Malware Analysis Report

2025-01-03 06:16

Sample ID: 241120-xy39la1enf
Target: CryptoFactory.exe
SHA256: 06a8dff1d1fba038b6d551d502eca4ff79a471a7f3c46ea4cfc88bce5ba86b62
Tags: stormkitty, discovery, stealer
Score: 10/10


Analysis Overview

Threat Level: Known bad

The file CryptoFactory.exe was found to be: Known bad.

Malicious Activity Summary

Tags: stormkitty, discovery, stealer

StormKitty payload

StormKitty

Stormkitty family

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

.NET Reactor protector

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 19:16

Signatures

StormKitty payload


Stormkitty family

Tags: stormkitty

.NET Reactor protector

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 19:16

Reported

2024-11-20 19:17

Platform

win7-20241023-en

Max time kernel

26s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"

Signatures

StormKitty

Tags: stealer, stormkitty

StormKitty payload


Stormkitty family

Tags: stormkitty

.NET Reactor protector

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Client.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Client.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 2940 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | 4
PID 2940 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | C:\Users\Admin\AppData\Roaming\Client.exe | 4
PID 2960 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\SysWOW64\WerFault.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe

"C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"

C:\Users\Admin\AppData\Roaming\CryptoFactory.exe

"C:\Users\Admin\AppData\Roaming\CryptoFactory.exe"

C:\Users\Admin\AppData\Roaming\Client.exe

"C:\Users\Admin\AppData\Roaming\Client.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 520

Network

Country | Destination | Domain | Proto
RU | 46.23.96.107:3001 | N/A | tcp
RU | 46.23.96.107:3001 | N/A | tcp

Files

\Users\Admin\AppData\Roaming\CryptoFactory.exe

MD5: b8868b8ca49dc243910c548e69ca40f5
SHA1: 7d97525e2210ba3ff8a5ea300e4cd95c5827aa39
SHA256: 066fa46e73427f2f9e2d7d6128b2a283a1300114d25240a531bbea3f27039d6c
SHA512: 809f8d5eb0a1d67416566ad358406a44d839e8336a22c6e489a4d03d250178331091c5c17231d1065df267060d1c3fc1226a1a38cf586944c3d0225cce17c186

\Users\Admin\AppData\Roaming\Client.exe

MD5: a66341eb6be2e1497bc12048697b0a1b
SHA1: a721702b08f10d97c9cc1d041b1f147cc269a996
SHA256: c9ee99ccabd3260875974019160063dbbf4bf7bb9d4a9cc9a44ccbaf23ac050a
SHA512: 154e60bfc9f29d1d18aa5fbdc36e10c045cd16402191036dc80c7f8a0f6ca4219361668c5a5f5f01d799b2fe1be319432d358593c230e49bf1d608a3bac5508d

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 19:16

Reported

2024-11-20 19:17

Platform

win10v2004-20241007-en

Max time kernel

46s

Max time network

42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"

Signatures

StormKitty

Tags: stealer, stormkitty

StormKitty payload


Stormkitty family

Tags: stormkitty

.NET Reactor protector

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Client.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Client.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\CryptoFactory.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe

"C:\Users\Admin\AppData\Local\Temp\CryptoFactory.exe"

C:\Users\Admin\AppData\Roaming\CryptoFactory.exe

"C:\Users\Admin\AppData\Roaming\CryptoFactory.exe"

C:\Users\Admin\AppData\Roaming\Client.exe

"C:\Users\Admin\AppData\Roaming\Client.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3632 -ip 3632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 788

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 46.23.96.107:3001 | N/A | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
RU | 46.23.96.107:3001 | N/A | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\CryptoFactory.exe

MD5: b8868b8ca49dc243910c548e69ca40f5
SHA1: 7d97525e2210ba3ff8a5ea300e4cd95c5827aa39
SHA256: 066fa46e73427f2f9e2d7d6128b2a283a1300114d25240a531bbea3f27039d6c
SHA512: 809f8d5eb0a1d67416566ad358406a44d839e8336a22c6e489a4d03d250178331091c5c17231d1065df267060d1c3fc1226a1a38cf586944c3d0225cce17c186

C:\Users\Admin\AppData\Roaming\Client.exe

MD5: a66341eb6be2e1497bc12048697b0a1b
SHA1: a721702b08f10d97c9cc1d041b1f147cc269a996
SHA256: c9ee99ccabd3260875974019160063dbbf4bf7bb9d4a9cc9a44ccbaf23ac050a
SHA512: 154e60bfc9f29d1d18aa5fbdc36e10c045cd16402191036dc80c7f8a0f6ca4219361668c5a5f5f01d799b2fe1be319432d358593c230e49bf1d608a3bac5508d
