52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80

General

Target

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Size

494KB
MD5

39e1b41b4118f4ea3ce2119c054b29e8
SHA1

1df78a1dc0aa3382fcc6fac172b70aafd0ed8d3d
SHA256

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80
SHA512

be221128a83547e0fbab70f1508704ad90dd94b22dab8ad3d502fb74f897dab5f1b4a14f9833cdb0bce7db687daa371a1a17098b4e2f438bb6953828b4684690

Score

8^/10

adware collection discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

pptpctf.exe

pid process

3888 pptpctf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3888	pptpctf.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pptpctf.exe52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

description	ioc	process
File opened (read-only)	\??\M:	pptpctf.exe
File opened (read-only)	\??\F:	pptpctf.exe
File opened (read-only)	\??\V:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\U:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\P:	pptpctf.exe
File opened (read-only)	\??\O:	pptpctf.exe
File opened (read-only)	\??\X:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\K:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\T:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\Q:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\K:	pptpctf.exe
File opened (read-only)	\??\H:	pptpctf.exe
File opened (read-only)	\??\S:	pptpctf.exe
File opened (read-only)	\??\P:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\F:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\V:	pptpctf.exe
File opened (read-only)	\??\Q:	pptpctf.exe
File opened (read-only)	\??\N:	pptpctf.exe
File opened (read-only)	\??\J:	pptpctf.exe
File opened (read-only)	\??\Z:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\E:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\W:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\O:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\L:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\J:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\Y:	pptpctf.exe
File opened (read-only)	\??\W:	pptpctf.exe
File opened (read-only)	\??\H:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\R:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\Z:	pptpctf.exe
File opened (read-only)	\??\X:	pptpctf.exe
File opened (read-only)	\??\G:	pptpctf.exe
File opened (read-only)	\??\L:	pptpctf.exe
File opened (read-only)	\??\G:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\U:	pptpctf.exe
File opened (read-only)	\??\I:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\S:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\N:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\M:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\I:	pptpctf.exe
File opened (read-only)	\??\E:	pptpctf.exe
File opened (read-only)	\??\T:	pptpctf.exe
File opened (read-only)	\??\Y:	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened (read-only)	\??\R:	pptpctf.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 11 IoCs

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exepptpctf.exe

description	ioc	process
File created	C:\Windows\SysWOW64\cpldsp.ocx	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	pptpctf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	pptpctf.exe
File created	C:\Windows\SysWOW64\libschd.exe	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	pptpctf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	pptpctf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	pptpctf.exe
File opened for modification	C:\Windows\SysWOW64\pptpctf.exe	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File created	C:\Windows\SysWOW64\pptpctf.exe	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened for modification	C:\Windows\SysWOW64\cpldsp.ocx	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
File opened for modification	C:\Windows\SysWOW64\libschd.exe	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

pptpctf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	pptpctf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion	pptpctf.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\SerialIID = 73c2c2db57008a5457e06007731133e3	pptpctf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	pptpctf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips = "0"	pptpctf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	pptpctf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	pptpctf.exe

Modifies registry class 9 IoCs

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper"	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment"	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1"	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWOW64\\cpldsp.ocx"	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj"	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

pid	process
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exepptpctf.exe

description	pid	process
Token: SeDebugPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeChangeNotifyPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeBackupPrivilege	3672	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
Token: SeDebugPrivilege	3888	pptpctf.exe
Token: SeChangeNotifyPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe
Token: SeBackupPrivilege	3888	pptpctf.exe

outlook_win_path 1 IoCs

Processes:

52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe

C:\Users\Admin\AppData\Local\Temp\52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe
"C:\Users\Admin\AppData\Local\Temp\52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:3672

C:\Windows\SysWOW64\pptpctf.exe
C:\Windows\SysWOW64\pptpctf.exe md3
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\ntuser{4CB43D7F-7EEE-4906-8698-80BEAA2A80156501}.pol
MD5
c2034cd093335ba6a60f16a46465cb4f

SHA1
30ce69605bd949dcb546e5091f6592207411318b

SHA256
194e16917ba83662adf6538df875a7cf807bc19d04926c2a026a7eb629b29c79

SHA512
6d5e1dbab5f23ef07fe661c4004fd158b791796f63e68524c67cd569eb16e27ce6c1d2f91b279ccf10ca3144c55c5f14851796f6463d9b409f38b3b5e3f24742

Download Submit
C:\Users\Public\Documents\ntuser{4CB43D7F-7EEE-4906-8698-80BEAA2A8094E303}.pol
MD5
c2034cd093335ba6a60f16a46465cb4f

SHA1
30ce69605bd949dcb546e5091f6592207411318b

SHA256
194e16917ba83662adf6538df875a7cf807bc19d04926c2a026a7eb629b29c79

SHA512
6d5e1dbab5f23ef07fe661c4004fd158b791796f63e68524c67cd569eb16e27ce6c1d2f91b279ccf10ca3144c55c5f14851796f6463d9b409f38b3b5e3f24742

Download Submit
C:\Users\Public\Documents\ntuser{4CB43D7F-7EEE-4906-8698-80BEAA2A80A5F801}.pol
MD5
c2034cd093335ba6a60f16a46465cb4f

SHA1
30ce69605bd949dcb546e5091f6592207411318b

SHA256
194e16917ba83662adf6538df875a7cf807bc19d04926c2a026a7eb629b29c79

SHA512
6d5e1dbab5f23ef07fe661c4004fd158b791796f63e68524c67cd569eb16e27ce6c1d2f91b279ccf10ca3144c55c5f14851796f6463d9b409f38b3b5e3f24742

Download Submit
C:\Users\Public\Documents\ntuser{4CB43D7F-7EEE-4906-8698-80BEAA2A80CD9101}.pol
MD5
c2034cd093335ba6a60f16a46465cb4f

SHA1
30ce69605bd949dcb546e5091f6592207411318b

SHA256
194e16917ba83662adf6538df875a7cf807bc19d04926c2a026a7eb629b29c79

SHA512
6d5e1dbab5f23ef07fe661c4004fd158b791796f63e68524c67cd569eb16e27ce6c1d2f91b279ccf10ca3144c55c5f14851796f6463d9b409f38b3b5e3f24742

Download Submit
C:\Windows\SysWOW64\pptpctf.exe
MD5
aa23771021fafb396bc8a7cc2c4e519d

SHA1
208cabf12cea965a9aece89b05c2a13517876354

SHA256
e7cfee9e1b63eaf05cc611eea93e9a4825f621144d902d6290a674502aea8837

SHA512
224e39dc79e71bfd9373d10117bcc62d1cae4554241b92df04592e507c3f99152bbe85992839eb4ecc4359b875f7eae7d860223fd096bac8ea084173531c526e

Download Submit
C:\Windows\SysWOW64\pptpctf.exe
MD5
aa23771021fafb396bc8a7cc2c4e519d

SHA1
208cabf12cea965a9aece89b05c2a13517876354

SHA256
e7cfee9e1b63eaf05cc611eea93e9a4825f621144d902d6290a674502aea8837

SHA512
224e39dc79e71bfd9373d10117bcc62d1cae4554241b92df04592e507c3f99152bbe85992839eb4ecc4359b875f7eae7d860223fd096bac8ea084173531c526e

Download Submit
memory/3672-117-0x0000000022F10000-0x0000000022F5E000-memory.dmp

Filesize
312KB

Download
memory/3672-118-0x0000000000400000-0x00000000022C2000-memory.dmp

Filesize
30.8MB

Download
memory/3888-121-0x00000000086D0000-0x000000000881A000-memory.dmp

Filesize
1.3MB

Download
memory/3888-122-0x0000000000400000-0x00000000022C2000-memory.dmp

Filesize
30.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads