Malware Analysis Report

2025-01-18 04:57

Sample ID 220326-nnn79agffl
Target 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2
SHA256 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2
Tags
masslogger collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2

Threat Level: Known bad

The file 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2 was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger

MassLogger Main Payload

Reads user/profile data of web browsers

Checks computer location settings

Deletes itself

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious use of SetWindowsHookEx

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-26 11:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-26 11:32

Reported

2022-03-27 16:52

Platform

win7-20220311-en

Max time kernel

4294180s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
PID 1180 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
PID 1180 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
PID 1180 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
PID 1180 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
PID 784 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1340 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
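
The "Accesses Microsoft Outlook profiles" table and the outlook_office_path / outlook_win_path hits above record one behaviour: the sample walks Office\15.0 through Office\20.0 plus the legacy Windows Messaging Subsystem store, looking for the 9375CFF0413111d3B88A00104B2A6676 profile subkey under which Outlook keeps per-account settings and stored credentials. Only 15.0 (Office 2013) and 16.0 (Office 2016/2019/365) exist as Outlook profile hives; 17.0 to 20.0 are guessed, and that enumeration of nonexistent versions is itself a usable signature of generic profile harvesting. The parser below is an added example, not part of this report or of the sandbox, that reads rows in the report's flattened "Description Indicator Process Target" layout, strips the user SID, and emits the registry paths in the HKU\... form Sysmon Event 12/13 reports, for hunting. The sample rows are copied from the tables above with the process path shortened to sample.exe.

```python
import re
from collections import Counter

# Constructed sample: eight rows copied from the Outlook profile tables in this
# report, process path shortened to sample.exe. Added example, not sandbox output.
SAMPLE_ROWS = r"""
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
"""

# MAPI account subkey: Outlook stores per-account settings and saved credentials under it.
ACCOUNT_SUBKEY = "9375CFF0413111d3B88A00104B2A6676"
HEAD_RE = re.compile(r"^Key (queried|created|opened) (\\REGISTRY\\.+)$")
OFFICE_RE = re.compile(r"\\Software\\Microsoft\\Office\\(\d+\.\d)\\Outlook\\Profiles\\", re.I)
# Profile store used by Outlook 2010 and earlier.
LEGACY_RE = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I)
SID_RE = re.compile(r"\\USER\\S-1-5-21-\d+-\d+-\d+-\d+")
# Office\<ver>\Outlook\Profiles exists only for these; higher numbers are guessed by the stealer.
KNOWN_OFFICE = {"15.0": "Office 2013", "16.0": "Office 2016/2019/365"}


def parse_row(line):
    """Split one flattened 'Description Indicator Process Target' row.
    The key path may contain spaces ('Windows NT'); the process path and the
    target do not, so split from the right."""
    parts = line.strip().rsplit(None, 2)
    if len(parts) != 3:
        return None
    head, process, target = parts
    m = HEAD_RE.match(head)
    if not m:
        return None
    op, key = m.groups()
    return {"op": op, "key": key, "process": process, "target": target}


def classify(key):
    """Return (office version or 'legacy', touches_account_subkey); (None, False) if unrelated."""
    m = OFFICE_RE.search(key)
    if m:
        version = m.group(1)
    elif LEGACY_RE.search(key):
        version = "legacy"
    else:
        return None, False
    return version, key.upper().endswith("\\" + ACCOUNT_SUBKEY.upper())


def to_sysmon(key):
    """Rewrite a native \\REGISTRY\\USER\\<sid>\\... path the way Sysmon Event 12/13 shows it."""
    key = SID_RE.sub(lambda _: r"\USER\<SID>", key)
    return re.sub(r"^\\REGISTRY\\USER\\", lambda _: "HKU\\", key)


def summarize(text):
    rows = [r for r in (parse_row(l) for l in text.splitlines()) if r]
    versions, ops, subkey_hits, hunt_keys = set(), Counter(), 0, set()
    for r in rows:
        version, is_account = classify(r["key"])
        if version is None:
            continue
        versions.add(version)
        ops[r["op"]] += 1
        if is_account:
            subkey_hits += 1
            hunt_keys.add(to_sysmon(r["key"]))
    office_versions = sorted(v for v in versions if v != "legacy")
    return {
        "rows": len(rows),
        "office_versions": office_versions,
        "nonexistent_versions": [v for v in office_versions if v not in KNOWN_OFFICE],
        "legacy_store": "legacy" in versions,
        "account_subkey_hits": subkey_hits,
        "ops": dict(ops),
        "hunt_keys": sorted(hunt_keys),  # TargetObject values to search for in Sysmon registry events
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_ROWS).items():
        print(k, v)
```

The same hunt_keys list, with the SID placeholder, drops straight into a registry-event search; a process touching the account subkey under a version that is not 15.0 or 16.0 has no legitimate reason to do so.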

Processes

C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe

"C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"

C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe

"C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp
US 8.8.8.8:53 mail.ch00zen1.website udp
NL 216.58.208.98:443 N/A tcp
NL 216.58.208.98:443 N/A tcp
NL 142.250.179.163:80 N/A tcp
NL 142.250.179.163:80 N/A tcp
NL 172.217.168.193:443 N/A tcp
NL 172.217.168.193:443 N/A tcp
NL 142.250.179.132:443 N/A tcp
NL 142.250.179.132:443 N/A tcp

Files

memory/1180-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

memory/784-55-0x0000000000000000-mapping.dmp

memory/1340-56-0x000000000040188B-mapping.dmp

memory/1948-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml

MD5 de0568b191c83304806f799becda4ebb
SHA1 fa173d7dbcfbff032aed5c0c78f2e77758acfbac
SHA256 5a76e8ae2a68014deae6999886f074625e6397692d1578697c76e47a2ba2f442
SHA512 1190c6ec33d231d18f52cad4e5ed234f8670fad22acb05292c5cd9dc9a96d3f7cbc6d6dbdca8bf18f9852aff3b0c1a04721f82d7f43133ae66f8c8680f80eb5d

memory/1340-60-0x0000000000710000-0x000000000079C000-memory.dmp

memory/1724-61-0x0000000000000000-mapping.dmp

memory/1340-63-0x0000000005010000-0x000000000504E000-memory.dmp

memory/1340-64-0x0000000006490000-0x0000000006520000-memory.dmp

memory/1340-65-0x0000000000FD9000-0x0000000000FEA000-memory.dmp

memory/1724-66-0x000000006F610000-0x000000006FBBB000-memory.dmp

memory/1724-67-0x00000000023E0000-0x000000000302A000-memory.dmp

memory/864-68-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 3bb07001b62f6ad492cbc71abac3736c
SHA1 9790625d2fad12c074bb23e3dd63040fbafe6f0d
SHA256 c72a068c8551b235f0fe4cd51955c2a3c1c4d6c3e8d99a29b44a28ce88130ecc
SHA512 5a079dfe37d7accc9f3d460ee54d3d1adaa57fc76137db8ff6b798ea740eee47d2b147dce1b0f6445204be1b022fd2e7e2c8136e421c2500980cbe4172788a40

memory/864-71-0x000000006F610000-0x000000006FBBB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-26 11:32

Reported

2022-03-27 16:53

Platform

win10v2004-en-20220113

Max time kernel

132s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"

Signatures

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1092 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
PID 1092 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
PID 1092 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
PID 1092 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
PID 1476 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1476 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1476 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2172 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2172 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2172 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe

"C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"

C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe

"C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe'
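
In both runs the process tree is the same chain: the sample spawns cmd.exe to import a scheduled task from an XML file in Temp, launches a second copy of itself (the WriteProcessMemory rows from PID 1180 to 1340 and from 1092 to 2172, together with the SetThreadContext and MapViewOfSection signatures, are the usual self-hollowing pattern), and the second copy runs PowerShell to add a Defender exclusion for its own path (behavioral1 only) and to delete the original file after two seconds. The script below is an added example, not part of this report, that runs four process-creation rules over constructed records modelled on the behavioral1 tree; PIDs and command lines are the reported ones, while the parent of PID 1180 and the two benign control rows are assumptions for the example.

```python
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"

# Constructed process-creation records modelled on the behavioral1 tree. PIDs and
# command lines are the reported ones; the parent PID 1000 and the two benign
# control rows at the end are assumptions for the example.
EVENTS = [
    {"pid": 1180, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 784, "ppid": 1180, "image": CMD, "cmdline": f'cmd /c schtasks /Create /TN name /XML "{TASK_XML}"'},
    {"pid": 1340, "ppid": 1180, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1948, "ppid": 784, "image": SCHTASKS, "cmdline": f'schtasks /Create /TN name /XML "{TASK_XML}"'},
    {"pid": 1724, "ppid": 1340, "image": PS, "cmdline": f"\"powershell\" Add-MpPreference -ExclusionPath '{SAMPLE}'"},
    {"pid": 864, "ppid": 1340, "image": PS, "cmdline": f"\"powershell\" Start-Sleep -Seconds 2; Remove-Item -path '{SAMPLE}'"},
    {"pid": 3000, "ppid": 1000, "image": SCHTASKS, "cmdline": r'schtasks /Create /TN Backup /XML "C:\ProgramData\Backup\task.xml"'},
    {"pid": 3001, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
TASK_XML_RE = re.compile(r'/create\b.*?/xml\s+"?([^"]+?\.xml)"?', re.I)
EXCLUSION_RE = re.compile(r"""Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['"]?([^'"]+)""", re.I)
REMOVE_ITEM_RE = re.compile(r"""Remove-Item\s+(?:-path\s+)?['"]([^'"]+)['"]""", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev, index):
    """Walk ppid links upward; stop at an unknown parent or a PID loop."""
    seen, cur = set(), index.get(ev["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = index.get(cur["ppid"])


def rule_task_from_temp(ev, index):
    """schtasks /Create /XML with the XML in a Temp directory, under a Temp-resident ancestor."""
    if image_name(ev["image"]) != "schtasks.exe":
        return None
    m = TASK_XML_RE.search(ev["cmdline"])
    if not m or not TEMP_RE.search(m.group(1)):
        return None
    if not any(TEMP_RE.search(a["image"]) for a in ancestors(ev, index)):
        return None
    return f"scheduled task imported from XML in Temp: {m.group(1)}"


def rule_defender_exclusion(ev, index):
    if image_name(ev["image"]) not in POWERSHELL:
        return None
    m = EXCLUSION_RE.search(ev["cmdline"])
    return f"Defender Exclusion{m.group(1)} added for {m.group(2)}" if m else None


def rule_self_delete(ev, index):
    """PowerShell Remove-Item whose target is the parent's own image."""
    if image_name(ev["image"]) not in POWERSHELL:
        return None
    m = REMOVE_ITEM_RE.search(ev["cmdline"])
    parent = index.get(ev["ppid"])
    if not m or not parent or m.group(1).lower() != parent["image"].lower():
        return None
    return f"PID {parent['pid']} deletes its own image via PowerShell"


def rule_self_spawn(ev, index):
    """A process launching a copy of its own image; with WriteProcessMemory and
    SetThreadContext against that child it is the hollowing pattern in this report."""
    parent = index.get(ev["ppid"])
    if parent and parent["image"].lower() == ev["image"].lower():
        return f"PID {parent['pid']} launched a copy of its own image"
    return None


RULES = {
    "self_spawn": rule_self_spawn,
    "schtasks_xml_from_temp": rule_task_from_temp,
    "defender_exclusion": rule_defender_exclusion,
    "powershell_self_delete": rule_self_delete,
}


def detect(events):
    index = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev, index)
            if detail:
                findings.append((name, ev["pid"], detail))
    return findings


if __name__ == "__main__":
    for name, pid, detail in detect(EVENTS):
        print(f"{name:24} pid={pid:<5} {detail}")
```

The schtasks rule deliberately requires both the XML in Temp and a Temp-resident ancestor, so an administrator importing a task from ProgramData (the control row) does not fire it; the Remove-Item rule keys on the parent image rather than on a fixed path, so it survives renaming of the dropper.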

Network

Country Destination Domain Proto
NL 104.110.191.133:80 N/A tcp
NL 104.110.191.133:80 N/A tcp
IE 13.69.239.74:443 N/A tcp
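
The behavioral1 network table shows the stealer's typical sequence: a lookup of api.ipify.org and an HTTP connection to it (the external IP is embedded in the exfiltration report), then a lookup of mail.ch00zen1.website, the SMTP host the log is to be sent to. No TCP connection to that host is recorded, so mail delivery was not observed in that run; behavioral2 shows neither lookup. The added example below (not part of this report) correlates DNS and flow records per host: an external-IP-check lookup followed within a window by a mail-host lookup or an SMTP-port flow. Timestamps, hostnames, the 203.0.113.10 address and the starter list of IP-check domains are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed DNS and flow records modelled on the two network tables above.
# Timestamps (seconds into the run) and hostnames are assumptions.
RUN1 = [  # behavioral1 (win7): IP check, then a lookup of the mail host, no SMTP flow
    {"t": 0.0, "kind": "dns", "host": "SANDBOX-WIN7", "qname": "api.ipify.org", "dst": "8.8.8.8", "dport": 53},
    {"t": 0.4, "kind": "flow", "host": "SANDBOX-WIN7", "dst": "3.220.57.224", "dport": 80},
    {"t": 5.2, "kind": "dns", "host": "SANDBOX-WIN7", "qname": "mail.ch00zen1.website", "dst": "8.8.8.8", "dport": 53},
    {"t": 9.0, "kind": "flow", "host": "SANDBOX-WIN7", "dst": "216.58.208.98", "dport": 443},
]
RUN2 = [  # behavioral2 (win10): only the unlabelled HTTP/HTTPS flows
    {"t": 0.0, "kind": "flow", "host": "SANDBOX-WIN10", "dst": "104.110.191.133", "dport": 80},
    {"t": 1.0, "kind": "flow", "host": "SANDBOX-WIN10", "dst": "13.69.239.74", "dport": 443},
]
# Not in the report: the flow a completed SMTP submission would add to RUN1 (203.0.113.10 is a documentation address).
SMTP_FLOW = {"t": 6.0, "kind": "flow", "host": "SANDBOX-WIN7", "dst": "203.0.113.10", "dport": 587}

# Starter list of external-IP-check services; extend it from your own sandbox signatures.
IP_CHECK_DOMAINS = {"ipify.org", "checkip.dyndns.org", "ifconfig.me", "icanhazip.com", "ip-api.com", "ipinfo.io"}
MAIL_HOST_RE = re.compile(r"^(mail|smtp|mx\d*)\.", re.I)
SMTP_PORTS = {25, 465, 587}
WINDOW_SECONDS = 120.0


def is_ip_check(qname):
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IP_CHECK_DOMAINS)


def correlate(events, window=WINDOW_SECONDS):
    """Per host: an IP-check lookup followed within `window` seconds by a mail-host
    lookup or an SMTP-port flow. Returns one alert per qualifying IP-check lookup."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for ic in (e for e in evs if e["kind"] == "dns" and is_ip_check(e["qname"])):
            later = [e for e in evs if ic["t"] <= e["t"] <= ic["t"] + window]
            mail_dns = [e for e in later if e["kind"] == "dns" and MAIL_HOST_RE.match(e["qname"])]
            smtp = [e for e in later if e["kind"] == "flow" and e["dport"] in SMTP_PORTS]
            if not mail_dns and not smtp:
                continue  # a bare IP check is common in legitimate software; never alert on it alone
            stage = ("exfil attempted: SMTP flow seen" if smtp
                     else "exfil staged: mail host resolved, no SMTP flow observed")
            alerts.append({
                "host": host,
                "ip_check": ic["qname"],
                "mail_hosts": sorted({e["qname"] for e in mail_dns}),
                "smtp_flows": [(e["dst"], e["dport"]) for e in smtp],
                "stage": stage,
            })
    return alerts


if __name__ == "__main__":
    print("behavioral1:", correlate(RUN1))
    print("behavioral2:", correlate(RUN2))
    print("behavioral1 + SMTP:", correlate(RUN1 + [SMTP_FLOW]))
```

The two-stage output matters for triage: "staged" on the report's own data means the mailbox credentials in the sample were not exercised in the sandbox, so the mail host is still worth blocking but the run gives no evidence of what was sent.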

Files

memory/1476-130-0x0000000000000000-mapping.dmp

memory/2172-131-0x0000000000000000-mapping.dmp

memory/2400-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml

MD5 c673ecc050b1038f727be09aa61cb4b1
SHA1 d2960b6d62810ce8745f6353d6924ae79af01e7e
SHA256 8f2648a15094c455e21cab1ba01133d9d9d17caaab1bb2ee782da160898880e4
SHA512 d6b75c8068c3d9208585413f7a799f69b05e141446d09925f9aae34ac65c0745f37196ec3aeb369e2c8dea6ddfcc55c07fe8f227a06d79dfa408f3d2315c29e6

memory/2172-134-0x0000000005680000-0x0000000005712000-memory.dmp

memory/2172-135-0x0000000005F20000-0x00000000064C4000-memory.dmp

memory/2172-136-0x0000000005A50000-0x0000000005AB6000-memory.dmp

memory/2920-137-0x0000000000000000-mapping.dmp

memory/2920-138-0x00000000028E0000-0x0000000002916000-memory.dmp

memory/2920-139-0x0000000005320000-0x0000000005948000-memory.dmp

memory/2920-140-0x0000000005980000-0x00000000059A2000-memory.dmp

memory/2920-141-0x0000000005B20000-0x0000000005B86000-memory.dmp

memory/2920-142-0x0000000006210000-0x000000000622E000-memory.dmp

memory/2920-143-0x0000000002945000-0x0000000002947000-memory.dmp

memory/2920-144-0x0000000007A00000-0x000000000807A000-memory.dmp

memory/2920-145-0x0000000006600000-0x000000000661A000-memory.dmp

memory/2920-146-0x0000000007420000-0x00000000074B6000-memory.dmp

memory/2920-147-0x00000000073B0000-0x00000000073D2000-memory.dmp