29387fe801f8473709ba8c3263b5f8d7ff0e6368f066d3533a62d382ef9e79fe | Triage

Analysis

max time kernel
121s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
17-03-2022 01:02

Sharing

Report Analysis Logs

General

Target

mailsend.exe
Size

1.2MB
MD5

ac23b87f8ec60ddd3f555556f89a6af8
SHA1

3cea6f84757d15ee8d7fa19d3dfc4992c50aa90c
SHA256

80a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4
SHA512

57e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000f87f5ae1ac43f6bb86f2b528c2f17b4f4ab2f72135284b9a5ba120ee2a5579cd000000000e8000000002000020000000bca12fa1e4ff918e13bd524b438bdd0fc569c6cd46dace4059001d4e9acb294b100d0000c2c39f5612725c8aae5f4dc7bead9f6522f52d8c0fcc4e666f76e83565c44a465f352790c24641c86b742d89266130342632eb4aac042e48e4b6ffe743138c4b72d2ec19f70166dbe2961d23e6471090119b8e0b69d6e5e2bc8e921ee52133523cb41a7d7b75476a2502dafa55b86d10d523557565f803975031548121b22db244d2e9370311afdfeb742e977288eb555f48b4038a028c5af0c451d906f5944bbf8f9e4b653478fec559e64ee71eaad5d5fefb4cc2e522bdba1b5ea1ce64ce7cf56080968448f2145553593ea7856f38d1a567f515abd855e339ba2643fcb7a6b12737e8704998c2b3e9bfab735cf3ab9474d25cf842c9cda03a81cbc359065762336a30535a998de639aa4f37bfce88fa8d2b8974e20354df042737a39108b247b57414e3d4083facbccef5c8fdbadca8eaba83778edd69de39fb39c845ea68c57f5ac8950a26542201e7965c3b752295858415ea5051d698bf44543b9248ec057c6ffee88e40ecd8e9a1b2e935c33174e6722b5f2ecda071567bb026a7d25053e899e398339a05706c15200beba00e3e6153b3c76f84b45f0a502f7f8b6542545e86ca2ca8bc3d305be3c829cb04884130a56ff6e5b5ee243b26a17f31160c26c50483f23d14532fc9a665df10c5a696a3bbed460f303f93eb151831ab2601aec9db2c85a4ee034cca3fa240546fc944ab49a909c8df2b4ca603bb704c05d7ca61c66d7f81938a66bc4e96fef24f7989d26de55553a6f6bcbb5d39e252322e9467d483eddb1be9544bd8af894e1842e196d7a9714cf87f015a68b3ba2194e1d7285174303b1d3f2c7ae7a7da5e72702813c52edeb6fd72fd75103ae5b02cd53c8dce5b7141bdc4aab20dafae2e6f1a63e09f4217ebf5d7a87d105c4398963d48369daee2de5554708b7325106d9ac811e486719a6c7b408ea0582daad24ddeedf8facc52d5108f97746b7777967b6200bf5e3e96137ac40c52f5b4a9cd7b5f705ac0a49aeef8f98825dc267b6757c8ca6e97c1fa7c8eb38c98685dd43b2add2d2391ec1cb4ae0d1327da3c8e86d43dda7e165a6b4e3fcf5c82cf124b3a790b91ed8a790f0e1b8a49e02d073ebb8c1fc4291f2c9c5e26b271c4d23697b7315e9dfe35c96d46385a8f863b48d7be24a7c6d400498891c15f53c223403db6d0652e41034d12a2fc3cb3deddb9ee240a4b1e2c2d851456a91ee2b9459aade6e38a16fedd825769801eb0bf527f4757e5e1e813a29e41b489223d991cd07e7295a76106c45de5bdb4b7294ddc71167152fcd87f15efb6e3696e798c174418da8fe9d94bd49d8a360a3f9f24bfbdd1a83d61c343b75d9291d5e33bfe33966922e2eaa5d4646a90a34a7ddee6bf8766c233239867e3988d35e9cb9c77118f43e0bb04656e17ba9e11214604619e2070ae33a49f0d8baf2bd60b78271c2cd70c03c6d535a3968afd8b0eb562a3f63cc2654b1bb6c33b0bfbf7dd9e03cc0494fe3abbcb1e14cbc2fd1947794d9faef6c76d8c1efc78912aacfd4c8f834d0e7b8fa051a5bd47728fb9e5a48189a358cdb75c68aa100691eafb60ef651a7b76c3d820eff9dcc549c4aa5600997b7e6ec93d25bcf0e5ab1871cc948aede5d6b701083720a0b5da2b3b5f4d7b32e134706b75912384e608eb2c4d54d1772a3e3e89e305a9943b37c02dbe5c7a6232800c12267959fe5adef8c6c16f35dd1bc828063d2c7aaba0573daaf550fb5973406e3119ba43608651fce8727940330cc25d2ed388c11c8d3580423777b5ee4dfd447cd6fe08fd3e2694be398867c37c493779a68f8b2873d4f3b82fb99eca3f47125a29e1ed08ff8949271ea4b0637a6eabb9878bb1f2b67dda1e1106b7b8b331b114fdc683d67ca75eb17bcef39195da27e364234a4a5abb25886516248961b5b1dfffc3747be1b1d90ba52263637d4b1209eb905da3012805e0ebd6c63545c32ef65952bc94917c9797bd29afb0669e41ad21f32727da2af27617cb46649615fe5063ba35f9eb2a742a356c2be454b635392678a4d1dc24584a38d19c61a43f014b2b3d4e42ef411727da5991b4d0ba514026e6109d7e75db210cbba9d64465bafa86b14d2cb485b35f8d85b7f360d4f6460acb8ae13ff40d14e939b811926283694baf9ac8eb46961dc526a2a4774137325c5300139837dda78fbfe4c6b7107ba929c8470ecd3f4c2a9f0003b61867a8611a2bf1493f3b7be2b8b2dde8b7a0536db3151a6ec6d88e10b805b33d8494127d94845575ae3b6246c0cc7cca03fd7ffb0726532cc0b47de848e3999cd9bdd1b7bc2ee8d4ce4c9b6ebfe6e1536c039b1a9e17664b0354f78b0bf283947725fbfca023478927361bd0f5406eba28be15f87d1007d072a5b2bf756c0c8614963d180a451ae45df81a34ba3eb54477e69a9c47a90814bced6eb90d18c0dbf29abf3b25eaa78c83f623c4ae8ad3c9ca8401715fa7e6782e2b621f1e47e61129115f81a96a505c8f1ec6e81aba89e419f55db8cc455c793bc96e7e0992eb4d1967bb54cd4e1529c51ca167add7bbcc6cb42f89b635ff954054c10396b74a19708b192fa8e8948def4b00e2a8794941dd93964c694d727ebf8020a3ad42b89a5685e2b9da30188f66e98bdb85e88382a96017ca6773d1110e9b0548006c17b52ef0eefb5b1a68c7c3b0b1a918806a401d2161b19dfedf55b8532d61238981f818fc1846edd03c0f278555d45dbb0a9c531963518991f6672e56feb23b0f71f86de096ab51f5cbf1833444d23c27571f727ae67dd07480fe7e2b02d540a853e30840589d236b9810ca87478ca586c3b9df8c95640119ef33e4e3a96ed037f88ddea3be095723dae31a6c376cf2757b24021338da0aabd1a41cd22ac13e8097b06958376349a12a45f438792f782a570ad2d936506d4a9adc3e13b2286b316258b842a27e809e9cdf6ea7c6bc8db56d48f4b336bb18149a2157ce5a2adde588e12519f82292e72a9ea4f0a325ebebe97db1c101acef4f38f1f9cea94dd3855e72389f45b988d92a04910a72648c2d481d3b55ec70bccddfe7ac605031b65507d86f60912c4db892e6461e7e3a4515e6d42c9a63ce16ae254be75e2f196286fd92ef69f5158f58893b0b0b3db9fa7a218420670f1deb37e8eca7f92b92edcf3b8bbb2491fc76dc17f74b601542a21505c4f6916a0394f3378ab3f3a9069ac5beb544af22853faac3c2dd06d86d50c77b4b1dfee204b4da58d8ddc615c73954c7d647cdcbb36306c3fdf2ef0eb69c82bfc90c3ced43376bc1ff96d451cacb610d37161ede2c177f2a49b1005fa0993e108e5c9b582a201687b85c4d60e701367075a910de8edbc4f54b2e16e0e9d32be20533cb5b9ff8717e17fc4c9cbc989badcdc3efaa91ba10d53ca6df9355028ea148f7e690aea62d571c803660c2794fb436b89d6494d21a08d75b07c9dd2e8716b5bf514fa26a261a78d6aa2feb0c097e5e2bc2d6066944edccc6dcd13b86d3104f9404312ee30d18b548559d22c4a5aa67d878ef9dd485082eff73f1da3de20b7f244cc57052674a6bd02b3d684b090b148a5cd9d58611e58519933b25a937