stormkitty | f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe
Size

780KB
MD5

84a5d4f71651972eec48a1f428df8e15
SHA1

2926d1fff5994d2254693c51fd3a70206b7f3a84
SHA256

f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e
SHA512

83276db60a8dac632789b4aa5619126aa17e28e48f05bcdadb347eb3ab64853732c59c9c10b9129a6736f4a3bfa2f396dd03f456ad07ae613354ef5ce1e68d02
SSDEEP

24576:GvVO6KZEW9QB7xmIiIznRlpVawlrWQp+3:vbZi7lzrawlrWV3

Score

10^/10

stormkitty collection spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Ivggwxwfnqvw.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\Ivggwxwfnqvw.exe	family_stormkitty
behavioral2/memory/4852-143-0x00000000006F0000-0x000000000079C000-memory.dmp	family_stormkitty
C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe	family_stormkitty

Executes dropped EXE 5 IoCs

Processes:

Jucpjvss.exeIvggwxwfnqvw.exeKeyboardserviceutilities.exeKeyboardserviceutilities.exeKeyboardserviceutilities.exe

pid process

2824 Jucpjvss.exe
4852 Ivggwxwfnqvw.exe
2184 Keyboardserviceutilities.exe
4876 Keyboardserviceutilities.exe
5100 Keyboardserviceutilities.exe

pid	process
2824	Jucpjvss.exe
4852	Ivggwxwfnqvw.exe
2184	Keyboardserviceutilities.exe
4876	Keyboardserviceutilities.exe
5100	Keyboardserviceutilities.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exeIvggwxwfnqvw.exeKeyboardserviceutilities.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Ivggwxwfnqvw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Keyboardserviceutilities.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

Keyboardserviceutilities.exeKeyboardserviceutilities.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Keyboardserviceutilities.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Keyboardserviceutilities.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Keyboardserviceutilities.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Keyboardserviceutilities.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Keyboardserviceutilities.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Keyboardserviceutilities.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 icanhazip.com

flow	ioc
17	icanhazip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs

Processes:

Ivggwxwfnqvw.exeKeyboardserviceutilities.exeKeyboardserviceutilities.exe

pid	process
4852	Ivggwxwfnqvw.exe
4852	Ivggwxwfnqvw.exe
4852	Ivggwxwfnqvw.exe
4852	Ivggwxwfnqvw.exe
4852	Ivggwxwfnqvw.exe
4852	Ivggwxwfnqvw.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
5100	Keyboardserviceutilities.exe
5100	Keyboardserviceutilities.exe
5100	Keyboardserviceutilities.exe
5100	Keyboardserviceutilities.exe
5100	Keyboardserviceutilities.exe
5100	Keyboardserviceutilities.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4484 2184 WerFault.exe Keyboardserviceutilities.exe

pid	pid_target	process	target process
4484	2184	WerFault.exe	Keyboardserviceutilities.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Keyboardserviceutilities.exeKeyboardserviceutilities.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Keyboardserviceutilities.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Keyboardserviceutilities.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Keyboardserviceutilities.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Keyboardserviceutilities.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1860 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2656 timeout.exe

pid	process
1860	schtasks.exe

pid	process
2656	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Ivggwxwfnqvw.exeKeyboardserviceutilities.exe

pid	process
4852	Ivggwxwfnqvw.exe
4852	Ivggwxwfnqvw.exe
4852	Ivggwxwfnqvw.exe
4852	Ivggwxwfnqvw.exe
4852	Ivggwxwfnqvw.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe
2184	Keyboardserviceutilities.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4468 msedge.exe
4468 msedge.exe

pid	process
4468	msedge.exe
4468	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Ivggwxwfnqvw.exeKeyboardserviceutilities.exemsiexec.exeKeyboardserviceutilities.exe

description	pid	process
Token: SeDebugPrivilege	4852	Ivggwxwfnqvw.exe
Token: SeDebugPrivilege	2184	Keyboardserviceutilities.exe
Token: SeSecurityPrivilege	1136	msiexec.exe
Token: SeDebugPrivilege	5100	Keyboardserviceutilities.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

