Malware analysis StormKitty .exe Malicious activity | ANY.RUN

Add for printing

File name:	StormKitty .exe
Full analysis:	https://app.any.run/tasks/f6208f35-6865-4346-8ddd-8e0b7f6eb8ff
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 23, 2024, 11:15:29
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	discord exfiltration stealer xor-url generic ims-api ransomware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	B8036A0C3EBD74949C38BC101160BFFE
SHA1:	96B276F48713B375772A075DBA4263E38B9B222B
SHA256:	9EEB89F878F19BA639ABD2AF83C5FEAF8EFB5D9087CC88F66A94FCCFD2BA7199
SSDEEP:	6144:xl6RStgiI+5kTwKee32P6NlLYMHq9Nx7Y2l8ZRXrditiAcKLkIaQJ2/UhUYdGTqz:xGCl1T2kB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Disables Windows Defender
  - StormKitty .exe (PID: 6320)
- Changes the login/logoff helper path in the registry
  - StormKitty .exe (PID: 6320)
- Deletes shadow copies
  - cmd.exe (PID: 6848)
- UAC/LUA settings modification
  - StormKitty .exe (PID: 6320)
- RANSOMWARE has been detected
  - StormKitty .exe (PID: 6320)
- Renames files like ransomware
  - StormKitty .exe (PID: 6320)
- Changes settings for checking scripts for malicious actions
  - powershell.exe (PID: 4320)
- XORed URL has been found (YARA)
  - StormKitty .exe (PID: 6320)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - StormKitty .exe (PID: 6320)
  - ShellExperienceHost.exe (PID: 6292)
- Query Microsoft Defender preferences
  - StormKitty .exe (PID: 6320)
- Starts CMD.EXE for commands execution
  - StormKitty .exe (PID: 6320)
- Starts POWERSHELL.EXE for commands execution
  - StormKitty .exe (PID: 6320)
- Executes as Windows Service
  - VSSVC.exe (PID: 7048)
- The process connected to a server suspected of theft
  - StormKitty .exe (PID: 6320)
- Possible usage of Discord/Telegram API has been detected (YARA)
  - StormKitty .exe (PID: 6320)
INFO
- Checks supported languages
  - StormKitty .exe (PID: 6320)
  - ShellExperienceHost.exe (PID: 6292)
- Reads the computer name
  - StormKitty .exe (PID: 6320)
  - ShellExperienceHost.exe (PID: 6292)
- Reads the machine GUID from the registry
  - StormKitty .exe (PID: 6320)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 6924)
- Process checks whether UAC notifications are on
  - StormKitty .exe (PID: 6320)
- The process uses the downloaded file
  - powershell.exe (PID: 6452)
  - StormKitty .exe (PID: 6320)
  - powershell.exe (PID: 7012)
  - powershell.exe (PID: 7164)
  - powershell.exe (PID: 5872)
  - powershell.exe (PID: 4052)
  - powershell.exe (PID: 6956)
  - powershell.exe (PID: 4320)
  - powershell.exe (PID: 644)
  - powershell.exe (PID: 6912)
  - powershell.exe (PID: 6096)
- Process checks computer location settings
  - StormKitty .exe (PID: 6320)
- Disables trace logs
  - StormKitty .exe (PID: 6320)
- Reads the software policy settings
  - StormKitty .exe (PID: 6320)
- Checks proxy server information
  - StormKitty .exe (PID: 6320)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 4320)
  - powershell.exe (PID: 7164)
  - powershell.exe (PID: 6956)
  - powershell.exe (PID: 6452)
  - powershell.exe (PID: 7012)
  - powershell.exe (PID: 4052)
  - powershell.exe (PID: 5872)
  - powershell.exe (PID: 644)
  - powershell.exe (PID: 6096)
  - powershell.exe (PID: 6912)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 5872)
  - powershell.exe (PID: 7164)
  - powershell.exe (PID: 6956)
  - powershell.exe (PID: 7012)
  - powershell.exe (PID: 4320)
  - powershell.exe (PID: 4052)
  - powershell.exe (PID: 644)
  - powershell.exe (PID: 6096)
  - powershell.exe (PID: 6912)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

xor-url

(PID) Process(6320) StormKitty .exe

Decrypted-URLs (2)https://cdn.discordapp.com/attachments/1181224049104408630/1181224377279320084/image.png?

