Malware Analysis Report

2025-01-03 06:15

Sample ID: 241120-x11w9asdqr
Target: CryptoFactory.exe
SHA256: 06a8dff1d1fba038b6d551d502eca4ff79a471a7f3c46ea4cfc88bce5ba86b62
Tags: stormkitty discovery stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 06a8dff1d1fba038b6d551d502eca4ff79a471a7f3c46ea4cfc88bce5ba86b62

Threat Level: Known bad

The file CryptoFactory.exe was found to be: Known bad.

Malicious Activity Summary

Tags: stormkitty discovery stealer

- StormKitty payload
- Stormkitty family
- StormKitty
- Executes dropped EXE
- Loads dropped DLL
- .NET Reactor protector
- Checks computer location settings
- Enumerates physical storage devices
- Unsigned PE
- Program crash
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-20 19:22

Signatures

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family (tag: stormkitty)

.NET Reactor protector

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-20 19:19
Reported: 2024-11-20 19:25
Platform: win7-20240903-en
Max time kernel: 2s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"

Signatures

StormKitty (tags: stealer stormkitty)

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Stormkitty family (tag: stormkitty)

.NET Reactor protector

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Client.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2124 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe
PID 2124 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe
PID 2124 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe
PID 2124 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe
PID 2124 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | C:\Users\Admin\AppData\Roaming\Client.exe
PID 2124 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | C:\Users\Admin\AppData\Roaming\Client.exe
PID 2124 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | C:\Users\Admin\AppData\Roaming\Client.exe
PID 2124 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | C:\Users\Admin\AppData\Roaming\Client.exe
PID 2676 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2676 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2676 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2676 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | "C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"
C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | "C:\Users\Admin\AppData\Roaming\CryptoFactory.exe"
C:\Users\Admin\AppData\Roaming\Client.exe | "C:\Users\Admin\AppData\Roaming\Client.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 520

Network

Country | Destination | Domain | Proto
RU | 46.23.96.107:3001 | N/A | tcp
RU | 46.23.96.107:3001 | N/A | tcp

Files

memory/2124-0-0x0000000074F51000-0x0000000074F52000-memory.dmp

memory/2124-1-0x0000000074F50000-0x00000000754FB000-memory.dmp

memory/2124-3-0x0000000074F50000-0x00000000754FB000-memory.dmp

C:\Users\Admin\AppData\Roaming\CryptoFactory.exe

MD5 f5235488b702f4b1575bf4a3c0ef6147
SHA1 2bda5e066040d5a8237051b6c002264c8ac4ad28
SHA256 5cbf590c6d01aa67ce2ac5a9ed5e436dff5e1e75ff6a05218faced3ecb0c3852
SHA512 6a24fbdae06cf4de23d9dd3bc064c201a56e9e89a9ef94a8870238210a70385da154d7613f3ed8b997d0eef2ad1c0f2b4357aadde1affe8e0ed2304f9b281477

C:\Users\Admin\AppData\Roaming\Client.exe

MD5 a66341eb6be2e1497bc12048697b0a1b
SHA1 a721702b08f10d97c9cc1d041b1f147cc269a996
SHA256 c9ee99ccabd3260875974019160063dbbf4bf7bb9d4a9cc9a44ccbaf23ac050a
SHA512 154e60bfc9f29d1d18aa5fbdc36e10c045cd16402191036dc80c7f8a0f6ca4219361668c5a5f5f01d799b2fe1be319432d358593c230e49bf1d608a3bac5508d

memory/2124-18-0x0000000074F50000-0x00000000754FB000-memory.dmp

memory/2816-17-0x0000000072E9E000-0x0000000072E9F000-memory.dmp

memory/2676-19-0x0000000000340000-0x00000000003B2000-memory.dmp

memory/2676-21-0x0000000072E90000-0x000000007357E000-memory.dmp

memory/2816-20-0x00000000001B0000-0x000000000073C000-memory.dmp

memory/2816-22-0x00000000008C0000-0x00000000008C6000-memory.dmp

C:\Users\Admin\AppData\Roaming\CryptoFactory.exe

MD5 015af0b0f020d555b6aa8954b7e19117
SHA1 c11323f09e800b83f346b4ccfbedbd7919c54b5e
SHA256 9ddabf3b607d6af97bd37b5d5a21bfdfc297e77f869cd75ba189dc79fcc64f33
SHA512 12a8cdc2b122392a440f5d1b53bb8765158958416c8e217573d14f6aa8bf1d587ceb722e09d85a86ebf042ce89dafdd77b1ccf8354c73528285dfc641e90ea9d

