Malware Analysis Report

2025-01-18 04:57

Sample ID: 220326-2873raaed5
Target: 8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f
SHA256: 8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f
Tags: masslogger collection spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f

Threat Level: Known bad

The file 8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger

MassLogger Main Payload

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Enumerates physical storage devices

Delays execution with timeout.exe

Creates scheduled task(s)

outlook_office_path

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-03-26 23:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-03-26 23:16
Reported: 2022-03-28 12:41
Platform: win7-20220311-en
Max time kernel: 4294183s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 572 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 548 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 548 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 548 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2000 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2000 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2000 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2000 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2000 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 2000 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 2000 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 2000 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 564 wrote to memory of 960 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 960 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 960 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 960 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe

"C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1BCA.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp1BCA.tmp.bat

MD5 2b51e9fd34777129b4e903f33c074642
SHA1 58be10870041c192c43765ae8600e0aee7d11101
SHA256 eb76ffe3366d33ecb6a06f004138035782333d909d46c8158e6cbdf4816bc1d0
SHA512 ab76eacd54ac01f21946b86088869fdcf0bb6c6d732fc49dd80a59f49e3e2dea5226dd59f4edba098aabbbda11b57b36982c2c38371cd56267a9a471a8dfa224

\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

MD5 a3b4d25af01edf5fe34fd6e13a1381e6
SHA1 3a60499205fa92a581d3b6cb232fc8ed8d750088
SHA256 8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f
SHA512 d9269e5c8bbf672ef32e8f74d61bdd3abaa991a74fb092ca5dc7f9a25b8bb7cd0dc09b59b823336edcc9b18d226b9b8e518ac2ca710e2c9bd8ce5452b9ccc5b0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 89ac079495743cbbfda0d932adee7bc1
SHA1 c4aa6af3ee8a67cd3ed67d34faa9b8b34643f57b
SHA256 a4faf8189747309aa8668cce25b3b857ce5f9182c49d01f46fa5f910a303a867
SHA512 2458fd46bcf428cef4babc89c7c1451c5dccd23c282764e50a57f1046ba0f9bb00dc0fcdae4e129797bcfd90b31cf83d804c46c95c94b66a206082c142ae9b19

Analysis: behavioral2

Detonation Overview

Submitted: 2022-03-26 23:16
Reported: 2022-03-28 12:51
Platform: win10v2004-20220310-en
Max time kernel: 133s
Max time network: 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3948 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4380 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4380 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4060 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4060 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4060 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4060 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 4060 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 4060 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 1284 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe

"C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C6E.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp
NL 8.238.21.254:80 tcp
NL 8.238.21.254:80 tcp
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp

Files

memory/3948-134-0x0000000000070000-0x00000000000E2000-memory.dmp

memory/3948-135-0x00000000050C0000-0x0000000005664000-memory.dmp

memory/3948-136-0x0000000004B10000-0x0000000004BA2000-memory.dmp

memory/3948-137-0x0000000004AB0000-0x0000000004ABA000-memory.dmp

memory/3948-138-0x0000000007060000-0x00000000070D6000-memory.dmp

memory/3948-139-0x0000000007010000-0x000000000702E000-memory.dmp

memory/3948-140-0x00000000084D0000-0x0000000008536000-memory.dmp

memory/2960-141-0x0000000000000000-mapping.dmp

memory/3948-142-0x00000000086E0000-0x000000000877C000-memory.dmp

memory/2960-143-0x00000000021E0000-0x0000000002216000-memory.dmp

memory/2960-145-0x0000000004E70000-0x0000000005498000-memory.dmp

memory/3948-144-0x0000000004B03000-0x0000000004B05000-memory.dmp

memory/2960-146-0x0000000004B30000-0x0000000004B52000-memory.dmp

memory/2960-147-0x0000000004DD0000-0x0000000004E36000-memory.dmp

memory/4380-148-0x0000000000000000-mapping.dmp

memory/4060-149-0x0000000000000000-mapping.dmp

memory/1572-151-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8C6E.tmp.bat

MD5 f0a2091e01c4caab167d64d2c14a3c2d
SHA1 83536fd7b95ee98438506cfde8c006514c814ae1
SHA256 0157ebb01fc0604d0e798097286f2b6bfac6bcbaf93d71a117c7431c9ac7c23b
SHA512 3e65d18ba27477230b2cd3c6eb077b186add49d6c35c8cb11007ae89a5e400958c3e0e91096f9ca9b7158377403ebe78639fb174824342b8e78d08515b94eab8

memory/2348-152-0x0000000000000000-mapping.dmp

memory/2960-153-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

memory/2960-154-0x0000000004835000-0x0000000004837000-memory.dmp

memory/2960-155-0x00000000060C0000-0x00000000060F2000-memory.dmp

memory/2960-156-0x0000000074C70000-0x0000000074CBC000-memory.dmp

memory/2960-157-0x0000000006090000-0x00000000060AE000-memory.dmp

memory/1284-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

MD5 a3b4d25af01edf5fe34fd6e13a1381e6
SHA1 3a60499205fa92a581d3b6cb232fc8ed8d750088
SHA256 8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f
SHA512 d9269e5c8bbf672ef32e8f74d61bdd3abaa991a74fb092ca5dc7f9a25b8bb7cd0dc09b59b823336edcc9b18d226b9b8e518ac2ca710e2c9bd8ce5452b9ccc5b0

C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

MD5 a3b4d25af01edf5fe34fd6e13a1381e6
SHA1 3a60499205fa92a581d3b6cb232fc8ed8d750088
SHA256 8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f
SHA512 d9269e5c8bbf672ef32e8f74d61bdd3abaa991a74fb092ca5dc7f9a25b8bb7cd0dc09b59b823336edcc9b18d226b9b8e518ac2ca710e2c9bd8ce5452b9ccc5b0

memory/2960-161-0x0000000007460000-0x0000000007ADA000-memory.dmp

memory/2960-162-0x0000000006E10000-0x0000000006E2A000-memory.dmp

memory/2960-163-0x0000000006E80000-0x0000000006E8A000-memory.dmp

memory/2960-164-0x0000000007090000-0x0000000007126000-memory.dmp

memory/2960-165-0x0000000007040000-0x000000000704E000-memory.dmp

memory/2960-166-0x0000000007150000-0x000000000716A000-memory.dmp

memory/2960-167-0x0000000007130000-0x0000000007138000-memory.dmp

memory/2572-168-0x0000000000000000-mapping.dmp

memory/1284-170-0x0000000008140000-0x0000000008190000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/1284-171-0x0000000004963000-0x0000000004965000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b597c90d8967bc27104d9fc54c32a6d4
SHA1 d6d0182c3367bf7b87941f05baff2d27532ec1be
SHA256 c57652ded43ff393f9d0b51c1709b30c4c8ebedf6040942f3b2510dc3dd15b46
SHA512 8e7211b0dd60683c11491c3ef23ade022aa2900e7ffec304e4d183bbc0668121f7440d36af113cc8074d504698d1269f0c46a555ac460d72bda1ff01997bbb72

memory/2572-173-0x000000006F650000-0x000000006F69C000-memory.dmp

memory/2572-174-0x0000000002695000-0x0000000002697000-memory.dmp