4468 msedge.exe
4468 msedge.exe

pid	process
4468	msedge.exe
4468	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exeIvggwxwfnqvw.exeKeyboardserviceutilities.execmd.execmd.execmd.exeKeyboardserviceutilities.execmd.execmd.exemsedge.exe

description	pid	process	target process
PID 4268 wrote to memory of 2824	4268	f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe	Jucpjvss.exe
PID 4268 wrote to memory of 2824	4268	f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe	Jucpjvss.exe
PID 4268 wrote to memory of 2824	4268	f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe	Jucpjvss.exe
PID 4268 wrote to memory of 4852	4268	f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe	Ivggwxwfnqvw.exe
PID 4268 wrote to memory of 4852	4268	f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe	Ivggwxwfnqvw.exe
PID 4268 wrote to memory of 4852	4268	f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe	Ivggwxwfnqvw.exe
PID 4852 wrote to memory of 2184	4852	Ivggwxwfnqvw.exe	Keyboardserviceutilities.exe
PID 4852 wrote to memory of 2184	4852	Ivggwxwfnqvw.exe	Keyboardserviceutilities.exe
PID 4852 wrote to memory of 2184	4852	Ivggwxwfnqvw.exe	Keyboardserviceutilities.exe
PID 2184 wrote to memory of 1312	2184	Keyboardserviceutilities.exe	cmd.exe
PID 2184 wrote to memory of 1312	2184	Keyboardserviceutilities.exe	cmd.exe
PID 2184 wrote to memory of 1312	2184	Keyboardserviceutilities.exe	cmd.exe
PID 1312 wrote to memory of 2656	1312	cmd.exe	timeout.exe
PID 1312 wrote to memory of 2656	1312	cmd.exe	timeout.exe
PID 1312 wrote to memory of 2656	1312	cmd.exe	timeout.exe
PID 1312 wrote to memory of 1860	1312	cmd.exe	schtasks.exe
PID 1312 wrote to memory of 1860	1312	cmd.exe	schtasks.exe
PID 1312 wrote to memory of 1860	1312	cmd.exe	schtasks.exe
PID 2184 wrote to memory of 2936	2184	Keyboardserviceutilities.exe	cmd.exe
PID 2184 wrote to memory of 2936	2184	Keyboardserviceutilities.exe	cmd.exe
PID 2184 wrote to memory of 2936	2184	Keyboardserviceutilities.exe	cmd.exe
PID 2936 wrote to memory of 3704	2936	cmd.exe	chcp.com
PID 2936 wrote to memory of 3704	2936	cmd.exe	chcp.com
PID 2936 wrote to memory of 3704	2936	cmd.exe	chcp.com
PID 2936 wrote to memory of 532	2936	cmd.exe	netsh.exe
PID 2936 wrote to memory of 532	2936	cmd.exe	netsh.exe
PID 2936 wrote to memory of 532	2936	cmd.exe	netsh.exe
PID 2936 wrote to memory of 3808	2936	cmd.exe	findstr.exe
PID 2936 wrote to memory of 3808	2936	cmd.exe	findstr.exe
PID 2936 wrote to memory of 3808	2936	cmd.exe	findstr.exe
PID 2184 wrote to memory of 3056	2184	Keyboardserviceutilities.exe	cmd.exe
PID 2184 wrote to memory of 3056	2184	Keyboardserviceutilities.exe	cmd.exe
PID 2184 wrote to memory of 3056	2184	Keyboardserviceutilities.exe	cmd.exe
PID 3056 wrote to memory of 3424	3056	cmd.exe	chcp.com
PID 3056 wrote to memory of 3424	3056	cmd.exe	chcp.com
PID 3056 wrote to memory of 3424	3056	cmd.exe	chcp.com
PID 3056 wrote to memory of 4140	3056	cmd.exe	netsh.exe
PID 3056 wrote to memory of 4140	3056	cmd.exe	netsh.exe
PID 3056 wrote to memory of 4140	3056	cmd.exe	netsh.exe
PID 5100 wrote to memory of 2584	5100	Keyboardserviceutilities.exe	cmd.exe
PID 5100 wrote to memory of 2584	5100	Keyboardserviceutilities.exe	cmd.exe
PID 5100 wrote to memory of 2584	5100	Keyboardserviceutilities.exe	cmd.exe
PID 5100 wrote to memory of 2152	5100	Keyboardserviceutilities.exe	cmd.exe
PID 5100 wrote to memory of 2152	5100	Keyboardserviceutilities.exe	cmd.exe
PID 5100 wrote to memory of 2152	5100	Keyboardserviceutilities.exe	cmd.exe
PID 2584 wrote to memory of 3276	2584	cmd.exe	chcp.com
PID 2584 wrote to memory of 3276	2584	cmd.exe	chcp.com
PID 2584 wrote to memory of 3276	2584	cmd.exe	chcp.com
PID 2152 wrote to memory of 4460	2152	cmd.exe	chcp.com
PID 2152 wrote to memory of 4460	2152	cmd.exe	chcp.com
PID 2152 wrote to memory of 4460	2152	cmd.exe	chcp.com
PID 2584 wrote to memory of 4456	2584	cmd.exe	netsh.exe
PID 2584 wrote to memory of 4456	2584	cmd.exe	netsh.exe
PID 2584 wrote to memory of 4456	2584	cmd.exe	netsh.exe
PID 2152 wrote to memory of 5044	2152	cmd.exe	netsh.exe
PID 2152 wrote to memory of 5044	2152	cmd.exe	netsh.exe
PID 2152 wrote to memory of 5044	2152	cmd.exe	netsh.exe
PID 2584 wrote to memory of 1804	2584	cmd.exe	findstr.exe
PID 2584 wrote to memory of 1804	2584	cmd.exe	findstr.exe
PID 2584 wrote to memory of 1804	2584	cmd.exe	findstr.exe
PID 5100 wrote to memory of 4364	5100	Keyboardserviceutilities.exe	msedge.exe
PID 5100 wrote to memory of 4364	5100	Keyboardserviceutilities.exe	msedge.exe
PID 4364 wrote to memory of 3376	4364	msedge.exe	msedge.exe
PID 4364 wrote to memory of 3376	4364	msedge.exe	msedge.exe

