stormkitty | 2db46ad5e0370f7f9762fd2ed5ca32e2bfcb7d78c56df7240cd4ff05889dd4d0

Analysis

max time kernel
121s
max time network
135s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02/01/2024, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35b5b0cc100e0ba95f366d6a3b427823.exe
Size

490KB
MD5

35b5b0cc100e0ba95f366d6a3b427823
SHA1

2845a8d906a0c93281c560de1e2e3d5a8ae2a546
SHA256

2db46ad5e0370f7f9762fd2ed5ca32e2bfcb7d78c56df7240cd4ff05889dd4d0
SHA512

29252fdfd992ec5d0d351d43bed65872f0a5637a1854fbe796aa37f9dfbba4e11d0ba2be8418c56a79a846100e96418c7ee7d8bc8ee1b489a5a8bd0ca073841d
SSDEEP

12288:CTPh8TlBsPJ78hCWS0ok+jhXWuz/qMvp5h93Yure:zl870

Score

10^/10

stormkitty spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 6 IoCs

resource	yara_rule
behavioral1/memory/1136-16-0x0000000000400000-0x0000000000428000-memory.dmp	family_stormkitty
behavioral1/memory/1136-14-0x0000000000400000-0x0000000000428000-memory.dmp	family_stormkitty
behavioral1/memory/1136-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_stormkitty
behavioral1/memory/1136-8-0x0000000000400000-0x0000000000428000-memory.dmp	family_stormkitty
behavioral1/memory/1136-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_stormkitty
behavioral1/memory/1136-18-0x0000000002310000-0x0000000002350000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\c6913aa19b94d5c5a2ab587784a2ff7e\Admin@SCFGBRBT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	35b5b0cc100e0ba95f366d6a3b427823.exe
File created	C:\Users\Admin\AppData\Local\c6913aa19b94d5c5a2ab587784a2ff7e\Admin@SCFGBRBT_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	35b5b0cc100e0ba95f366d6a3b427823.exe
File created	C:\Users\Admin\AppData\Local\c6913aa19b94d5c5a2ab587784a2ff7e\Admin@SCFGBRBT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	35b5b0cc100e0ba95f366d6a3b427823.exe
File created	C:\Users\Admin\AppData\Local\c6913aa19b94d5c5a2ab587784a2ff7e\Admin@SCFGBRBT_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	35b5b0cc100e0ba95f366d6a3b427823.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2188 set thread context of 1136	2188	35b5b0cc100e0ba95f366d6a3b427823.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2728	1136	WerFault.exe	29

