Malware Analysis Report

2025-01-18 04:57

Sample ID 220326-lm4kfabbd3
Target ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b
SHA256 ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b
Tags
masslogger collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b

Threat Level: Known bad

The file ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger

MassLogger Main Payload

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-26 09:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-26 09:39

Reported

2022-03-27 08:35

Platform

win7-20220311-en

Max time kernel

4294179s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe
PID 1776 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe
PID 1776 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe
PID 1776 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe
PID 1776 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe
PID 756 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 756 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 756 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 756 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1656 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1656 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1656 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1656 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe

"C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"

C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe

"C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp
US 8.8.8.8:53 mail.turkaykalibrasyon.com udp
TR 95.173.177.131:587 mail.turkaykalibrasyon.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml

MD5 de0568b191c83304806f799becda4ebb
SHA1 fa173d7dbcfbff032aed5c0c78f2e77758acfbac
SHA256 5a76e8ae2a68014deae6999886f074625e6397692d1578697c76e47a2ba2f442
SHA512 1190c6ec33d231d18f52cad4e5ed234f8670fad22acb05292c5cd9dc9a96d3f7cbc6d6dbdca8bf18f9852aff3b0c1a04721f82d7f43133ae66f8c8680f80eb5d

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-26 09:39

Reported

2022-03-27 08:35

Platform

win10v2004-en-20220113

Max time kernel

132s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe"

Signatures

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1096 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe
PID 1096 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe
PID 1096 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe
PID 1096 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe
PID 1724 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1724 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1724 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1828 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe

"C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"

C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe

"C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\ca6dbe9ccf2dbcf8cfa6cb04dada5d7caaa594fbfa83e424dda4f88911b4af6b.exe'

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 20.189.173.6:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml

MD5 c673ecc050b1038f727be09aa61cb4b1
SHA1 d2960b6d62810ce8745f6353d6924ae79af01e7e
SHA256 8f2648a15094c455e21cab1ba01133d9d9d17caaab1bb2ee782da160898880e4
SHA512 d6b75c8068c3d9208585413f7a799f69b05e141446d09925f9aae34ac65c0745f37196ec3aeb369e2c8dea6ddfcc55c07fe8f227a06d79dfa408f3d2315c29e6