outlook_office_path 1 IoCs

Processes:

Keyboardserviceutilities.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Keyboardserviceutilities.exe

outlook_win_path 1 IoCs

Processes:

Keyboardserviceutilities.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Keyboardserviceutilities.exe

C:\Users\Admin\AppData\Local\Temp\f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe
"C:\Users\Admin\AppData\Local\Temp\f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\Jucpjvss.exe
"C:\Users\Admin\AppData\Local\Temp\Jucpjvss.exe"
2⤵
- Executes dropped EXE
PID:2824

C:\Users\Admin\AppData\Local\Temp\Ivggwxwfnqvw.exe
"C:\Users\Admin\AppData\Local\Temp\Ivggwxwfnqvw.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852

C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe
"C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBE92.tmp.cmd""
4⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\timeout.exe
timeout 4
5⤵
- Delays execution with timeout.exe
PID:2656

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /f /sc MINUTE /mo 1 /tn "Modes Visual Studio ver6.70" /tr "'C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe"'
5⤵
- Creates scheduled task(s)
PID:1860

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
4⤵
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:3704

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
5⤵
PID:532

C:\Windows\SysWOW64\findstr.exe
findstr All
5⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 2020
4⤵
- Program crash
PID:4484

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
4⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:3424

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
5⤵
PID:4140

C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe
"C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe"
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2184 -ip 2184
1⤵
PID:2840

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe
"C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:5100

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
2⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:3276

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
3⤵
PID:4456

C:\Windows\SysWOW64\findstr.exe
findstr All
3⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
2⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:4460

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
3⤵
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa10c746f8,0x7ffa10c74708,0x7ffa10c74718
3⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://127.0.0.1:14184
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa10c746f8,0x7ffa10c74708,0x7ffa10c74718
3⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4790309883997896232,8003714326950473501,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
3⤵
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4790309883997896232,8003714326950473501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
3⤵
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4790309883997896232,8003714326950473501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
3⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4790309883997896232,8003714326950473501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
3⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4790309883997896232,8003714326950473501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
3⤵
PID:228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CFFD99D0A92C5917C47D
Filesize
282B

MD5
1c6b09b85ac82aa187202e6cd8f1662e

SHA1
5fbc2f7663245ede2c0b8b634f0c77e28a859151

SHA256
1cb5964eff4d83d423c2f9bffe9f1aeba7bc9c912549b99d224647eb09ebb0b4

SHA512
4bfdb5c3bebb8a8e12c78be5dc7e74cb407bc403975720d7e705ace945438cc12577ebb4c082988d68c35976578d060d9a951497ad509eb594122958e4b6d44f

