52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80

General

Target

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Size

494KB
MD5

39e1b41b4118f4ea3ce2119c054b29e8
SHA1

1df78a1dc0aa3382fcc6fac172b70aafd0ed8d3d
SHA256

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80
SHA512

be221128a83547e0fbab70f1508704ad90dd94b22dab8ad3d502fb74f897dab5f1b4a14f9833cdb0bce7db687daa371a1a17098b4e2f438bb6953828b4684690

Score

8^/10

adware collection discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ntlib.exe

pid process

1732 ntlib.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1732	ntlib.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exentlib.exe

description	ioc	process
File opened (read-only)	\??\R:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\O:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\G:	ntlib.exe
File opened (read-only)	\??\U:	ntlib.exe
File opened (read-only)	\??\R:	ntlib.exe
File opened (read-only)	\??\J:	ntlib.exe
File opened (read-only)	\??\P:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\K:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\T:	ntlib.exe
File opened (read-only)	\??\L:	ntlib.exe
File opened (read-only)	\??\H:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\V:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\I:	ntlib.exe
File opened (read-only)	\??\F:	ntlib.exe
File opened (read-only)	\??\X:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\W:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\L:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\J:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\W:	ntlib.exe
File opened (read-only)	\??\M:	ntlib.exe
File opened (read-only)	\??\F:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\E:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\K:	ntlib.exe
File opened (read-only)	\??\H:	ntlib.exe
File opened (read-only)	\??\V:	ntlib.exe
File opened (read-only)	\??\N:	ntlib.exe
File opened (read-only)	\??\X:	ntlib.exe
File opened (read-only)	\??\Z:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\Y:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\I:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\G:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\M:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\Z:	ntlib.exe
File opened (read-only)	\??\Y:	ntlib.exe
File opened (read-only)	\??\S:	ntlib.exe
File opened (read-only)	\??\Q:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\P:	ntlib.exe
File opened (read-only)	\??\E:	ntlib.exe
File opened (read-only)	\??\Q:	ntlib.exe
File opened (read-only)	\??\U:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\T:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\S:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\N:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\O:	ntlib.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 7 IoCs

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exentlib.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntlib.exe	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened for modification	C:\Windows\SysWOW64\mslib.ocx	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File created	C:\Windows\SysWOW64\mslib.ocx	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened for modification	C:\Windows\SysWOW64\wmdns.exe	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File created	C:\Windows\SysWOW64\wmdns.exe	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	ntlib.exe
File opened for modification	C:\Windows\SysWOW64\ntlib.exe	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

Modifies data under HKEY_USERS 13 IoCs

Processes:

ntlib.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips = "0"	ntlib.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ntlib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ntlib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	ntlib.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ntlib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	ntlib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ntlib.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	ntlib.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ntlib.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ntlib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion	ntlib.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SerialIID = 727d51a7f9e1b950d0af6afe540f6603	ntlib.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ntlib.exe

Modifies registry class 9 IoCs

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper"	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1"	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj"	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mslib.ocx"	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment"	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

pid	process
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exentlib.exe

description	pid	process
Token: SeDebugPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeChangeNotifyPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	1796	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeDebugPrivilege	1732	ntlib.exe
Token: SeChangeNotifyPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe
Token: SeBackupPrivilege	1732	ntlib.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exentlib.exe

pid process

1796 52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
1732 ntlib.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 588 wrote to memory of 1732	588	taskeng.exe	ntlib.exe
PID 588 wrote to memory of 1732	588	taskeng.exe	ntlib.exe
PID 588 wrote to memory of 1732	588	taskeng.exe	ntlib.exe
PID 588 wrote to memory of 1732	588	taskeng.exe	ntlib.exe
PID 588 wrote to memory of 1732	588	taskeng.exe	ntlib.exe
PID 588 wrote to memory of 1732	588	taskeng.exe	ntlib.exe
PID 588 wrote to memory of 1732	588	taskeng.exe	ntlib.exe

outlook_win_path 1 IoCs

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

C:\Users\Admin\AppData\Local\Temp\52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
"C:\Users\Admin\AppData\Local\Temp\52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- outlook_win_path
PID:1796

