Malware Analysis Report

2025-01-18 04:58

Sample ID 220326-daa4cscccr
Target 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba
SHA256 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba
Tags
masslogger collection spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba

Threat Level: Known bad

The file 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger Main Payload

MassLogger

Reads user/profile data of web browsers

Deletes itself

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

outlook_win_path

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-26 02:47

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-26 02:47

Reported

2022-03-26 21:36

Platform

win10v2004-en-20220113

Max time kernel

136s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe"

Signatures

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
PID 2924 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
PID 2924 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
PID 2924 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
PID 1340 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1340 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1340 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1420 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe

"C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml"

C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe

"C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe'

Network

Country Destination Domain Proto
US 20.44.10.122:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.253.146.249:80 tcp
US 8.253.146.249:80 tcp

Files

memory/1340-130-0x0000000000000000-mapping.dmp

memory/1420-131-0x0000000000000000-mapping.dmp

memory/1660-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml

MD5 c673ecc050b1038f727be09aa61cb4b1
SHA1 d2960b6d62810ce8745f6353d6924ae79af01e7e
SHA256 8f2648a15094c455e21cab1ba01133d9d9d17caaab1bb2ee782da160898880e4
SHA512 d6b75c8068c3d9208585413f7a799f69b05e141446d09925f9aae34ac65c0745f37196ec3aeb369e2c8dea6ddfcc55c07fe8f227a06d79dfa408f3d2315c29e6

memory/1420-134-0x0000000005AE0000-0x0000000005B72000-memory.dmp

memory/1420-135-0x0000000006390000-0x0000000006934000-memory.dmp

memory/1420-136-0x0000000005E50000-0x0000000005EB6000-memory.dmp

memory/2692-137-0x0000000000000000-mapping.dmp

memory/2692-138-0x0000000002C40000-0x0000000002C76000-memory.dmp

memory/2692-139-0x00000000056C0000-0x0000000005CE8000-memory.dmp

memory/2692-140-0x0000000005530000-0x0000000005552000-memory.dmp

memory/2692-141-0x0000000005E60000-0x0000000005EC6000-memory.dmp

memory/2692-142-0x0000000006500000-0x000000000651E000-memory.dmp

memory/2692-143-0x0000000002C35000-0x0000000002C37000-memory.dmp

memory/2692-144-0x0000000007CF0000-0x000000000836A000-memory.dmp

memory/2692-145-0x00000000069F0000-0x0000000006A0A000-memory.dmp

memory/2692-146-0x0000000007510000-0x00000000075A6000-memory.dmp

memory/2692-147-0x0000000007470000-0x0000000007492000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-26 02:47

Reported

2022-03-26 21:36

Platform

win7-20220311-en

Max time kernel

4294180s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 284 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
PID 284 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
PID 284 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
PID 284 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
PID 284 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
PID 2008 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2008 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2008 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2008 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1992 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe

"C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml"

C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe

"C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp
US 8.8.8.8:53 mail.ch00zen1.website udp

Files

memory/284-54-0x0000000075471000-0x0000000075473000-memory.dmp

memory/2008-55-0x0000000000000000-mapping.dmp

memory/1992-56-0x000000000040188B-mapping.dmp

memory/1988-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml

MD5 de0568b191c83304806f799becda4ebb
SHA1 fa173d7dbcfbff032aed5c0c78f2e77758acfbac
SHA256 5a76e8ae2a68014deae6999886f074625e6397692d1578697c76e47a2ba2f442
SHA512 1190c6ec33d231d18f52cad4e5ed234f8670fad22acb05292c5cd9dc9a96d3f7cbc6d6dbdca8bf18f9852aff3b0c1a04721f82d7f43133ae66f8c8680f80eb5d

memory/1992-60-0x0000000004880000-0x000000000490C000-memory.dmp

memory/1480-61-0x0000000000000000-mapping.dmp

memory/1992-63-0x00000000011F0000-0x000000000122E000-memory.dmp

memory/1992-64-0x0000000005DF0000-0x0000000005E80000-memory.dmp

memory/1992-65-0x0000000004989000-0x000000000499A000-memory.dmp

memory/1480-66-0x000000006EEF0000-0x000000006F49B000-memory.dmp

memory/1480-67-0x0000000002350000-0x0000000002F9A000-memory.dmp

memory/912-68-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 a5bb49498ea4cea09b3ccaf8d146a47a
SHA1 0911e2b9b5e3cef982c1908bef2fe408f9932acf
SHA256 825a65a42e511cbdc774c783e853f5bd08f3afd59b1ae5d3ba45de1a3b259db9
SHA512 1d94aad6b6a12f043bda78c4071091402a0788c7f382c117813217df6acd041eabf9079461ef7aefda43c740bcee14d08489f0d398f151740c604198b1adc1f7

memory/912-71-0x000000006EEF0000-0x000000006F49B000-memory.dmp

memory/912-72-0x0000000002510000-0x000000000315A000-memory.dmp