Download Submit
C:\Users\Admin\AppData\Local\CFFD99D0A92C5917C47D
Filesize
20B

MD5
a4c301793da751db358f8429a91b564d

SHA1
abf568085d2389755419c467c33709c171b64ec9

SHA256
f64d9fb7a6bfaad6c29f0089fe66644428a155d55110ee7b6e6c7f80424f8ca4

SHA512
cbde04ada630c3b58a91f4d8fa18a373b7663e04a3fc85b73b07d735c84c5eaaf9a6081ba8f5f2b8cda6804137116de0f446b00cf8885750960f607cc152198c

Download Submit
C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe
Filesize
660KB

MD5
6871ac1e5748b36b8ba9535d979d4091

SHA1
444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3

SHA256
8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c

SHA512
983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

Download Submit
C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe
Filesize
660KB

MD5
6871ac1e5748b36b8ba9535d979d4091

SHA1
444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3

SHA256
8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c

SHA512
983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

Download Submit
C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe
Filesize
660KB

MD5
6871ac1e5748b36b8ba9535d979d4091

SHA1
444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3

SHA256
8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c

SHA512
983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

Download Submit
C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe
Filesize
660KB

MD5
6871ac1e5748b36b8ba9535d979d4091

SHA1
444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3

SHA256
8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c

SHA512
983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Keyboardserviceutilities.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ivggwxwfnqvw.exe
Filesize
660KB

MD5
6871ac1e5748b36b8ba9535d979d4091

SHA1
444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3

SHA256
8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c

SHA512
983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ivggwxwfnqvw.exe
Filesize
660KB

MD5
6871ac1e5748b36b8ba9535d979d4091

SHA1
444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3

SHA256
8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c

SHA512
983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jucpjvss.exe
Filesize
172KB

MD5
4e288f438a0ef8a258f56dc24b6c6a6f

SHA1
0f53f19712ac703f15763eef7ce88eef53b486ee

SHA256
03544a96cd68984cdea793aed35fbc7c87183909b5037b1850c7065c29eb477a

SHA512
ca282f188b81fff1f0f950cc1eefe140da4836d38f134b35000db4d5debdb05898f6b88e5b4f66ef34016c272a879d206af1e49bfbb977d6f2531a4fa8ff87c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jucpjvss.exe
Filesize
172KB

MD5
4e288f438a0ef8a258f56dc24b6c6a6f

SHA1
0f53f19712ac703f15763eef7ce88eef53b486ee

SHA256
03544a96cd68984cdea793aed35fbc7c87183909b5037b1850c7065c29eb477a

SHA512
ca282f188b81fff1f0f950cc1eefe140da4836d38f134b35000db4d5debdb05898f6b88e5b4f66ef34016c272a879d206af1e49bfbb977d6f2531a4fa8ff87c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE92.tmp.cmd
Filesize
307B

MD5
3de9ccdf4364f171018b7b01c2c1037f

SHA1
939277d6503771969f7a9fdccacbb290c57c1ccc

SHA256
944ae1ca17b154163fce37d231e6a29541a71963f268fcf6c509da29960b8503

SHA512
bb83bd9f886bc96df882f630816edd40a207e2c6b4ec5d4679e54eb66177234cefacf0af0b3db4ffcbc8d122fea74d6c93af5e8a814a1079916ccbdb8b8c9645

Download Submit
\??\pipe\LOCAL\crashpad_4468_KGSLCJIAUVTJCLZB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/228-199-0x0000000000000000-mapping.dmp

