Analysis
max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
23-06-2024 13:22
Behavioral task
behavioral1
Sample
kittys.exe
Resource
win7-20240221-en
General
Target
kittys.exe
Size
671KB
MD5
941eca130a778ffce73956131c874bd1
SHA1
3ef17bcccab78161a0a0b6232e95fa26230c384a
SHA256
219d74704d5161e7885512a94bf8c8d01561e1314619147be5daecc6c12f0f3c
SHA512
1ee8722506771b03accc17da06593b2524ceb883409a5a70c0d1d9728727ac5a74f0819e0f2e3ff45e7c449edbbd1a20006e3d8e76d5be638bca45c77ad9f652
SSDEEP
12288:HLV6BtpmkESwAJ8VAMj6Uf5DwfzcEu54gIdlsI14/uMhrj6zTP3yF2BdY:rApfESwy8V665DwfzcEu54Vn1S3VsL3U
Malware Config
Signatures
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Host = "C:\\Program Files (x86)\\NAS Host\\nashost.exe" | kittys.exe
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kittys.exe
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\NAS Host\nashost.exe | kittys.exe
File opened for modification | C:\Program Files (x86)\NAS Host\nashost.exe | kittys.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2212 | schtasks.exe
3048 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
2820 | kittys.exe
2820 | kittys.exe
2820 | kittys.exe
2820 | kittys.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2820 | kittys.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2820 | kittys.exe
Token: SeDebugPrivilege | 2820 | kittys.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 2820 wrote to memory of 2212 | 2820 | kittys.exe | schtasks.exe
PID 2820 wrote to memory of 2212 | 2820 | kittys.exe | schtasks.exe
PID 2820 wrote to memory of 2212 | 2820 | kittys.exe | schtasks.exe
PID 2820 wrote to memory of 2212 | 2820 | kittys.exe | schtasks.exe
PID 2820 wrote to memory of 3048 | 2820 | kittys.exe | schtasks.exe
PID 2820 wrote to memory of 3048 | 2820 | kittys.exe | schtasks.exe
PID 2820 wrote to memory of 3048 | 2820 | kittys.exe | schtasks.exe
PID 2820 wrote to memory of 3048 | 2820 | kittys.exe | schtasks.exe
Processes
C:\Users\Admin\AppData\Local\Temp\kittys.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\kittys.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp256B.tmp"
    - Scheduled Task/Job: Scheduled Task
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "NAS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2618.tmp"
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp256B.tmp
Filesize
1KB
MD5
2ca7f7b3b2a84ff70a4c8e0db6ef6662
SHA1
2e7c298ee0ba72b119b691fc071beab10925b3e5
SHA256
83f3136dce0c0baa7a52658944206cc4ba7d5efa84038452bff64bbd46023598
SHA512
c9f7910f2c720abf833888097982f5834dbb8524039dbaa3145b4fa36db0d11fe1f1dbfbf20def88536523349e94d47dc2c6e5ccf2ed906930a3f8294f983f50
C:\Users\Admin\AppData\Local\Temp\tmp2618.tmp
Filesize
1KB
MD5
9f554f602c22cfc20079e966d177fadb
SHA1
789baa3425849bf239e47c6bcf352e6693a8c337
SHA256
4c760d5fe0c06cf4bf554170870f41181c61a217c37eb826903094dda86dd1f1
SHA512
b83e3e97dbe38ec4c64d9bef65e2521416f2d7434d78d05e66f729a2e0fbfea3f9bc6f6c4abaf76555af89a9565dfc0853d99067be9042dd66ed6246696eecbb
memory/2820-0-0x0000000074C51000-0x0000000074C52000-memory.dmp
Filesize
4KB
memory/2820-1-0x0000000074C50000-0x00000000751FB000-memory.dmp
Filesize
5.7MB
memory/2820-2-0x0000000074C50000-0x00000000751FB000-memory.dmp
Filesize
5.7MB
memory/2820-10-0x0000000074C50000-0x00000000751FB000-memory.dmp
Filesize
5.7MB