Analysis Overview
SHA256
98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511
Threat Level: Known bad
The file 98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511 was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
Deletes itself
Reads user/profile data of web browsers
Checks computer location settings
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: MapViewOfSection
outlook_win_path
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-26 07:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-26 07:25
Reported
2022-03-27 03:26
Platform
win7-20220311-en
Max time kernel
4294180s
Max time network
130s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2016 set thread context of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
"C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
"C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | mail.ch00zen1.website | udp |
Files
memory/2016-54-0x0000000075D31000-0x0000000075D33000-memory.dmp
memory/320-55-0x0000000000000000-mapping.dmp
memory/664-56-0x000000000040188B-mapping.dmp
memory/472-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml
| MD5 | de0568b191c83304806f799becda4ebb |
| SHA1 | fa173d7dbcfbff032aed5c0c78f2e77758acfbac |
| SHA256 | 5a76e8ae2a68014deae6999886f074625e6397692d1578697c76e47a2ba2f442 |
| SHA512 | 1190c6ec33d231d18f52cad4e5ed234f8670fad22acb05292c5cd9dc9a96d3f7cbc6d6dbdca8bf18f9852aff3b0c1a04721f82d7f43133ae66f8c8680f80eb5d |
memory/664-60-0x0000000000E50000-0x0000000000EDC000-memory.dmp
memory/1244-61-0x0000000000000000-mapping.dmp
memory/664-63-0x00000000050D0000-0x000000000510E000-memory.dmp
memory/664-64-0x0000000006100000-0x0000000006190000-memory.dmp
memory/664-65-0x00000000008B9000-0x00000000008CA000-memory.dmp
memory/1244-66-0x000000006EF20000-0x000000006F4CB000-memory.dmp
memory/1244-67-0x0000000002530000-0x000000000317A000-memory.dmp
memory/992-68-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | ea24895394a30917bcd977588ce517ec |
| SHA1 | 8cb5dba8c9936c97385e66eaf8c148f5e26a6be4 |
| SHA256 | 26d287d4ddb9d43462b19ea93d55f42c6d3dc5459e03f1a827c8cd66b1f83a5f |
| SHA512 | 9a1042935c2e19616aff1a3e23e41d0dd3274e91f539d1d499556245e7320e19dfcc54dbccdb2200de74f64539c891194f94781b94e90ac178e3dd80ed89dede |
memory/992-72-0x0000000002442000-0x0000000002444000-memory.dmp
memory/992-71-0x000000006EF20000-0x000000006F4CB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-26 07:25
Reported
2022-03-27 03:26
Platform
win10v2004-en-20220113
Max time kernel
92s
Max time network
158s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3600 set thread context of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
"C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe
"C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\98c78f4a9b3ee333efec27d29c33b073e0e55930d31257eabbfe9bbbf4775511.exe'
Network
| Country | Destination | Domain | Proto |
| NL | 8.238.24.126:80 | tcp | |
| NL | 8.238.24.126:80 | tcp | |
| US | 8.247.211.254:80 | tcp | |
| US | 8.247.211.254:80 | tcp |
Files
memory/1704-130-0x0000000000000000-mapping.dmp
memory/1980-131-0x0000000000000000-mapping.dmp
memory/2040-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml
| MD5 | c673ecc050b1038f727be09aa61cb4b1 |
| SHA1 | d2960b6d62810ce8745f6353d6924ae79af01e7e |
| SHA256 | 8f2648a15094c455e21cab1ba01133d9d9d17caaab1bb2ee782da160898880e4 |
| SHA512 | d6b75c8068c3d9208585413f7a799f69b05e141446d09925f9aae34ac65c0745f37196ec3aeb369e2c8dea6ddfcc55c07fe8f227a06d79dfa408f3d2315c29e6 |
memory/1980-134-0x0000000005B30000-0x0000000005BC2000-memory.dmp
memory/1980-135-0x00000000063E0000-0x0000000006984000-memory.dmp
memory/1980-136-0x0000000005F00000-0x0000000005F66000-memory.dmp
memory/4700-137-0x0000000000000000-mapping.dmp
memory/4700-138-0x0000000002C20000-0x0000000002C56000-memory.dmp
memory/4700-139-0x0000000005670000-0x0000000005C98000-memory.dmp
memory/4700-140-0x0000000005CD0000-0x0000000005CF2000-memory.dmp
memory/4700-141-0x0000000005E70000-0x0000000005ED6000-memory.dmp
memory/4700-142-0x00000000064D0000-0x00000000064EE000-memory.dmp
memory/4700-143-0x0000000002C95000-0x0000000002C97000-memory.dmp
memory/4700-144-0x0000000007BC0000-0x000000000823A000-memory.dmp
memory/4700-145-0x0000000006A50000-0x0000000006A6A000-memory.dmp
memory/4700-147-0x0000000006B20000-0x0000000006B42000-memory.dmp
memory/4700-146-0x00000000077E0000-0x0000000007876000-memory.dmp