Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2024 14:31

General

  • Target

    Realtek.exe

  • Size

    80KB

  • MD5

    9bcb1a253d07b610da76fd22ad176c9d

  • SHA1

    e5f8196083beab009db092fe891e88551393b247

  • SHA256

    3cf37367797ad61761ab44b22ec80c206d31411a604106d061be6935787b8110

  • SHA512

    1d0729cbff3905f937a59a9e56ed4c65cb805395cc430035b45bb82e1b06d8cfa490466d3661ade18b05e4be74ba642df1b61c03dbf7f22740373687261c5744

  • SSDEEP

    1536:FZno9xptw8VGHE1uWdas6vKPHvfpK3I5hxS9a/voKxjzxtV3wFrD:F+bZPfpK3g69a/voKhzxtdwFn

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Realtek.exe
    "C:\Users\Admin\AppData\Local\Temp\Realtek.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2088 -s 1068
      2⤵
        PID:3008

    Network

    • flag-us
      DNS
      checkip.dyndns.org
      Realtek.exe
      Remote address: 8.8.8.8:53
      Request
      checkip.dyndns.org IN A
      Response
      checkip.dyndns.org IN CNAME checkip.dyndns.com
      checkip.dyndns.com IN A 132.226.247.73
      checkip.dyndns.com IN A 132.226.8.169
      checkip.dyndns.com IN A 193.122.130.0
      checkip.dyndns.com IN A 158.101.44.242
      checkip.dyndns.com IN A 193.122.6.168
    • flag-br
      GET
      http://checkip.dyndns.org/
      Realtek.exe
      Remote address: 132.226.247.73:80
      Request
      GET / HTTP/1.1
      Host: checkip.dyndns.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sat, 23 Nov 2024 14:31:53 GMT
      Content-Type: text/html
      Content-Length: 106
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: e0c1a9adae0c44656844534ec846403c
    • 132.226.247.73:80
      http://checkip.dyndns.org/
      http
      Realtek.exe
      298 B
      455 B
      5
      3

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200
    • 8.8.8.8:53
      checkip.dyndns.org
      dns
      Realtek.exe
      64 B
      176 B
      1
      1

      DNS Request

      checkip.dyndns.org

      DNS Response

      132.226.247.73
      132.226.8.169
      193.122.130.0
      158.101.44.242
      193.122.6.168

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/2088-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

      Filesize

      4KB

    • memory/2088-1-0x00000000000D0000-0x00000000000E8000-memory.dmp

      Filesize

      96KB

    • memory/2088-2-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

      Filesize

      9.9MB

    • memory/2088-5-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

      Filesize

      4KB

    • memory/2088-6-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

      Filesize

      9.9MB