Overview

overview

10

Static

static

10

FreePhotoS...ks.exe

windows10-2004-x64

10

FreePhotoS...ks.exe

windows10-ltsc_2021-x64

10

FreePhotoS...ks.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1s
  • max time network
    290s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/04/2025, 08:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FreePhotoShop Meme Coin Packs.exe

  • Size

    250KB

  • MD5

    310c1b76fbf1b164cc59a158949d24f3

  • SHA1

    5bedfc6a6bbfbc79ec5a1510a5bb45e48ec9d914

  • SHA256

    138b3883e8ccf6496ae1d5f9499a8dda3e46be499eed57d054d810079b91ecb2

  • SHA512

    1f4451f9af213f4329b3b4b9c4d3069cbdee2fb8a6e82cb7494b361a3b8d907ded7b71261330fc8b21271c1414359c5955fa311c2a229e3b0179a216eb0212a8

  • SSDEEP

    6144:P6AfoFv2O72QFbFB/lkyO4k/v9bdUkbz:SAQFuS2QFhjkysw

Score
10/10
stormkittycollectioncredential_accessdiscoverystealer

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Uses browser remote debugging 2 TTPs 5 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FreePhotoShop Meme Coin Packs.exe
    "C:\Users\Admin\AppData\Local\Temp\FreePhotoShop Meme Coin Packs.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:3668
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • System Network Configuration Discovery: Wi-Fi Discovery
      PID:2968
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:5492
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:3608
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          3⤵
            PID:2856
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          2⤵
            PID:2492
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              3⤵
                PID:4460
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:1944
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
                2⤵
                • Uses browser remote debugging
                PID:4340
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffce91dcf8,0x7fffce91dd04,0x7fffce91dd10
                  3⤵
                    PID:5448
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1508,i,5372957728669275417,9466373489572883872,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2172 /prefetch:11
                    3⤵
                      PID:3752
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1996,i,5372957728669275417,9466373489572883872,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1992 /prefetch:2
                      3⤵
                        PID:5044
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2412,i,5372957728669275417,9466373489572883872,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2592 /prefetch:13
                        3⤵
                          PID:3688
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3312,i,5372957728669275417,9466373489572883872,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3324 /prefetch:1
                          3⤵
                          • Uses browser remote debugging
                          PID:2480
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3336,i,5372957728669275417,9466373489572883872,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3368 /prefetch:1
                          3⤵
                          • Uses browser remote debugging
                          PID:5388
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4292,i,5372957728669275417,9466373489572883872,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4356 /prefetch:9
                          3⤵
                          • Uses browser remote debugging
                          PID:5704
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4680,i,5372957728669275417,9466373489572883872,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4256 /prefetch:1
                          3⤵
                          • Uses browser remote debugging
                          PID:2960
                    • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                      1⤵
                        PID:4548

                      Network

                      MITRE ATT&CK Enterprise v16

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                        Filesize

                        2B

                        MD5

                        d751713988987e9331980363e24189ce

                        SHA1

                        97d170e1550eee4afc0af065b78cda302a97674c

                        SHA256

                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                        SHA512

                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                        Filesize

                        78KB

                        MD5

                        1113adaad2b78564a3ca71fbee597231

                        SHA1

                        73cee24144b1638985df23ba5c40c96917418089

                        SHA256

                        f0ecb52b4cb55138952dd5ec7efd0f91a95813ad8dd485f2212c9c88ab4eac5b

                        SHA512

                        e2470625109e2185bc395490fcd6bc246b072f008366613c9a7b1df091ecaf7b40eae6791b2f3e02b3db6d5cefd94e43e01ba9160cfbe7fb5d56e40b95657e0e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\181.215.176.43\Browsers\Firefox\FirefoxBookmarks.txt
                        Filesize

                        81B

                        MD5

                        ea511fc534efd031f852fcf490b76104

                        SHA1

                        573e5fa397bc953df5422abbeb1a52bf94f7cf00

                        SHA256

                        e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

                        SHA512

                        f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\181.215.176.43\System\Process.txt
                        Filesize

                        4KB

                        MD5

                        fe3e318af7631ac146d59312a0435b17

                        SHA1

                        995207a949a377acf94157d7c866c3d208fe7bcd

                        SHA256

                        1bc9a434e92d19e3fbda55ce54747ceda5f3a719b26821cf35b86224800d17ff

                        SHA512

                        16f9f259545eeafdb8165805a43325f3c022e8be645c337e1cd870f616083953a0bfad926aaf8bcb268a4ba1f5d5c1e74d53ef507621a0e40c1cebdb72cce211

                        Download Submit

                      • memory/3668-4-0x0000000074B60000-0x0000000075311000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/3668-7-0x0000000006B50000-0x0000000006BE2000-memory.dmp

                        Filesize

                        584KB

                        Download

                      • memory/3668-6-0x00000000064A0000-0x0000000006506000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/3668-96-0x00000000073A0000-0x0000000007946000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/3668-5-0x0000000005F00000-0x000000000642C000-memory.dmp

                        Filesize

                        5.2MB

                        Download

                      • memory/3668-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3668-3-0x0000000004F80000-0x0000000005142000-memory.dmp

                        Filesize

                        1.8MB

                        Download

                      • memory/3668-2-0x0000000004D90000-0x0000000004DA2000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/3668-1-0x0000000000340000-0x0000000000384000-memory.dmp

                        Filesize

                        272KB

                        Download

                      • memory/3668-185-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3668-186-0x0000000074B60000-0x0000000075311000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/3668-205-0x0000000074B60000-0x0000000075311000-memory.dmp

                        Filesize

                        7.7MB

                        Download