cce094f920b724bc0e35376037bb611f8b1596f2ba76ea0e1dd1e2e00f6733a3f84bbfd644a3d7cb72b4ed5b28d803ea168df22d0725e1545f071dbefeca9b1c52728b095c9020c16edead2525fd9cf8c8eb0fce19d2f03ec5e383de13fa86a8ee04ed493e5b1772064ee9780d65394c455c15b757df9a327fbc517d99752a62568c90aae73e35ad0eca0b01b9316203f84f26b569cae95ce693a64582db5e73dcb7391b63fe53475f5f0a241511e54ed0634dbafdcdc861579866d2b0ca4d3f0844dd954db65244d8a5aea595634613796feda073405c30fdd4ebce1197701b7398de45b6eca283935dd3c31e7e5098018043db52c077cd8b305fc3f51d97d47239c5f0d82125bd36ca09937fafcdecdc65c4adfa9a506adb13f430d95838edfa840fcd9ac2b946520198982f522cb241ffcef21b14dcf3c0e1dde25046582496d11b07a7e5c07df52187bbdbb854037c0e0d8206735b7cc2dad5bfed0b66b2fff62d7b7e80e93b76d384d3d1cf0d185753d186a8b6356f7988fbda2f44f36aff8445c16b4361e7a1afa352b93e7340269ba3fc3441e66a96b50f7e1bfe3a3f78427433937f990649bbb7884302d5fac2acc34ae1cc51fa1f602083d4d85af1b7e728fde0c455ee9ef957badc0f56614f036b42b2592f90f28152b7d819ca8f5060072eff889d33ec892b682b08abe670d5405596cd995d58de77bfa105ab49d1eae4400feff7c3cbbce4a3a407bcc56d52ec1825cd0e1f3259d0ebd455763141a3572231901c62e559d46cf35beefe87f0eaa49f9ccc750f4c91c906d5bc57495f68a1828098cda6fcbcc6c3f047c87e72aa9fe37b4c1ebc4f3c7b1ec5fb5fe2700562a09788675c15a1f1b606fad853dde0d416156b933c803d6e065b697590cf24a31426422b008a58be59455c69ec5abe85ca77027d2ece42bd9b3f3bf683450a3fc5cb84da553dbeeab814fe89425e0ccc47358345748f897fd386937cf82aa961d6fad150d49f5da4e3d7fd92e1a79c00aa7dec2084a40c53bbe8dc9648f9730deb2771d41d94d9b4acc293dd976f3041d64c6c9e03f020926328ef8544d7d528f3a981ebb12d963f47088a12297c48124807109f08d2f7a0e1b8c0e1a05efd5c342ceed30bf940000000f4a5e89adf0ed7cd1b6bdd3b1fe0c268f4fcefb66fc76c866e63a34014f8c8481ec8545fdcd389e7adabe66bacecb4417a5b7585b51acecc3f773ec1069681ca	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018C005D9B6D4DB"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018C005D9B6D4DB = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e0000000002000000000010660000000100002000000040b1f7bd3eac346ecce32f821a05b2ce75b8491b3f4d397db457ee9d5dcfb22d000000000e80000000020000200000006960b27f6f494c9b98343aa99509d753b8726f8dc0e54956371ea314a1e40de68000000066bdc7998f645d0391296c324ced13fb9eeba0cc766c1c46a4a469aea6ea1135647e83870c1a6dae882c0e76f796743042e08cb7bb30fe2189853b5609fd0eac3c12aefb47b687f7a596bcdffdd085c163634a34c0a5b2d782465cc182473fab8751d5c535361fc72c6b44cba898c00eeac7a9b7bef049ea2bfb13fe7f48404c400000009ae741c0337ef8cc64699f622a78887ee5c670a907c43f82d2656d0e36ec77b7deae5307088ff80d9c87b2e47824a25ac51aeb2d0e6922574156b960f8a71158	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3532	mailsend.exe
3532	mailsend.exe

C:\Users\Admin\AppData\Local\Temp\mailsend.exe
"C:\Users\Admin\AppData\Local\Temp\mailsend.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:4288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads