Malware Analysis Report

2025-01-18 02:38

Sample ID 220205-mqqcnaafhl
Target bf46f077e141459e3dd7c2e481031329a1cb9180995fc43734e137feb5c623fe
SHA256 bf46f077e141459e3dd7c2e481031329a1cb9180995fc43734e137feb5c623fe
Tags
hawkeye_reborn m00nd3v_logger collection keylogger rezer0 spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf46f077e141459e3dd7c2e481031329a1cb9180995fc43734e137feb5c623fe

Threat Level: Known bad

The file bf46f077e141459e3dd7c2e481031329a1cb9180995fc43734e137feb5c623fe was found to be: Known bad.

Malicious Activity Summary

hawkeye_reborn m00nd3v_logger collection keylogger rezer0 spyware stealer trojan

M00nd3v_Logger

HawkEye Reborn

M00nD3v Logger Payload

ReZer0 packer

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

outlook_win_path

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-05 10:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-05 10:40

Reported

2022-02-05 10:43

Platform

win7-en-20211208

Max time kernel

137s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

M00nd3v_Logger

stealer spyware m00nd3v_logger

M00nD3v Logger Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ReZer0 packer

rezer0
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | bot.whatismyipaddress.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 840 set thread context of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 840 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Windows\SysWOW64\schtasks.exe
PID 840 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Windows\SysWOW64\schtasks.exe
PID 840 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Windows\SysWOW64\schtasks.exe
PID 840 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Windows\SysWOW64\schtasks.exe
PID 840 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 840 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe

"C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGCsZVSPdCGAaI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBA0.tmp"

C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp

Files

memory/840-55-0x0000000001100000-0x00000000011F0000-memory.dmp

memory/840-56-0x0000000076371000-0x0000000076373000-memory.dmp

memory/840-57-0x0000000001030000-0x0000000001031000-memory.dmp

memory/840-58-0x0000000000310000-0x0000000000318000-memory.dmp

memory/840-59-0x0000000007EB0000-0x0000000007F48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBBA0.tmp

MD5 b7ac982f0c7e55ba4f2d38e02ddc7485
SHA1 86c8813c31f1385161a4b04db962e8489880d314
SHA256 01b93d3d89dafc9b2ebf889d4011b304f93e8f6f1d74b3435c688402163ae2bc
SHA512 a0729cd06f1a19ad4f54258bb23132b2834e818a46036121632c484d1e32edaa7e63915b7c127a7ccb7bd0c7b8290b91a69e9bf3bb543f7e5d5af6ae2f1f6006

memory/1772-61-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1772-62-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1772-63-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1772-64-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1772-65-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1772-66-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1772-67-0x00000000003C0000-0x00000000003C6000-memory.dmp

memory/1772-69-0x0000000004D00000-0x0000000004D01000-memory.dmp

memory/1772-70-0x0000000004D05000-0x0000000004D16000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-05 10:40

Reported

2022-02-05 10:43

Platform

win10v2004-en-20220112

Max time kernel

162s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

M00nd3v_Logger

stealer spyware m00nd3v_logger

M00nD3v Logger Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | bot.whatismyipaddress.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2336 set thread context of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3856" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4044" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006564" | C:\Windows\System32\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.347749" | C:\Windows\System32\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887076683451641" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2336 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2336 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2336 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2336 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 2336 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 2336 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 2336 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 2336 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 2336 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 2336 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe
PID 2336 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe

"C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe"

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGCsZVSPdCGAaI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6A8.tmp"

C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp
US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp
US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp
US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp
US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp
US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp
US | 40.91.73.169:443 | geo.prod.do.dsp.mp.microsoft.com | tcp
US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp
NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp
US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp
NL | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp
US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp

Files

memory/2336-130-0x00000000008D0000-0x00000000009C0000-memory.dmp

memory/2336-131-0x0000000005930000-0x0000000005ED4000-memory.dmp

memory/2336-132-0x0000000005380000-0x0000000005412000-memory.dmp

memory/2336-133-0x0000000005260000-0x0000000005371000-memory.dmp

memory/2336-134-0x0000000005530000-0x000000000553A000-memory.dmp

memory/2336-135-0x0000000008C00000-0x0000000008C9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA6A8.tmp

MD5 b176d7bf2f7b6999c805f8b0ac28c35b
SHA1 fb9c5d3e3fb98da0ec969d23a2e88edbf567242a
SHA256 73d0dbfae9c6da4cab06b1bf3cb0424d8bc14280510e6e8c63fa4c41ef94b10a
SHA512 97735dc2021f509389a7689f584077db1608a718e5677a1d5e63c75c072a5d99f8822041499d36bc58c8a9177f87ffb8b25c4ea9a7a1a074c5c1d9a73a285212

memory/2060-137-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2060-138-0x0000000005660000-0x0000000005661000-memory.dmp

memory/2060-139-0x0000000009D30000-0x0000000009D96000-memory.dmp