stormkitty | a6b304da706f65520019273d5f35dc9ede582febfe9e9a1d87c482eb46433256

Analysis

max time kernel
103s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ac2fcc4daab08132ad947ffedcf88286f2af526a260111f3ae00de9ba0a6283.exe
Size

83KB
MD5

299057a5ffbb5e70f8514df5f9796b9e
SHA1

c9eb1364dd1220c074af581343b636995eea4288
SHA256

5ac2fcc4daab08132ad947ffedcf88286f2af526a260111f3ae00de9ba0a6283
SHA512

7b898cce4b6b252fa8b7bb5be36fcf98c191e59de655fcb2733f5263adc53ad06c0fb094d7df29d6cb872825c2e0d92ca1b2509519ce9ab317804bf949ece4c2
SSDEEP

1536:yAMfrTX01OrGpRZNdbv66Claewnph6Nu3qdMhXWxZiXQv6Qd+FUf9bfNhExjDkOc:ZDewnphbwxfrff9bHEhDkOed

Score

10^/10

stormkitty persistence stealer

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral22/memory/2476-1-0x00000000001D0000-0x00000000001EA000-memory.dmp	disable_win_def

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral22/memory/2476-1-0x00000000001D0000-0x00000000001EA000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Local Drivers\\DriversUpdateProcess_x64.exe"	5ac2fcc4daab08132ad947ffedcf88286f2af526a260111f3ae00de9ba0a6283.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	checkip.dyndns.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2476	5ac2fcc4daab08132ad947ffedcf88286f2af526a260111f3ae00de9ba0a6283.exe
2476	5ac2fcc4daab08132ad947ffedcf88286f2af526a260111f3ae00de9ba0a6283.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	5ac2fcc4daab08132ad947ffedcf88286f2af526a260111f3ae00de9ba0a6283.exe

C:\Users\Admin\AppData\Local\Temp\5ac2fcc4daab08132ad947ffedcf88286f2af526a260111f3ae00de9ba0a6283.exe
"C:\Users\Admin\AppData\Local\Temp\5ac2fcc4daab08132ad947ffedcf88286f2af526a260111f3ae00de9ba0a6283.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\NVIDIA Local Drivers\DriversUpdateProcess_x64.exe
1⤵
PID:1416

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2476-0-0x00007FFCCA203000-0x00007FFCCA205000-memory.dmp

Filesize
8KB

Download
memory/2476-1-0x00000000001D0000-0x00000000001EA000-memory.dmp

Filesize
104KB

Download
memory/2476-2-0x00007FFCCA200000-0x00007FFCCACC1000-memory.dmp

Filesize
10.8MB

Download
memory/2476-5-0x00007FFCCA200000-0x00007FFCCACC1000-memory.dmp

Filesize
10.8MB

Download