Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2024 14:31
Behavioral task behavioral1
Sample: Realtek.exe
Resource: win7-20241010-en

Behavioral task behavioral2
Sample: Realtek.exe
Resource: win10v2004-20241007-en
General

Target: Realtek.exe
Size: 80KB
MD5: 9bcb1a253d07b610da76fd22ad176c9d
SHA1: e5f8196083beab009db092fe891e88551393b247
SHA256: 3cf37367797ad61761ab44b22ec80c206d31411a604106d061be6935787b8110
SHA512: 1d0729cbff3905f937a59a9e56ed4c65cb805395cc430035b45bb82e1b06d8cfa490466d3661ade18b05e4be74ba642df1b61c03dbf7f22740373687261c5744
SSDEEP: 1536:FZno9xptw8VGHE1uWdas6vKPHvfpK3I5hxS9a/voKxjzxtV3wFrD:F+bZPfpK3g69a/voKhzxtdwFn
Malware Config
Signatures (all listed results are from behavioral1, the Windows 7 run; no behavioral2 results appear on this page)

Contains code to disable Windows Defender (1 IoC)
A .NET executable containing code to disable Windows Defender capabilities such as real-time monitoring and block-at-first-sight.
  resource: behavioral1/memory/2088-1-0x00000000000D0000-0x00000000000E8000-memory.dmp
  yara_rule: disable_win_def

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
  resource: behavioral1/memory/2088-1-0x00000000000D0000-0x00000000000E8000-memory.dmp
  yara_rule: family_stormkitty

Stormkitty family

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Local Drivers\\DriversUpdateProcess_x64.exe"
  process: Realtek.exe
  Note the target path is under the user's AppData\Local and uses an NVIDIA-themed directory and value name, while the sample itself is named Realtek.exe; both the value name and the dropped path are useful hunting keys.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 4
  ioc: checkip.dyndns.org

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2088
  process: Realtek.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2088 wrote to memory of 3008  pid: 2088  process: Realtek.exe  procid_target: 30
  description: PID 2088 wrote to memory of 3008  pid: 2088  process: Realtek.exe  procid_target: 30
  description: PID 2088 wrote to memory of 3008  pid: 2088  process: Realtek.exe  procid_target: 30
  PID 3008 is WerFault.exe launched for PID 2088 (see Processes), so these writes belong to Windows Error Reporting's crash hand-off rather than to injection into an unrelated process.
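The persistence, IP-lookup and WriteProcessMemory signatures above can be re-derived from host and network telemetry. The following is an added example (not part of the sandbox report and not StormKitty code): it runs three checks over constructed events shaped after the report's IoCs. The event schema, the extra IP-lookup hosts beyond checkip.dyndns.org, and the field names are assumptions for illustration; the Run key value, path, PIDs and WerFault command line are taken from the report. The third check shows the caveat a practitioner wants: a cross-process write into WerFault.exe whose -p argument is the writer's own PID is a crash report, not injection.

```python
"""Re-derive the report's persistence, IP-lookup and WriteProcessMemory signatures
from constructed telemetry events. Added example; not part of the sandbox report."""
import re
from typing import Optional

# checkip.dyndns.org is the host seen in the report; the other entries are
# assumed additions covering services stealers commonly use for the same purpose.
IP_LOOKUP_HOSTS = {
    "checkip.dyndns.org", "checkip.dyndns.com",
    "api.ipify.org", "icanhazip.com", "ifconfig.me",
}
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$",
    re.IGNORECASE,
)
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
WERFAULT_PID_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)

# Constructed events shaped after the report's IoCs (the event schema is assumed).
EVENTS = [
    {"type": "registry_set", "pid": 2088, "process": "Realtek.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn",
     "value": r"C:\Users\Admin\AppData\Local\NVIDIA Local Drivers\DriversUpdateProcess_x64.exe"},
    {"type": "dns", "pid": 2088, "process": "Realtek.exe", "query": "checkip.dyndns.org"},
    {"type": "http", "pid": 2088, "process": "Realtek.exe",
     "method": "GET", "host": "checkip.dyndns.org", "url": "http://checkip.dyndns.org/"},
    {"type": "process_access", "pid": 2088, "process": "Realtek.exe",
     "target_pid": 3008, "target": "WerFault.exe",
     "target_cmdline": r"C:\Windows\system32\WerFault.exe -u -p 2088 -s 1068"},
]


def check_run_key(ev: dict) -> Optional[dict]:
    """Run/RunOnce value written (T1547.001); flag when the target sits in a user-writable path."""
    if ev.get("type") != "registry_set":
        return None
    m = RUN_KEY_RE.search(ev["key"])
    if not m:
        return None
    target = ev["value"].strip('"')
    return {"sig": "run_key_persistence", "pid": ev["pid"],
            "value_name": m.group(2), "target": target,
            "user_writable": bool(USER_WRITABLE_RE.match(target))}


def check_ip_lookup(ev: dict) -> Optional[dict]:
    """External IP discovery via a public lookup service, visible at DNS or HTTP level."""
    if ev.get("type") == "dns":
        host = ev.get("query", "")
    elif ev.get("type") == "http":
        host = ev.get("host", "")
    else:
        return None
    if host.lower() in IP_LOOKUP_HOSTS:
        return {"sig": "external_ip_lookup", "pid": ev["pid"],
                "host": host.lower(), "via": ev["type"]}
    return None


def check_process_access(ev: dict) -> Optional[dict]:
    """Separate a WER crash hand-off (WerFault.exe -p <writer's pid>) from other cross-process writes."""
    if ev.get("type") != "process_access":
        return None
    m = WERFAULT_PID_RE.search(ev.get("target_cmdline", ""))
    if m and int(m.group(1)) == ev["pid"]:
        return {"sig": "crash_reported", "pid": ev["pid"], "handler_pid": ev["target_pid"]}
    return {"sig": "write_process_memory", "pid": ev["pid"], "target_pid": ev["target_pid"]}


CHECKS = (check_run_key, check_ip_lookup, check_process_access)


def triage(events: list) -> list:
    """Run every check over every event; findings come back in event order."""
    findings = []
    for ev in events:
        for chk in CHECKS:
            finding = chk(ev)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)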
Processes

C:\Users\Admin\AppData\Local\Temp\Realtek.exe (PID 2088)
  command line: "C:\Users\Admin\AppData\Local\Temp\Realtek.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\WerFault.exe (PID 3008, child of 2088)
    command line: C:\Windows\system32\WerFault.exe -u -p 2088 -s 1068

WerFault.exe -u -p 2088 is Windows Error Reporting invoked for an unhandled exception in PID 2088, i.e. the sample faulted on the Windows 7 image after setting persistence and performing the IP lookup. The WriteProcessMemory signature targets this WER process, not a third-party process.
Network

DNS (remote address 8.8.8.8:53)
  request:  checkip.dyndns.org  IN A
  response: checkip.dyndns.org  IN CNAME  checkip.dyndns.com
            checkip.dyndns.com  IN A      132.226.247.73
            checkip.dyndns.com  IN A      132.226.8.169
            checkip.dyndns.com  IN A      193.122.130.0
            checkip.dyndns.com  IN A      158.101.44.242
            checkip.dyndns.com  IN A      193.122.6.168

HTTP (remote address 132.226.247.73:80)
  request:
    GET / HTTP/1.1
    Host: checkip.dyndns.org
    Connection: Keep-Alive
  response:
    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: e0c1a9adae0c44656844534ec846403c
  flow counters: 298 B sent / 455 B received, 5 packets sent / 3 packets received
  HTTP Request: GET http://checkip.dyndns.org/
  HTTP Response: 200

The request carries only Host and Connection headers and no User-Agent, which is a usable proxy-log discriminator for this lookup alongside the destination host.