Analysis

max time kernel:  150s
max time network: 158s
platform:         windows10-2004_x64
resource:         win10v2004-20220812-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted:        29-01-2023 21:31

Static task: static1

Behavioral task: behavioral1
  Sample:   f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample:   f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe
  Resource: win10v2004-20220812-en

General

Target: f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe
Size:   780KB
MD5:    84a5d4f71651972eec48a1f428df8e15
SHA1:   2926d1fff5994d2254693c51fd3a70206b7f3a84
SHA256: f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e
SHA512: 83276db60a8dac632789b4aa5619126aa17e28e48f05bcdadb347eb3ab64853732c59c9c10b9129a6736f4a3bfa2f396dd03f456ad07ae613354ef5ce1e68d02
SSDEEP: 24576:GvVO6KZEW9QB7xmIiIznRlpVawlrWQp+3:vbZi7lzrawlrWV3

Malware Config
Signatures

StormKitty
  StormKitty is an open source info stealer written in C#.

StormKitty payload (IoCs: 7)
  resource                                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\Ivggwxwfnqvw.exe                                            family_stormkitty
  C:\Users\Admin\AppData\Local\Temp\Ivggwxwfnqvw.exe                                            family_stormkitty
  behavioral2/memory/4852-143-0x00000000006F0000-0x000000000079C000-memory.dmp                 family_stormkitty
  C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe  family_stormkitty
  C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe  family_stormkitty
  C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe  family_stormkitty
  C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe  family_stormkitty

Executes dropped EXE (IoCs: 5)
  pid   process
  2824  Jucpjvss.exe
  4852  Ivggwxwfnqvw.exe
  2184  Keyboardserviceutilities.exe
  4876  Keyboardserviceutilities.exe
  5100  Keyboardserviceutilities.exe

Checks computer location settings (TTPs: 2, IoCs: 3)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  Ivggwxwfnqvw.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  Keyboardserviceutilities.exe

Reads user/profile data of web browsers (TTPs: 2)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (TTPs: 1, IoCs: 6)
  description  ioc                                                                                                                                                           process
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                  Keyboardserviceutilities.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                  Keyboardserviceutilities.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Keyboardserviceutilities.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                  Keyboardserviceutilities.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                  Keyboardserviceutilities.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Keyboardserviceutilities.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (TTPs: 2)

Looks up external IP address via web service (IoCs: 1)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  17    icanhazip.com

Suspicious use of NtSetInformationThreadHideFromDebugger (IoCs: 18)
  pid   process                       hits
  4852  Ivggwxwfnqvw.exe              6
  2184  Keyboardserviceutilities.exe  6
  5100  Keyboardserviceutilities.exe  6

Enumerates physical storage devices (TTPs: 1)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (IoCs: 1)
  pid   pid_target  process       target process
  4484  2184        WerFault.exe  Keyboardserviceutilities.exe

Checks processor information in registry (TTPs: 2, IoCs: 4)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                           process
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0              Keyboardserviceutilities.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier   Keyboardserviceutilities.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0              Keyboardserviceutilities.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier   Keyboardserviceutilities.exe

Creates scheduled task(s) (TTPs: 1, IoCs: 1)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (IoCs: 1)
  pid   process
  2656  timeout.exe

Enumerates system info in registry (TTPs: 2, IoCs: 3)
  description        ioc                                                                    process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe

Modifies registry class (IoCs: 1)
  description  ioc                                                                                          process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\   msedge.exe

Suspicious behavior: EnumeratesProcesses (IoCs: 64)
  pid   process                       hits
  4852  Ivggwxwfnqvw.exe              5
  2184  Keyboardserviceutilities.exe  59

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (IoCs: 2)
  pid   process     hits
  4468  msedge.exe  2

Suspicious use of AdjustPrivilegeToken (IoCs: 4)
  description                 pid   process
  Token: SeDebugPrivilege     4852  Ivggwxwfnqvw.exe
  Token: SeDebugPrivilege     2184  Keyboardserviceutilities.exe
  Token: SeSecurityPrivilege  1136  msiexec.exe
  Token: SeDebugPrivilege     5100  Keyboardserviceutilities.exe

