7

SHA256
7744c9c84c28033bc3606f4dfce2adcd6f632e2be7827893c3e2257100f1cf9e

SHA512
30b3a001550dca88c8effc9e8107442560ee1f42e3d2f354cc2813ae9030bf872c76dc211fd12778385387be5937e9bf172ea00c151cab0bca77c8aafdd11f7d

Download Submit
C:\Users\Admin\Desktop\Stromkitty By otaku_codes\StormKittyBuild.exe

Filesize
366KB

MD5
1afedad3b668e4bd8faa5f2d7abda95b

SHA1
99bca8ccac242858184191f64f5da874722442f8

SHA256
3106f3defd63051dd4652582b58c1f030c102f5f6e49a10e3e008df6e7a27fc1

SHA512
2b9eb2ed122e20e82148c2243d25376cb44008d91a2bda41922380955a532fe827503b527d39b3aa96d8a0cd85cfdc942c23203b87568d292313c203c499c0c0

Download Submit
C:\Users\Admin\Desktop\Stromkitty By otaku_codes\StormKittyBuilder.exe

Filesize
40KB

MD5
94e1a4b2c59d68dcf969affa76f2d6e7

SHA1
6a12b3540c13d11fde4637c504438c852635b41b

SHA256
1930c1df6cd383764992b0ef0169d579937bc51e583a2f6e61038fb0745e2b1a

SHA512
9fe95cb55a0dd039730dd668703447ff5c5d8c1d6928fecc200c5a61d9b7060038a3f924d8f1e04abfc6026e27a4f1161514fe299e7332d35459abab2c24e6b7

Download Submit
C:\Users\Admin\Desktop\Stromkitty By otaku_codes\StormKittyBuilder.exe.config

Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\Users\Admin\Desktop\Stromkitty By otaku_codes\StormKittyBuilder.pdb

Filesize
51KB

MD5
13ba0f1aa576720c11eabf492b0f5d4d

SHA1
17e048417674c1cc4beec5279b1d8acf8f5434fc

SHA256
20be672d349532c4a262659f6f1c7614a475a82465595e1f44f18ac64cda45d1

SHA512
84f1041bb9167055d26e9e87598e012ff0fb19a2eb787b51d95c0f7936190d2f7dae3e58d8cbea7068683a0ded0f3ceb02fdfa7407269705f41c0d2694550cf1

Download Submit
C:\Users\Admin\Desktop\Stromkitty By otaku_codes\stub\stub.exe

Filesize
175KB

MD5
c2094f09d013f8a5dec6ee34b20351b9

SHA1
c2a751a10624dd1c94fd6c62f508784ed372bc90

SHA256
df51b75aa5ce0e64de9d4bbcf7b0a0f76460b8af8c20564ab9b60b1120e35813

SHA512
f42906031d2970bcd6259e120d4f94be4478cd9e780a440d0bf488d978594b2ec1109294f55742a377fdd4a3f38c1d1ad66d31bb45dc7e30ad9c08203852d067

Download Submit
C:\Users\Admin\Downloads\Stromkitty.By.otaku_codes.rar

Filesize
6.1MB

MD5
3cb13bd98e9698289993b3a0c2d8fea5

SHA1
0a3086f6d2f557c63433e972226bf54357b7d28f

SHA256
ba23be58cb6c4d9aa8cff3e1ee24486ccabec2158dfab3812e42f919812da281

SHA512
fca38d754fe22e5cf71364af49b861d37dbbcc3c9ad30a6aec556398ba5b90998e1831c96d5772903ae1e726e1322ec3a3b0ff9524217e0a0c46ec9e522576f1

Download Submit
memory/1036-577-0x00000000009E0000-0x0000000000A10000-memory.dmp

Filesize
192KB

Download
memory/1368-566-0x0000000001890000-0x0000000001896000-memory.dmp

Filesize
24KB

Download
memory/1368-565-0x0000000003020000-0x00000000030A8000-memory.dmp

Filesize
544KB

Download
memory/1368-564-0x0000000000DF0000-0x0000000000E52000-memory.dmp

Filesize
392KB

Download
memory/1500-550-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/3216-609-0x0000000005910000-0x000000000596A000-memory.dmp

Filesize
360KB

Download