Overview

overview

10

Static

static

10

sample1.exe

windows7-x64

10

sample1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1558s
  • max time network
    1559s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-10-2024 16:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample1.exe

  • Size

    45KB

  • MD5

    d4e300eb8ed5bc378b50c2c0fa73dd82

  • SHA1

    de0f866207fa8d5018a82aa75261a65b7d6697bd

  • SHA256

    80e3e1b6447f2f22593ca40b29a153060c2c92bb5e237d2932a275f87dc16146

  • SHA512

    ffaeba3bd79aed5b1f812dcb07efdddf27ec38c788a042f78c57d3caabb363a8c6720df2d0cf9b830b8c73dea2d8350e5e700408c4e831ce3287793aed9b5a8f

  • SSDEEP

    768:+Dl1L0/tSsg+vpZzXOC/5G6hKCJmt02XtRkbyh2M3qQYHzYOahWlte:wzL01rrzXOCRthKCJa0wkby0LYOawHe

Score
10/10
stormkittyxwormdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.16:40164

147.185.221.20:40164
Attributes
  • install_file

    System Volume Information Prefetch.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample1.exe
    "C:\Users\Admin\AppData\Local\Temp\sample1.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF030.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF030.tmp.bat
    Filesize

    159B

    MD5

    43bed6fb808bbf4a74002c2cef8f6900

    SHA1

    44e2d245fa293aa222e8d62316a45bcedd276676

    SHA256

    f553dca488255c388b59be9ad6b947e676ad21b28bfb2f6641aee532df038d54

    SHA512

    869d80cd6a4970598d26f8ef0497affa58faa452afdbd4c2819c3bfc3d5df6490588e13499c3f1b7018b1b3a1ee588983bd5c7a72956c533ca5083c978f21dd1

    Download Submit

  • memory/1304-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1304-1-0x00000000008F0000-0x0000000000902000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1304-2-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1304-3-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1304-4-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1304-5-0x000000001CF70000-0x000000001D2C0000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1304-6-0x000000001B720000-0x000000001B83E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1304-38-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

    Filesize

    9.9MB

    Download