\Users\Admin\AppData\Roaming\CryptoFactory.exe

MD5 b8868b8ca49dc243910c548e69ca40f5
SHA1 7d97525e2210ba3ff8a5ea300e4cd95c5827aa39
SHA256 066fa46e73427f2f9e2d7d6128b2a283a1300114d25240a531bbea3f27039d6c
SHA512 809f8d5eb0a1d67416566ad358406a44d839e8336a22c6e489a4d03d250178331091c5c17231d1065df267060d1c3fc1226a1a38cf586944c3d0225cce17c186

memory/2816-28-0x000000000B8D0000-0x000000000C016000-memory.dmp

memory/2816-29-0x0000000000C00000-0x0000000000C06000-memory.dmp

memory/2676-30-0x0000000072E90000-0x000000007357E000-memory.dmp

memory/2816-31-0x0000000072E9E000-0x0000000072E9F000-memory.dmp

memory/2816-33-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

memory/2816-32-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-20 19:19
Reported: 2024-11-20 19:25
Platform: win10v2004-20241007-en
Max time kernel: 0s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"

Signatures

StormKitty (tags: stealer stormkitty)

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Stormkitty family (tag: stormkitty)

.NET Reactor protector

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | "C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"
C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | "C:\Users\Admin\AppData\Roaming\CryptoFactory.exe"
C:\Users\Admin\AppData\Roaming\Client.exe | "C:\Users\Admin\AppData\Roaming\Client.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2592 -ip 2592
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 788

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp
RU | 46.23.96.107:3001 | N/A | tcp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
RU | 46.23.96.107:3001 | N/A | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/3976-0-0x0000000074A42000-0x0000000074A43000-memory.dmp

memory/3976-2-0x0000000074A40000-0x0000000074FF1000-memory.dmp

memory/3976-1-0x0000000074A40000-0x0000000074FF1000-memory.dmp

C:\Users\Admin\AppData\Roaming\CryptoFactory.exe

MD5 a711fd416cd5f763a62cf5cea6a3facd
SHA1 7ec788d689eb653d1295bf3836c1a94a29be9da2
SHA256 06b1504869220b6a907a6e4b79a7a0be0df599e25dc2b5e6d1327c9ec0354287
SHA512 108304bc4e36d4b36d5f257458cc06a4d8b7765b863a9b4ad9ba4bc31fbbb637b4997511e407291f6e5ea40659b9bc766f1881e0a73a33cd88b89a8e11f16476

C:\Users\Admin\AppData\Roaming\CryptoFactory.exe

MD5 c50d1ed6d5f20b8deaa2de1d1b093979
SHA1 db1765aad7d201e4538702468f448ca43bb13e15
SHA256 216c3fcf3f7ce041bbe2fe838203a0f58d70f26f179348a30e7f16faa6d62229
SHA512 3174d576d1ae4c6ee676eecf1a76e26648571ae5209607f80f0680472c5d3f8281126de4f6af2fde6a42ef576d622d4e881fc4018b2985b00e6ca309ad93e26c

memory/2592-26-0x0000000071C1E000-0x0000000071C1F000-memory.dmp

memory/4164-30-0x0000000000180000-0x000000000070C000-memory.dmp

memory/4164-31-0x0000000002A00000-0x0000000002A06000-memory.dmp

memory/4164-29-0x0000000071C10000-0x00000000723C0000-memory.dmp

memory/3976-28-0x0000000074A40000-0x0000000074FF1000-memory.dmp

memory/2592-27-0x00000000002E0000-0x0000000000352000-memory.dmp

C:\Users\Admin\AppData\Roaming\Client.exe

MD5 a66341eb6be2e1497bc12048697b0a1b
SHA1 a721702b08f10d97c9cc1d041b1f147cc269a996
SHA256 c9ee99ccabd3260875974019160063dbbf4bf7bb9d4a9cc9a44ccbaf23ac050a
SHA512 154e60bfc9f29d1d18aa5fbdc36e10c045cd16402191036dc80c7f8a0f6ca4219361668c5a5f5f01d799b2fe1be319432d358593c230e49bf1d608a3bac5508d

C:\Users\Admin\AppData\Roaming\CryptoFactory.exe

MD5 e0420dafe77952b8b4e0bf37032aefcb
SHA1 9ecc683ebac8295636271f8bd4d8faa68ab118d6
SHA256 85120662f778f29f57dc144901d69418576835fa015541f91210b6ee98587c74
SHA512 86a51997b18df98bfc45acd7987fc985d35d56a04e8ce8bd79e4ce8ae47b6764ce1fa342177604bbffc49c2fc2e763a1da2186a6e33db01c9d84c25a7e245dab

memory/4164-32-0x0000000008560000-0x0000000008CA6000-memory.dmp

memory/4164-33-0x0000000005060000-0x0000000005082000-memory.dmp

memory/4164-34-0x000000000C290000-0x000000000C296000-memory.dmp

memory/4164-35-0x0000000071C10000-0x00000000723C0000-memory.dmp

memory/4164-36-0x000000000F2A0000-0x000000000F5F4000-memory.dmp

memory/4164-37-0x0000000071C10000-0x00000000723C0000-memory.dmp

memory/4164-39-0x0000000071C10000-0x00000000723C0000-memory.dmp