https://discord.com/api/webhooks/1181224104334991400/FvuIiNoEm_UgkGzYaLlGon6q38zd2AJLz8_M9xjYAoUwVkgssqrpnkTFJtHBo36iPJY-

ims-api

(PID) Process(6320) StormKitty .exe

Discord-Webhook-Tokens (1)1181224104334991400/FvuIiNoEm_UgkGzYaLlGon6q38zd2AJLz8_M9xjYAoUwVkgssqrpnkTFJtHBo36iPJY-

Discord-Info-Links

1181224104334991400/FvuIiNoEm_UgkGzYaLlGon6q38zd2AJLz8_M9xjYAoUwVkgssqrpnkTFJtHBo36iPJY-

Get Webhook Infohttps://discord.com/api/webhooks/1181224104334991400/FvuIiNoEm_UgkGzYaLlGon6q38zd2AJLz8_M9xjYAoUwVkgssqrpnkTFJtHBo36iPJY-

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2102:05:14 05:43:30+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	48
CodeSize:	593408
InitializedDataSize:	5632
UninitializedDataSize:	-
EntryPoint:	0x92c2e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	BlackoutWare
FileVersion:	1.0.0.0
InternalName:	BlackoutWare.exe
LegalCopyright:	Copyright © 2023
LegalTrademarks:	-
OriginalFileName:	BlackoutWare.exe
ProductName:	BlackoutWare
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

157

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

644

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

StormKitty .exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1468

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3144

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4052

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

StormKitty .exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

4320

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

StormKitty .exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

4716

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4764

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5872

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

StormKitty .exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6096

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

StormKitty .exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6172

"C:\Users\admin\AppData\Local\Temp\ StormKitty .exe"

C:\Users\admin\AppData\Local\Temp\ StormKitty .exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

BlackoutWare

Exit code:

3221226540

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\ stormkitty .exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

Add for printing

Total events

65 424

Read events

65 399

Write events

Delete events

Modification events


(PID) Process:	(6320) StormKitty .exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Operation:	write	Name:	TamperProtection
Value: 0
(PID) Process:	(6320) StormKitty .exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:	write	Name:	DisableAntiSpyware
Value: 1
(PID) Process:	(6320) StormKitty .exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:	write	Name:	DisableBehaviorMonitoring
Value: 1
(PID) Process:	(6320) StormKitty .exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:	write	Name:	DisableOnAccessProtection
Value: 1
(PID) Process:	(6320) StormKitty .exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation:	write	Name:	DisableScanOnRealtimeEnable
Value: 1
(PID) Process:	(6320) StormKitty .exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	DisableTaskMgr
Value: 1
(PID) Process:	(6320) StormKitty .exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	ShellExperience
Value: "ShellExperience.exe"
(PID) Process:	(6320) StormKitty .exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	EnableLUA
Value: 0
(PID) Process:	(6320) StormKitty .exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	Userinit
Value: C:\windows\system32\userinit.exe,C:\Users\admin\AppData\Local\Temp\ StormKitty .exe,
(PID) Process:	(6292) ShellExperienceHost.exe	Key:	\REGISTRY\A\{062bca17-7043-9002-7dfe-205e52bb0608}\LocalState
Operation:	write	Name:	PeekBadges
Value: 5B005D000000E5DA78032C55DB01