Suspicious use of FindShellTrayWindow (IoCs: 2)
  pid   process     hits
  4468  msedge.exe  2

Suspicious use of WriteProcessMemory (IoCs: 64)
  Each row is "PID <pid> wrote to memory of <target pid>"; the hits column is the number of identical rows.
  pid   process                                                                 target pid  target process                hits
  4268  f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe   2824        Jucpjvss.exe                  3
  4268  f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe   4852        Ivggwxwfnqvw.exe              3
  4852  Ivggwxwfnqvw.exe                                                        2184        Keyboardserviceutilities.exe  3
  2184  Keyboardserviceutilities.exe                                            1312        cmd.exe                       3
  1312  cmd.exe                                                                 2656        timeout.exe                   3
  1312  cmd.exe                                                                 1860        schtasks.exe                  3
  2184  Keyboardserviceutilities.exe                                            2936        cmd.exe                       3
  2936  cmd.exe                                                                 3704        chcp.com                      3
  2936  cmd.exe                                                                 532         netsh.exe                     3
  2936  cmd.exe                                                                 3808        findstr.exe                   3
  2184  Keyboardserviceutilities.exe                                            3056        cmd.exe                       3
  3056  cmd.exe                                                                 3424        chcp.com                      3
  3056  cmd.exe                                                                 4140        netsh.exe                     3
  5100  Keyboardserviceutilities.exe                                            2584        cmd.exe                       3
  5100  Keyboardserviceutilities.exe                                            2152        cmd.exe                       3
  2584  cmd.exe                                                                 3276        chcp.com                      3
  2152  cmd.exe                                                                 4460        chcp.com                      3
  2584  cmd.exe                                                                 4456        netsh.exe                     3
  2152  cmd.exe                                                                 5044        netsh.exe                     3
  2584  cmd.exe                                                                 1804        findstr.exe                   3
  5100  Keyboardserviceutilities.exe                                            4364        msedge.exe                    2
  4364  msedge.exe                                                              3376        msedge.exe                    2

outlook_office_path (IoCs: 1)
  description  ioc                                                                                                                                    process
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Keyboardserviceutilities.exe

outlook_win_path (IoCs: 1)
  description  ioc                                                                                                                                                           process
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Keyboardserviceutilities.exe

Processes

Each entry gives the image path, the command line, and the signatures that fired for that process; indentation shows the parent/child relationship.

C:\Users\Admin\AppData\Local\Temp\f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f59ced4cb1fe18a94e6640da8e12dce820a2a921367f17d8ca64be51f151d07e.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Jucpjvss.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Jucpjvss.exe"
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\Ivggwxwfnqvw.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Ivggwxwfnqvw.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe
          command line: "C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBE92.tmp.cmd""
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\timeout.exe
                  command line: timeout 4
                  - Delays execution with timeout.exe

                C:\Windows\SysWOW64\schtasks.exe
                  command line: schtasks.exe /create /f /sc MINUTE /mo 1 /tn "Modes Visual Studio ver6.70" /tr "'C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe"'
                  - Creates scheduled task(s)

            C:\Windows\SysWOW64\cmd.exe
              command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\chcp.com
                  command line: chcp 65001

                C:\Windows\SysWOW64\netsh.exe
                  command line: netsh wlan show profile

                C:\Windows\SysWOW64\findstr.exe
                  command line: findstr All

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 2020
              - Program crash

            C:\Windows\SysWOW64\cmd.exe
              command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\chcp.com
                  command line: chcp 65001

                C:\Windows\SysWOW64\netsh.exe
                  command line: netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe
  command line: "C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe"
  - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2184 -ip 2184

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe
  command line: "C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path

    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com
          command line: chcp 65001

        C:\Windows\SysWOW64\netsh.exe
          command line: netsh wlan show profile

        C:\Windows\SysWOW64\findstr.exe
          command line: findstr All

    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com
          command line: chcp 65001