Download
memory/532-171-0x0000000000000000-mapping.dmp

Download
memory/1312-151-0x0000000000000000-mapping.dmp

Download
memory/1804-185-0x0000000000000000-mapping.dmp

Download
memory/1860-154-0x0000000000000000-mapping.dmp

Download
memory/2112-191-0x0000000000000000-mapping.dmp

Download
memory/2152-180-0x0000000000000000-mapping.dmp

Download
memory/2184-166-0x00000000065E0000-0x00000000066E0000-memory.dmp

Filesize
1024KB

Download
memory/2184-161-0x00000000065E0000-0x00000000066E0000-memory.dmp

Filesize
1024KB

Download
memory/2184-147-0x0000000000000000-mapping.dmp

Download
memory/2184-155-0x00000000053F9000-0x00000000053FF000-memory.dmp

Filesize
24KB

Download
memory/2184-156-0x00000000053F9000-0x00000000053FF000-memory.dmp

Filesize
24KB

Download
memory/2184-157-0x00000000065E0000-0x00000000066E0000-memory.dmp

Filesize
1024KB

Download
memory/2184-158-0x00000000065E0000-0x00000000066E0000-memory.dmp

Filesize
1024KB

Download
memory/2184-168-0x00000000065E0000-0x00000000066E0000-memory.dmp

Filesize
1024KB

Download
memory/2184-160-0x00000000065E0000-0x00000000066E0000-memory.dmp

Filesize
1024KB

Download
memory/2184-167-0x00000000065E0000-0x00000000066E0000-memory.dmp

Filesize
1024KB

Download
memory/2184-162-0x00000000065E0000-0x00000000066E0000-memory.dmp

Filesize
1024KB

Download
memory/2184-163-0x00000000065E0000-0x00000000066E0000-memory.dmp

Filesize
1024KB

Download
memory/2184-164-0x00000000065E0000-0x00000000066E0000-memory.dmp

Filesize
1024KB

Download
memory/2184-165-0x00000000065E0000-0x00000000066E0000-memory.dmp

Filesize
1024KB

Download
memory/2220-192-0x0000000000000000-mapping.dmp

Download
memory/2584-179-0x0000000000000000-mapping.dmp

Download
memory/2656-153-0x0000000000000000-mapping.dmp

Download
memory/2824-144-0x00000000050A0000-0x000000000513C000-memory.dmp

Filesize
624KB

Download
memory/2824-145-0x0000000005340000-0x0000000005396000-memory.dmp

Filesize
344KB

Download
memory/2824-136-0x0000000000000000-mapping.dmp

Download
memory/2824-141-0x00000000007B0000-0x00000000007E0000-memory.dmp

Filesize
192KB

Download
memory/2936-169-0x0000000000000000-mapping.dmp

Download
memory/3028-197-0x0000000000000000-mapping.dmp

Download
memory/3056-173-0x0000000000000000-mapping.dmp

Download
memory/3276-181-0x0000000000000000-mapping.dmp

Download
memory/3376-187-0x0000000000000000-mapping.dmp

Download
memory/3424-174-0x0000000000000000-mapping.dmp

Download
memory/3508-189-0x0000000000000000-mapping.dmp

Download
memory/3704-170-0x0000000000000000-mapping.dmp

Download
memory/3808-172-0x0000000000000000-mapping.dmp

Download
memory/4140-175-0x0000000000000000-mapping.dmp

Download
memory/4180-195-0x0000000000000000-mapping.dmp

Download
memory/4268-135-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/4268-134-0x0000000004A10000-0x0000000004AA2000-memory.dmp

Filesize
584KB

Download
memory/4268-132-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4268-133-0x0000000004AC0000-0x0000000005064000-memory.dmp

Filesize
5.6MB

Download
memory/4364-186-0x0000000000000000-mapping.dmp

Download
memory/4456-183-0x0000000000000000-mapping.dmp

Download
memory/4460-182-0x0000000000000000-mapping.dmp

Download
memory/4468-188-0x0000000000000000-mapping.dmp

Download
memory/4852-143-0x00000000006F0000-0x000000000079C000-memory.dmp

Filesize
688KB

Download
memory/4852-146-0x0000000004F80000-0x0000000004FE6000-memory.dmp

Filesize
408KB

Download
memory/4852-139-0x0000000000000000-mapping.dmp

Download
memory/5044-184-0x0000000000000000-mapping.dmp

Download
memory/5100-200-0x0000000005859000-0x000000000585F000-memory.dmp

Filesize
24KB

Download
memory/5100-201-0x0000000005859000-0x000000000585F000-memory.dmp

Filesize
24KB

Download
memory/5100-202-0x0000000008760000-0x0000000008860000-memory.dmp

Filesize
1024KB

Download
memory/5100-203-0x0000000008760000-0x0000000008860000-memory.dmp

Filesize
1024KB

Download
memory/5100-204-0x0000000008760000-0x0000000008860000-memory.dmp

Filesize
1024KB

Download
memory/5100-205-0x0000000008760000-0x0000000008860000-memory.dmp

Filesize
1024KB

Download