Malware Analysis Report

2025-01-18 04:57

Sample ID 220326-ghchyadfcl
Target 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3
SHA256 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3
Tags
masslogger collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3

Threat Level: Known bad

The file 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3 was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger

MassLogger Main Payload

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Reading the two detonations together (editor's summary of the tables below, not a sandbox signature): both runs share the same first stage, a task XML dropped to the user's Temp directory as 3bc9d0e4991c4127854c846f1c363314.xml and registered with schtasks /Create /TN name /XML, a second instance of the sample started and written into by the first (together with the SetThreadContext and MapViewOfSection hits, the process-hollowing pattern), and a powershell child. They then diverge. On win7 the powershell child is launched with Add-MpPreference -ExclusionPath for the sample's own path (the report records the launch, not whether the cmdlet, which Windows 7 does not ship, succeeded) and the stealer stage fires: Outlook profile and browser data access, an external IP lookup via api.ipify.org, and a connection to mail.turkaykalibrasyon.com on TCP 587, the SMTP submission port. On win10 the powershell child instead sleeps two seconds and deletes the original executable, no stealer signature fires, and the only network activity is one connection to 20.189.173.6:443 with no domain recorded. The task XML hashes differ between the two runs, so the XML file name and the task name "name" are the indicators shared by both, not the XML hash.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-26 05:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-26 05:47

Reported

2022-03-27 03:42

Platform

win7-20220311-en

Max time kernel

4294179s (not a real runtime: about 49.7 days, consistent with a 32-bit millisecond tick counter wrapping, so treat this kernel-time figure as a sandbox timer artifact; the network figure below is the meaningful one)

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Every row below has Process C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe and Target N/A, and every key sits under \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000 (the sandbox user's HKCU hive); the 35 single-operation rows are grouped here by key.

Operations Key (below the hive prefix)
created, queried Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
created, opened, queried Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
created, queried Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
created, opened, queried Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
created, queried Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
created, opened, queried Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
created, queried Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook
created, opened, queried Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
created, queried Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook
created, opened, queried Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
created, queried Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook
created, opened, queried Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
created, queried Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook
created, opened, queried Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Two things about this list matter for response. The subkey 9375CFF0413111d3B88A00104B2A6676 is where Outlook keeps per-account settings (addresses, server names and the encrypted password blobs), which is what a stealer is after. And Office 17.0 through 20.0 never shipped: the sample walks a fixed 15.0 to 20.0 version range and opens each profile key with create semantics, so on a host that only has Office 16.0 (or no Office at all) the "created" rows leave behind empty Office\17.0 to 20.0 Outlook\Profiles\Outlook keys, a cheap registry artifact to hunt for.

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 296 wrote to memory of 1076 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe C:\Windows\SysWOW64\cmd.exe
PID 296 wrote to memory of 592 (5 writes) N/A C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
PID 1076 wrote to memory of 1576 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 592 wrote to memory of 1488 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Repeated rows above are collapsed into a write count per writer/target pair. Writes from a parent into a child that runs a different binary (cmd.exe, schtasks.exe, powershell.exe) are typically the handful of writes process creation itself makes while setting up the new process and carry little signal on their own; the five writes from PID 296 into a second instance of its own image (PID 592) are the RunPE/process-hollowing pattern that the SetThreadContext and MapViewOfSection signatures also point at. PID 592 is the instance that goes on to spawn powershell.

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe

"C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"

C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe

"C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp
US 8.8.8.8:53 mail.turkaykalibrasyon.com udp
TR 95.173.177.131:587 mail.turkaykalibrasyon.com tcp

The 8.8.8.8:53 rows are the sandbox's DNS resolver, not sample infrastructure. The two destinations that matter are api.ipify.org over plain HTTP (the external IP lookup flagged above) and mail.turkaykalibrasyon.com on TCP 587, the SMTP submission port, consistent with MassLogger delivering its logs by SMTP. A hunt for this sample should therefore look for outbound TCP 587 from a process that is not a mail client as well as for the domain itself.

Files

memory/296-54-0x0000000076851000-0x0000000076853000-memory.dmp

memory/296-55-0x0000000000B60000-0x0000000000BFC000-memory.dmp

memory/1076-56-0x0000000000000000-mapping.dmp

memory/1576-58-0x0000000000000000-mapping.dmp

memory/592-57-0x000000000040188B-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml

MD5 de0568b191c83304806f799becda4ebb
SHA1 fa173d7dbcfbff032aed5c0c78f2e77758acfbac
SHA256 5a76e8ae2a68014deae6999886f074625e6397692d1578697c76e47a2ba2f442
SHA512 1190c6ec33d231d18f52cad4e5ed234f8670fad22acb05292c5cd9dc9a96d3f7cbc6d6dbdca8bf18f9852aff3b0c1a04721f82d7f43133ae66f8c8680f80eb5d

memory/592-61-0x0000000002210000-0x0000000002296000-memory.dmp

memory/592-62-0x00000000002C9000-0x00000000002DA000-memory.dmp

memory/1488-63-0x0000000000000000-mapping.dmp

memory/592-65-0x0000000004E40000-0x0000000004E7E000-memory.dmp

memory/592-66-0x0000000006550000-0x00000000065E0000-memory.dmp

memory/1488-67-0x000000006F040000-0x000000006F5EB000-memory.dmp

memory/1488-68-0x0000000002550000-0x000000000319A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-26 05:47

Reported

2022-03-27 03:43

Platform

win10v2004-en-20220113

Max time kernel

125s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"

Signatures

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1344 wrote to memory of 5112 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 4156 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
PID 1344 wrote to memory of 4184 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
PID 5112 wrote to memory of 4020 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4184 wrote to memory of 4564 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
PID 4564 wrote to memory of 952 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Repeated rows above are collapsed into a write count per writer/target pair. On this platform the first instance (PID 1344) started and wrote into two copies of its own image, 4156 and 4184; only 4184 continued the chain, writing into a further copy (4564), which is the instance that launched the self-deleting powershell. The same-image writes are the ones to treat as injection; the writes into cmd.exe, schtasks.exe and powershell.exe are the usual process-creation writes a parent makes into a new child.
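The per-call rows in the two WriteProcessMemory tables are easier to reason about as a de-duplicated edge list. The Python below is an added example, not part of the sandbox report and not MassLogger code: it parses rows in the sandbox's own "PID A wrote to memory of B" layout (reconstructed inline from the behavioral1 and behavioral2 tables with the same writer/target pairs and repeat counts), collapses the repeats into a write count per pair, renders the injection tree, and flags every target whose image is the writer's own image. The regex assumes image paths without spaces, which holds for every path on this page.

```python
import ntpath
import re
from collections import Counter

# One row per WriteProcessMemory call, in the layout the sandbox table uses:
# "PID <writer> wrote to memory of <target> <indicator> <writer image> <target image>".
# Paths on this page contain no spaces, so whitespace-delimited fields are
# unambiguous here; paths with spaces would need the sandbox's structured export.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")

S = (r"C:\Users\Admin\AppData\Local\Temp"
     r"\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Rows reconstructed from the behavioral1 and behavioral2 tables of this report
# (same pairs, same number of repeats); constructed input, not a log export.
BEHAVIORAL1 = (
    [f"PID 296 wrote to memory of 1076 N/A {S} {CMD}"] * 4
    + [f"PID 296 wrote to memory of 592 N/A {S} {S}"] * 5
    + [f"PID 1076 wrote to memory of 1576 N/A {CMD} {SCHTASKS}"] * 4
    + [f"PID 592 wrote to memory of 1488 N/A {S} {PS}"] * 4
)
BEHAVIORAL2 = (
    [f"PID 1344 wrote to memory of 5112 N/A {S} {CMD}"] * 3
    + [f"PID 1344 wrote to memory of 4156 N/A {S} {S}"] * 3
    + [f"PID 1344 wrote to memory of 4184 N/A {S} {S}"] * 3
    + [f"PID 5112 wrote to memory of 4020 N/A {CMD} {SCHTASKS}"] * 3
    + [f"PID 4184 wrote to memory of 4564 N/A {S} {S}"] * 4
    + [f"PID 4564 wrote to memory of 952 N/A {S} {PS}"] * 3
)


def parse_writes(rows):
    """Collapse per-call rows into Counter{(writer_pid, target_pid, writer_img, target_img): calls}."""
    edges = Counter()
    for line in rows:
        m = ROW.match(line.strip())
        if m:  # rows from other signature tables simply do not match
            w, t, _indicator, wimg, timg = m.groups()
            edges[(int(w), int(t), wimg, timg)] += 1
    return edges


def same_image_targets(edges):
    """PIDs written to by a process running the very same image: the RunPE /
    process-hollowing pattern, as opposed to the few writes process creation
    itself makes into a child that runs a different binary."""
    return sorted({t for (_w, t, wimg, timg) in edges if wimg.lower() == timg.lower()})


def render_tree(edges, root, depth=0):
    """Indented edge list under `root`, one line per writer->target pair."""
    lines = []
    for (w, t, wimg, timg), n in edges.items():
        if w != root:
            continue
        flag = "  <- same image as writer: hollowing candidate" if wimg.lower() == timg.lower() else ""
        lines.append(f"{'  ' * depth}{w} -> {t} {ntpath.basename(timg)} ({n} writes){flag}")
        lines.extend(render_tree(edges, t, depth + 1))
    return lines


if __name__ == "__main__":
    for name, rows, root in (("behavioral1", BEHAVIORAL1, 296), ("behavioral2", BEHAVIORAL2, 1344)):
        print(name)
        print("\n".join(render_tree(parse_writes(rows), root)))
```

Run stand-alone it prints both trees; behavioral1 comes out as one hollowing candidate (592, five writes) and behavioral2 as three (4156, 4184 and 4564), which is exactly the divergence between the two platforms that the raw per-call rows make hard to see.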

Processes

C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe

"C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"

C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe

"C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"

C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe

"C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"

C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe

"C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe'

Network

Country Destination Domain Proto
US 20.189.173.6:443 tcp
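The command lines, DNS and network rows recorded in the two detonations are enough to write host-level detections for this sample's first stage and for the win7/win10 divergence. The Python below is an added example, not sandbox output and not from the MassLogger project: it runs six rules over constructed Sysmon-style events (the field names, event ids and the two benign control rows are assumptions of the example; the malicious rows are built from the command lines, PIDs and destinations listed in this report). The rules are: schtasks /Create with an XML under the user's Temp directory; Add-MpPreference adding a Defender exclusion; powershell deleting its own parent's executable; a Temp-dir binary starting a copy of itself; a DNS query to a public what-is-my-IP service; and a Temp-dir process connecting to a mail submission port.

```python
import re

# Constructed Sysmon-style events modelled on the two detonations in this report
# (not a log export). id 1 = process create, 3 = network connect, 22 = DNS query.
# The field names are an assumption of this example.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"

EVENTS = [
    {"id": 1, "pid": 296, "image": SAMPLE, "parent": r"C:\Windows\explorer.exe",
     "cmd": f'"{SAMPLE}"'},
    {"id": 1, "pid": 1076, "image": CMD, "parent": SAMPLE,
     "cmd": f'cmd /c schtasks /Create /TN name /XML "{TASK_XML}"'},
    {"id": 1, "pid": 1576, "image": SCHTASKS, "parent": CMD,
     "cmd": f'schtasks /Create /TN name /XML "{TASK_XML}"'},
    {"id": 1, "pid": 592, "image": SAMPLE, "parent": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"id": 1, "pid": 1488, "image": PS, "parent": SAMPLE,
     "cmd": f"\"powershell\" Add-MpPreference -ExclusionPath '{SAMPLE}'"},
    {"id": 1, "pid": 952, "image": PS, "parent": SAMPLE,
     "cmd": f"\"powershell\" Start-Sleep -Seconds 2; Remove-Item -path '{SAMPLE}'"},
    {"id": 22, "pid": 592, "image": SAMPLE, "query": "api.ipify.org"},
    {"id": 3, "pid": 592, "image": SAMPLE, "dst": "95.173.177.131", "dport": 587},
    # Benign controls (constructed): an admin-registered task and a real mail client on 587.
    {"id": 1, "pid": 900, "image": SCHTASKS, "parent": CMD,
     "cmd": r'schtasks /Create /TN Backup /XML "C:\ProgramData\Backup\task.xml"'},
    {"id": 3, "pid": 901, "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "dst": "203.0.113.25", "dport": 587},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
IP_LOOKUP_SERVICES = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org", "icanhazip.com"}
MAIL_PORTS = {25, 465, 587}


def arg_after(cmd, flag):
    """First quoted or bare token that follows `flag` (a regex) in a command line."""
    m = re.search(flag + r'''\s+(?:"([^"]+)"|'([^']+)'|(\S+))''', cmd, re.I)
    return (m.group(1) or m.group(2) or m.group(3)) if m else None


def detect(events):
    """Return [(rule, pid), ...] for every event matching one of the behaviours."""
    hits = []
    for e in events:
        pid, img, cmd = e["pid"], e.get("image", ""), e.get("cmd", "")
        if e["id"] == 1:
            # Persistence: task registered from an XML dropped in the user's Temp dir.
            if img.lower().endswith("\\schtasks.exe") and re.search(r"/create\b", cmd, re.I):
                xml = arg_after(cmd, r"/xml")
                if xml and TEMP_RE.search(xml):
                    hits.append(("schtasks_xml_from_temp", pid))
            # Defence evasion: Defender exclusion added from the command line.
            if re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", cmd, re.I):
                hits.append(("defender_exclusion_added", pid))
            # Anti-forensics: powershell deleting the executable of its own parent.
            target = arg_after(cmd, r"Remove-Item\s+-path")
            if target and target.lower() == e.get("parent", "").lower():
                hits.append(("powershell_deletes_parent", pid))
            # Injection staging: a Temp-dir binary starting a copy of itself.
            if img.lower() == e.get("parent", "").lower() and TEMP_RE.search(img):
                hits.append(("self_spawn_from_temp", pid))
        elif e["id"] == 22 and e["query"].lower() in IP_LOOKUP_SERVICES:
            hits.append(("external_ip_lookup", pid))
        elif e["id"] == 3 and e["dport"] in MAIL_PORTS and TEMP_RE.search(img):
            hits.append(("mail_submission_from_temp", pid))
    return hits


def by_pid(hits):
    """Group rule names by pid so a process with several hits stands out."""
    out = {}
    for rule, pid in hits:
        out.setdefault(pid, []).append(rule)
    return {pid: sorted(rules) for pid, rules in out.items()}


if __name__ == "__main__":
    for pid, rules in by_pid(detect(EVENTS)).items():
        print(pid, ", ".join(rules))
```

The parent-deletion rule needs the parent image, which Sysmon event 1 carries as ParentImage; the self-spawn rule is a weak signal on its own and earns its noise only in combination, which the grouping by pid makes visible: PID 592 collects the self-spawn, the external IP lookup and the port 587 connection, while the two benign control rows produce nothing.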

Files

memory/1344-133-0x00000000005B0000-0x000000000064C000-memory.dmp

memory/5112-134-0x0000000000000000-mapping.dmp

memory/4156-135-0x0000000000000000-mapping.dmp

memory/4184-136-0x0000000000000000-mapping.dmp

memory/4184-137-0x00000000005B0000-0x000000000064C000-memory.dmp

memory/4020-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml

MD5 c673ecc050b1038f727be09aa61cb4b1
SHA1 d2960b6d62810ce8745f6353d6924ae79af01e7e
SHA256 8f2648a15094c455e21cab1ba01133d9d9d17caaab1bb2ee782da160898880e4
SHA512 d6b75c8068c3d9208585413f7a799f69b05e141446d09925f9aae34ac65c0745f37196ec3aeb369e2c8dea6ddfcc55c07fe8f227a06d79dfa408f3d2315c29e6

memory/4564-140-0x0000000000000000-mapping.dmp

memory/4564-141-0x0000000005480000-0x0000000005512000-memory.dmp

memory/4564-142-0x0000000005AD0000-0x0000000006074000-memory.dmp

memory/4564-143-0x00000000053E0000-0x0000000005446000-memory.dmp

memory/952-144-0x0000000000000000-mapping.dmp

memory/952-145-0x0000000002CF0000-0x0000000002D26000-memory.dmp

memory/952-146-0x0000000005700000-0x0000000005D28000-memory.dmp

memory/952-147-0x00000000055E0000-0x0000000005602000-memory.dmp

memory/952-148-0x0000000005EA0000-0x0000000005F06000-memory.dmp

memory/952-149-0x00000000065A0000-0x00000000065BE000-memory.dmp

memory/952-150-0x0000000002CE5000-0x0000000002CE7000-memory.dmp

memory/952-151-0x0000000007DF0000-0x000000000846A000-memory.dmp

memory/952-152-0x0000000006A00000-0x0000000006A1A000-memory.dmp

memory/952-153-0x0000000007810000-0x00000000078A6000-memory.dmp

memory/952-154-0x0000000006B70000-0x0000000006B92000-memory.dmp