        C:\Windows\SysWOW64\netsh.exe
          command line: netsh wlan show networks mode=bssid

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa10c746f8,0x7ffa10c74708,0x7ffa10c74718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://127.0.0.1:14184
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa10c746f8,0x7ffa10c74708,0x7ffa10c74718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4790309883997896232,8003714326950473501,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4790309883997896232,8003714326950473501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4790309883997896232,8003714326950473501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4790309883997896232,8003714326950473501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4790309883997896232,8003714326950473501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\CFFD99D0A92C5917C47D
  Filesize: 282B
  MD5:      1c6b09b85ac82aa187202e6cd8f1662e
  SHA1:     5fbc2f7663245ede2c0b8b634f0c77e28a859151
  SHA256:   1cb5964eff4d83d423c2f9bffe9f1aeba7bc9c912549b99d224647eb09ebb0b4
  SHA512:   4bfdb5c3bebb8a8e12c78be5dc7e74cb407bc403975720d7e705ace945438cc12577ebb4c082988d68c35976578d060d9a951497ad509eb594122958e4b6d44f

C:\Users\Admin\AppData\Local\CFFD99D0A92C5917C47D
  Filesize: 20B
  MD5:      a4c301793da751db358f8429a91b564d
  SHA1:     abf568085d2389755419c467c33709c171b64ec9
  SHA256:   f64d9fb7a6bfaad6c29f0089fe66644428a155d55110ee7b6e6c7f80424f8ca4
  SHA512:   cbde04ada630c3b58a91f4d8fa18a373b7663e04a3fc85b73b07d735c84c5eaaf9a6081ba8f5f2b8cda6804137116de0f446b00cf8885750960f607cc152198c

C:\Users\Admin\AppData\Local\Keyboard service utilities ver1.22\Keyboardserviceutilities.exe
  Filesize: 660KB
  MD5:      6871ac1e5748b36b8ba9535d979d4091
  SHA1:     444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3
  SHA256:   8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c
  SHA512:   983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Keyboardserviceutilities.exe.log
  Filesize: 42B
  MD5:      84cfdb4b995b1dbf543b26b86c863adc
  SHA1:     d2f47764908bf30036cf8248b9ff5541e2711fa2
  SHA256:   d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
  SHA512:   485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

C:\Users\Admin\AppData\Local\Temp\Ivggwxwfnqvw.exe
  Filesize: 660KB
  MD5:      6871ac1e5748b36b8ba9535d979d4091
  SHA1:     444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3
  SHA256:   8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c
  SHA512:   983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

C:\Users\Admin\AppData\Local\Temp\Jucpjvss.exe
  Filesize: 172KB
  MD5:      4e288f438a0ef8a258f56dc24b6c6a6f
  SHA1:     0f53f19712ac703f15763eef7ce88eef53b486ee
  SHA256:   03544a96cd68984cdea793aed35fbc7c87183909b5037b1850c7065c29eb477a
  SHA512:   ca282f188b81fff1f0f950cc1eefe140da4836d38f134b35000db4d5debdb05898f6b88e5b4f66ef34016c272a879d206af1e49bfbb977d6f2531a4fa8ff87c4

C:\Users\Admin\AppData\Local\Temp\tmpBE92.tmp.cmd
  Filesize: 307B
  MD5:      3de9ccdf4364f171018b7b01c2c1037f
  SHA1:     939277d6503771969f7a9fdccacbb290c57c1ccc
  SHA256:   944ae1ca17b154163fce37d231e6a29541a71963f268fcf6c509da29960b8503
  SHA512:   bb83bd9f886bc96df882f630816edd40a207e2c6b4ec5d4679e54eb66177234cefacf0af0b3db4ffcbc8d122fea74d6c93af5e8a814a1079916ccbdb8b8c9645

\??\pipe\LOCAL\crashpad_4468_KGSLCJIAUVTJCLZB
  MD5:      d41d8cd98f00b204e9800998ecf8427e
  SHA1:     da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256:   e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512:   cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