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6320	StormKitty .exe	C:\Users\admin\Desktop\bostonstars.png		binary
		MD5:694C9483B1D5CDD4321BF734D623B8B1	SHA256:58D268CB1F9D9146B9A6A42B943A978B9DD19C12E96FC3E6C823012C067D39C9
6320	StormKitty .exe	C:\Users\admin\Desktop\artistmonday.png		binary
		MD5:390BB0DF2D31EAC2C695E0EC4CB85C26	SHA256:7468BAD2E2457D190D86D29279819E6C639E34E512BDBA990CB34F3B74679E8A
6320	StormKitty .exe	C:\Users\admin\Desktop\bostonstars.png.blo		binary
		MD5:694C9483B1D5CDD4321BF734D623B8B1	SHA256:58D268CB1F9D9146B9A6A42B943A978B9DD19C12E96FC3E6C823012C067D39C9
6320	StormKitty .exe	C:\Users\admin\Desktop\identry.rtf		binary
		MD5:501639A09BAB4B67D8DD75DB35843291	SHA256:54D5359EB46744CDFAEBBC6D4BF6702D437CE6AD03EBA990E2568D208EF03F68
6452	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rdgjz4be.cyg.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6320	StormKitty .exe	C:\Users\admin\Desktop\channelcase.png.blo		fli
		MD5:B8F46882D2D16665FF6522CDE4EF7A27	SHA256:8CCB8E893B15B6D097FD79828460519806BA0D9C5B28585FB6DD4CA7B069D200
6320	StormKitty .exe	C:\Users\admin\Desktop\fixedminister.png		binary
		MD5:3E681F4E304C215DE0DCB737F24C9429	SHA256:E26C93B63F44A3F3E4B131D42CDB32CF1E3C80F7795A5D3D2E3C825F2738FA4C
6320	StormKitty .exe	C:\Users\admin\Desktop\creativeparts.jpg		binary
		MD5:E2B5059ECA35DC40CAD7757C279B2AE0	SHA256:7A5B7F0736F85AA78CDAA7D6A3DC0B938E2C569F7BC80B48787AED5F0EA33CD1
6320	StormKitty .exe	C:\Users\admin\Desktop\fixedminister.png.blo		binary
		MD5:3E681F4E304C215DE0DCB737F24C9429	SHA256:E26C93B63F44A3F3E4B131D42CDB32CF1E3C80F7795A5D3D2E3C825F2738FA4C
6320	StormKitty .exe	C:\Users\admin\Desktop\peradditional.rtf		binary
		MD5:BBCFA93A041066448FB5AD8147641B4D	SHA256:D5DD9E8940634146FDE1DDBE4663996E8D971217FA2B70EAF2E2903A5C1008A1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3220	svchost.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3220	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7992	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7992	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4708	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3220	svchost.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3220	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5064	SearchApp.exe	92.123.104.43:443	www.bing.com	Akamai International B.V.	DE	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
crl.microsoft.com	23.53.40.178 23.53.40.176	whitelisted
google.com	142.250.184.238	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
www.bing.com	92.123.104.43 92.123.104.32 92.123.104.21 92.123.104.47 92.123.104.34 92.123.104.33 92.123.104.31 92.123.104.40 92.123.104.59	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
login.live.com	20.190.160.22 40.126.32.74 40.126.32.76 40.126.32.140 20.190.160.20 20.190.160.14 20.190.160.17 40.126.32.133	whitelisted
discord.com	162.159.135.232 162.159.138.232 162.159.128.233 162.159.137.232 162.159.136.232	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
—	—	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
—	—	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Discord

Add for printing

No debug info

General Info

StormKitty .exe

B8036A0C3EBD74949C38BC101160BFFE

96B276F48713B375772A075DBA4263E38B9B222B

9EEB89F878F19BA639ABD2AF83C5FEAF8EFB5D9087CC88F66A94FCCFD2BA7199

6144:xl6RStgiI+5kTwKee32P6NlLYMHq9Nx7Y2l8ZRXrditiAcKLkIaQJ2/UhUYdGTqz:xGCl1T2kB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Disables Windows Defender

Changes the login/logoff helper path in the registry

Deletes shadow copies

UAC/LUA settings modification

RANSOMWARE has been detected

Renames files like ransomware

Changes settings for checking scripts for malicious actions

XORed URL has been found (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Query Microsoft Defender preferences

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Executes as Windows Service

The process connected to a server suspected of theft

Possible usage of Discord/Telegram API has been detected (YARA)

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Process checks whether UAC notifications are on

The process uses the downloaded file

Process checks computer location settings

Disables trace logs

Reads the software policy settings

Checks proxy server information

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Malware configuration

xor-url

ims-api

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections