Overview

overview

10

Static

static

3

SilverClient.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    149s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    14-02-2025 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SilverClient.exe

  • Size

    37KB

  • MD5

    776fac12ea695a8f220fc086ac25be69

  • SHA1

    dd90c8b3f18da5c7791a0a1d023fc829e8e6fc71

  • SHA256

    4d42a51d71daae6e4fcf09e5030cce2f9d220a0d4106fca7e0bee974b0fbff0c

  • SHA512

    d6c468d337013025106913092a3c1863acdcdcd1811e5caf6327ab06538cbbf193f1354e836e41495a0dcbc1fd049478765bfdfb39ecb586750452e7dacd7b73

  • SSDEEP

    768:z98X+6AlPNHIcSHLgBaRJGw9I9YB6SPMTtvsGvJE:x8Xhj5j93ofTtUGvJE

Score
10/10
stormkittydiscoveryexecutionstealer

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
    "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8E75.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2704
      • C:\Users\Admin\Discord\$77Discord.exe
        "C:\Users\Admin\Discord\$77Discord.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:416
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2140
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QUVCMzYzRkQtMjNFNC00RUNGLUI5MEUtOEQ0NTE3RUIxRkMxfSIgdXNlcmlkPSJ7NDJBRjM0ODEtRjA0Ni00MkZELTk4QTQtQTZFMEQwM0RBMUNGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MzEyMjMwRTItOTIxQy00RDBCLTlBQUEtQkVCNDBEOTg2NTA0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMyIgaW5zdGFsbGRhdGV0aW1lPSIxNzM5MjcwMTc2IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM3NDE5NzIxMjIwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDg3MTI5OTExOCIvPjwvYXBwPjwvcmVxdWVzdD4
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:1112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnmxcjpp.d0u.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp8E75.tmp.bat
    Filesize

    146B

    MD5

    fdc919b3fb3ac306bc22500fa4124dcc

    SHA1

    0498cd25415bcfe1136e6e68eb0c2a6e141443d5

    SHA256

    718a3ef26a8f1ef6453e589cdf3537c6fdfa6a16442cee8f63b708bc9c0946a0

    SHA512

    2060cdb94d657d214be4f7b498d2543fd8b59f2390572dab1d0c0eb8ac67474dcd4d1c01fc15bd83bb211b8857ce7e7f23353034ff25f5cd280ce4de4afadce0

    Download Submit

  • C:\Users\Admin\Discord\$77Discord.exe
    Filesize

    37KB

    MD5

    776fac12ea695a8f220fc086ac25be69

    SHA1

    dd90c8b3f18da5c7791a0a1d023fc829e8e6fc71

    SHA256

    4d42a51d71daae6e4fcf09e5030cce2f9d220a0d4106fca7e0bee974b0fbff0c

    SHA512

    d6c468d337013025106913092a3c1863acdcdcd1811e5caf6327ab06538cbbf193f1354e836e41495a0dcbc1fd049478765bfdfb39ecb586750452e7dacd7b73

    Download Submit

  • memory/416-12-0x00007FFC95440000-0x00007FFC95F02000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/416-13-0x00007FFC95440000-0x00007FFC95F02000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/416-26-0x00007FFC95440000-0x00007FFC95F02000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/416-28-0x000000001E890000-0x000000001E8BA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2140-23-0x0000022FF51A0000-0x0000022FF51C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3620-0-0x00007FFC95A23000-0x00007FFC95A25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3620-1-0x0000000000150000-0x000000000015E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3620-2-0x00007FFC95A20000-0x00007FFC964E2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3620-8-0x00007FFC95A20000-0x00007FFC964E2000-memory.dmp

    Filesize

    10.8MB

    Download