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	35b5b0cc100e0ba95f366d6a3b427823.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	35b5b0cc100e0ba95f366d6a3b427823.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	35b5b0cc100e0ba95f366d6a3b427823.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	35b5b0cc100e0ba95f366d6a3b427823.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	35b5b0cc100e0ba95f366d6a3b427823.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	35b5b0cc100e0ba95f366d6a3b427823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	35b5b0cc100e0ba95f366d6a3b427823.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	35b5b0cc100e0ba95f366d6a3b427823.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1136	35b5b0cc100e0ba95f366d6a3b427823.exe
1136	35b5b0cc100e0ba95f366d6a3b427823.exe
1136	35b5b0cc100e0ba95f366d6a3b427823.exe
1136	35b5b0cc100e0ba95f366d6a3b427823.exe
1136	35b5b0cc100e0ba95f366d6a3b427823.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	35b5b0cc100e0ba95f366d6a3b427823.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1136	2188	35b5b0cc100e0ba95f366d6a3b427823.exe	29
PID 2188 wrote to memory of 1136	2188	35b5b0cc100e0ba95f366d6a3b427823.exe	29
PID 2188 wrote to memory of 1136	2188	35b5b0cc100e0ba95f366d6a3b427823.exe	29
PID 2188 wrote to memory of 1136	2188	35b5b0cc100e0ba95f366d6a3b427823.exe	29
PID 2188 wrote to memory of 1136	2188	35b5b0cc100e0ba95f366d6a3b427823.exe	29
PID 2188 wrote to memory of 1136	2188	35b5b0cc100e0ba95f366d6a3b427823.exe	29
PID 2188 wrote to memory of 1136	2188	35b5b0cc100e0ba95f366d6a3b427823.exe	29
PID 2188 wrote to memory of 1136	2188	35b5b0cc100e0ba95f366d6a3b427823.exe	29
PID 2188 wrote to memory of 1136	2188	35b5b0cc100e0ba95f366d6a3b427823.exe	29
PID 1136 wrote to memory of 2212	1136	35b5b0cc100e0ba95f366d6a3b427823.exe	31
PID 1136 wrote to memory of 2212	1136	35b5b0cc100e0ba95f366d6a3b427823.exe	31
PID 1136 wrote to memory of 2212	1136	35b5b0cc100e0ba95f366d6a3b427823.exe	31
PID 1136 wrote to memory of 2212	1136	35b5b0cc100e0ba95f366d6a3b427823.exe	31
PID 2212 wrote to memory of 2052	2212	cmd.exe	34
PID 2212 wrote to memory of 2052	2212	cmd.exe	34
PID 2212 wrote to memory of 2052	2212	cmd.exe	34
PID 2212 wrote to memory of 2052	2212	cmd.exe	34
PID 2212 wrote to memory of 308	2212	cmd.exe	32
PID 2212 wrote to memory of 308	2212	cmd.exe	32
PID 2212 wrote to memory of 308	2212	cmd.exe	32
PID 2212 wrote to memory of 308	2212	cmd.exe	32
PID 2212 wrote to memory of 764	2212	cmd.exe	33
PID 2212 wrote to memory of 764	2212	cmd.exe	33
PID 2212 wrote to memory of 764	2212	cmd.exe	33
PID 2212 wrote to memory of 764	2212	cmd.exe	33
PID 1136 wrote to memory of 1624	1136	35b5b0cc100e0ba95f366d6a3b427823.exe	39
PID 1136 wrote to memory of 1624	1136	35b5b0cc100e0ba95f366d6a3b427823.exe	39
PID 1136 wrote to memory of 1624	1136	35b5b0cc100e0ba95f366d6a3b427823.exe	39
PID 1136 wrote to memory of 1624	1136	35b5b0cc100e0ba95f366d6a3b427823.exe	39
PID 1624 wrote to memory of 2544	1624	cmd.exe	37
PID 1624 wrote to memory of 2544	1624	cmd.exe	37
PID 1624 wrote to memory of 2544	1624	cmd.exe	37
PID 1624 wrote to memory of 2544	1624	cmd.exe	37
PID 1624 wrote to memory of 2680	1624	cmd.exe	36
PID 1624 wrote to memory of 2680	1624	cmd.exe	36
PID 1624 wrote to memory of 2680	1624	cmd.exe	36
PID 1624 wrote to memory of 2680	1624	cmd.exe	36
PID 1136 wrote to memory of 2728	1136	35b5b0cc100e0ba95f366d6a3b427823.exe	40
PID 1136 wrote to memory of 2728	1136	35b5b0cc100e0ba95f366d6a3b427823.exe	40
PID 1136 wrote to memory of 2728	1136	35b5b0cc100e0ba95f366d6a3b427823.exe	40
PID 1136 wrote to memory of 2728	1136	35b5b0cc100e0ba95f366d6a3b427823.exe	40

C:\Users\Admin\AppData\Local\Temp\35b5b0cc100e0ba95f366d6a3b427823.exe
"C:\Users\Admin\AppData\Local\Temp\35b5b0cc100e0ba95f366d6a3b427823.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\35b5b0cc100e0ba95f366d6a3b427823.exe
  C:\Users\Admin\AppData\Local\Temp\35b5b0cc100e0ba95f366d6a3b427823.exe
  2⤵
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:308
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:764
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 864
    3⤵
    - Program crash
    PID:2728

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
1⤵
PID:2680

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7982ff5f0d61ab2e90c280247f74ec4d

SHA1
b9a5854eff7b015becef992783e16fe893ea9beb

SHA256
e7a7017dc18768ea7a11975a64e099892f3b1d6ea6599c7d19b6ddced2b1c556

SHA512
3d40c80749057ccc444834f950f14d7c305cea1e11830620fb92ed12b5c5b6aedccb5da5e2ff21239cc704de6f221ed87d695a6d8f6ca21a04e6ba539a320c18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
2b8f8208d63351c3c16a80b29ed43b8e

SHA1
18cddffa520c87189a49d726c6e11371ea33a0d7

SHA256
d1f1691b299bafc58c01a230ef16f722ada2881c985e113fddaa1f836e31d4c2

SHA512
f51a401bd323cd7f67f4c0ec94729e777bf7e47db9ffa6cf43d33aea2f9a32f5740bfcdb032f373b2628e5a0b7edec9f4aa03d024232c3571d4df42b02d70f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4E0D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\c6913aa19b94d5c5a2ab587784a2ff7e\Admin@SCFGBRBT_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\c6913aa19b94d5c5a2ab587784a2ff7e\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/1136-17-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/1136-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1136-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1136-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1136-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1136-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1136-18-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/1136-208-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/1136-87-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/1136-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1136-210-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/1136-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1136-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1136-209-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/2188-0-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/2188-2-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/2188-13-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download