C:\Windows\system32\taskeng.exe
taskeng.exe {B51CDF66-22EE-4821-84D8-6CC4289DA526} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\ntlib.exe
C:\Windows\SysWOW64\ntlib.exe uif
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\ntuser{4CB43D7F-7EEE-4906-8698-80BEAA2A80156501}.pol
MD5
c2034cd093335ba6a60f16a46465cb4f

SHA1
30ce69605bd949dcb546e5091f6592207411318b

SHA256
194e16917ba83662adf6538df875a7cf807bc19d04926c2a026a7eb629b29c79

SHA512
6d5e1dbab5f23ef07fe661c4004fd158b791796f63e68524c67cd569eb16e27ce6c1d2f91b279ccf10ca3144c55c5f14851796f6463d9b409f38b3b5e3f24742

Download Submit
C:\Users\Public\Documents\ntuser{4CB43D7F-7EEE-4906-8698-80BEAA2A8094E303}.pol
MD5
c2034cd093335ba6a60f16a46465cb4f

SHA1
30ce69605bd949dcb546e5091f6592207411318b

SHA256
194e16917ba83662adf6538df875a7cf807bc19d04926c2a026a7eb629b29c79

SHA512
6d5e1dbab5f23ef07fe661c4004fd158b791796f63e68524c67cd569eb16e27ce6c1d2f91b279ccf10ca3144c55c5f14851796f6463d9b409f38b3b5e3f24742

Download Submit
C:\Users\Public\Documents\ntuser{4CB43D7F-7EEE-4906-8698-80BEAA2A80A5F801}.pol
MD5
c2034cd093335ba6a60f16a46465cb4f

SHA1
30ce69605bd949dcb546e5091f6592207411318b

SHA256
194e16917ba83662adf6538df875a7cf807bc19d04926c2a026a7eb629b29c79

SHA512
6d5e1dbab5f23ef07fe661c4004fd158b791796f63e68524c67cd569eb16e27ce6c1d2f91b279ccf10ca3144c55c5f14851796f6463d9b409f38b3b5e3f24742

Download Submit
C:\Users\Public\Documents\ntuser{4CB43D7F-7EEE-4906-8698-80BEAA2A80CD9101}.pol
MD5
c2034cd093335ba6a60f16a46465cb4f

SHA1
30ce69605bd949dcb546e5091f6592207411318b

SHA256
194e16917ba83662adf6538df875a7cf807bc19d04926c2a026a7eb629b29c79

SHA512
6d5e1dbab5f23ef07fe661c4004fd158b791796f63e68524c67cd569eb16e27ce6c1d2f91b279ccf10ca3144c55c5f14851796f6463d9b409f38b3b5e3f24742

Download Submit
C:\Windows\SysWOW64\ntlib.exe
MD5
d94cbd04b129943527a4a7dfed308ea3

SHA1
70c605497416310abd996dee73496bac9bc9590f

SHA256
286b1da667f1ceb5b50d353953ab0f2aea1253f4fe6b0b132b05e91ded1c4364

SHA512
ebfe46fe5621af14045dd4b7668af239286eab1d4dea9a6c38d2cf953c058bad70ac4158a61702fc6765b611265c9d15149542b648131c1b5a15dfa5f2dcde6c

Download Submit
C:\Windows\SysWOW64\ntlib.exe
MD5
d94cbd04b129943527a4a7dfed308ea3

SHA1
70c605497416310abd996dee73496bac9bc9590f

SHA256
286b1da667f1ceb5b50d353953ab0f2aea1253f4fe6b0b132b05e91ded1c4364

SHA512
ebfe46fe5621af14045dd4b7668af239286eab1d4dea9a6c38d2cf953c058bad70ac4158a61702fc6765b611265c9d15149542b648131c1b5a15dfa5f2dcde6c

Download Submit
memory/1732-60-0x0000000000400000-0x00000000022C2000-memory.dmp

Filesize
30.8MB

Download
memory/1796-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1796-55-0x00000000086D0000-0x000000000871E000-memory.dmp

Filesize
312KB

Download
memory/1796-56-0x0000000000400000-0x00000000022C2000-memory.dmp

Filesize
30.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads