Analysis

max time kernel: 142s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 26-03-2022 14:01
Static task: static1

Behavioral task: behavioral1
Sample: 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
Resource: win7-20220311-en

Behavioral task: behavioral2
Sample: 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
Resource: win10v2004-en-20220113
General

Target: 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
Size: 1.1MB
MD5: 6830019535eeca9c9fb9a28349c71ab8
SHA1: d256790b9bf99acdc5fe3fe97dda339a7ff6e502
SHA256: 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9
SHA512: 037e965770681b5a89577b72d2ebbeac1bd6b84ca98576228676dd328bbaa80262544532355db101be29fb8a6ef88a632180323d68973057f282e94e8182589d
Malware Config
Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main Payload (1 IoC)
resource | yara_rule
behavioral2/memory/4708-139-0x0000000000400000-0x0000000000486000-memory.dmp | family_masslogger

Executes dropped EXE (2 IoCs)
pid | Process
4444 | src.exe
728 | src.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | src.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 42 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | src.exe
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | src.exe
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | src.exe
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | src.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
33 | api.ipify.org
39 | api.ipify.org

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1752 set thread context of 4708 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 90
PID 4444 set thread context of 728 | 4444 | src.exe | 100
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4588 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
3140 | timeout.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
728 | src.exe

Suspicious behavior: EnumeratesProcesses (36 IoCs)
pid | Process
1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
2620 | powershell.exe
2620 | powershell.exe
728 | src.exe
728 | src.exe
728 | src.exe
728 | src.exe
2068 | powershell.exe
2068 | powershell.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
Token: SeDebugPrivilege | 4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
Token: SeDebugPrivilege | 2620 | powershell.exe
Token: SeDebugPrivilege | 728 | src.exe
Token: SeDebugPrivilege | 2068 | powershell.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
728 | src.exe

Suspicious use of WriteProcessMemory (43 IoCs)
description | pid | Process | procid_target
PID 1752 wrote to memory of 4720 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 88
PID 1752 wrote to memory of 4720 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 88
PID 1752 wrote to memory of 4720 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 88
PID 1752 wrote to memory of 4736 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 89
PID 1752 wrote to memory of 4736 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 89
PID 1752 wrote to memory of 4736 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 89
PID 1752 wrote to memory of 4708 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 90
PID 1752 wrote to memory of 4708 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 90
PID 1752 wrote to memory of 4708 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 90
PID 1752 wrote to memory of 4708 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 90
PID 1752 wrote to memory of 4708 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 90
PID 1752 wrote to memory of 4708 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 90
PID 1752 wrote to memory of 4708 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 90
PID 1752 wrote to memory of 4708 | 1752 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 90
PID 4708 wrote to memory of 2620 | 4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 91
PID 4708 wrote to memory of 2620 | 4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 91
PID 4708 wrote to memory of 2620 | 4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 91
PID 4708 wrote to memory of 3016 | 4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 93
PID 4708 wrote to memory of 3016 | 4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 93
PID 4708 wrote to memory of 3016 | 4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 93
PID 4708 wrote to memory of 3040 | 4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 96
PID 4708 wrote to memory of 3040 | 4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 96
PID 4708 wrote to memory of 3040 | 4708 | 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe | 96
PID 3040 wrote to memory of 3140 | 3040 | cmd.exe | 97
PID 3040 wrote to memory of 3140 | 3040 | cmd.exe | 97
PID 3040 wrote to memory of 3140 | 3040 | cmd.exe | 97
PID 3016 wrote to memory of 4588 | 3016 | cmd.exe | 98
PID 3016 wrote to memory of 4588 | 3016 | cmd.exe | 98
PID 3016 wrote to memory of 4588 | 3016 | cmd.exe | 98
PID 3040 wrote to memory of 4444 | 3040 | cmd.exe | 99
PID 3040 wrote to memory of 4444 | 3040 | cmd.exe | 99
PID 3040 wrote to memory of 4444 | 3040 | cmd.exe | 99
PID 4444 wrote to memory of 728 | 4444 | src.exe | 100
PID 4444 wrote to memory of 728 | 4444 | src.exe | 100
PID 4444 wrote to memory of 728 | 4444 | src.exe | 100
PID 4444 wrote to memory of 728 | 4444 | src.exe | 100
PID 4444 wrote to memory of 728 | 4444 | src.exe | 100
PID 4444 wrote to memory of 728 | 4444 | src.exe | 100
PID 4444 wrote to memory of 728 | 4444 | src.exe | 100
PID 4444 wrote to memory of 728 | 4444 | src.exe | 100
PID 728 wrote to memory of 2068 | 728 | src.exe | 101
PID 728 wrote to memory of 2068 | 728 | src.exe | 101
PID 728 wrote to memory of 2068 | 728 | src.exe | 101
outlook_office_path (1 IoC)
description | ioc | Process
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | src.exe
Processes

C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"
    PID: 1752
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"
        PID: 4720

    C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"
        PID: 4736

    C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"
        PID: 4708
        - Checks computer location settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe'
            PID: 2620
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn src.exe /tr '"C:\Users\Admin\AppData\Local\Temp\sre\src.exe"' & exit
            PID: 3016
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /create /f /sc onlogon /rl highest /tn src.exe /tr '"C:\Users\Admin\AppData\Local\Temp\sre\src.exe"'
                PID: 4588
                - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6980.tmp.bat""
            PID: 3040
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\timeout.exe
                Command line: timeout 3
                PID: 3140
                - Delays execution with timeout.exe

            C:\Users\Admin\AppData\Local\Temp\sre\src.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\sre\src.exe"
                PID: 4444
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Local\Temp\sre\src.exe
                    Command line: "C:\Users\Admin\AppData\Local\Temp\sre\src.exe"
                    PID: 728
                    - Executes dropped EXE
                    - Checks computer location settings
                    - Accesses Microsoft Outlook profiles
                    - Suspicious behavior: AddClipboardFormatListener
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    - outlook_office_path
                    - outlook_win_path

                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Command line: "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sre\src.exe'
                        PID: 2068
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe.log
Filesize: 1KB
MD5: 17573558c4e714f606f997e5157afaac
SHA1: 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256: c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512: f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Filesize: 2KB
MD5: 3d086a433708053f9bf9523e1d87a4e8
SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Filesize: 1KB
MD5: 17573558c4e714f606f997e5157afaac
SHA1: 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256: c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512: f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Filesize: 18KB
MD5: d32cdaea3f61bc05ebb8e8a2bb4482f8
SHA1: 4c51cb7429e4edd073aa1148535b44eaa4a82b31
SHA256: eea8db918dafa24b6312b67fd38c321dfd7bc9dd70aa2a91012480e463e6abae
SHA512: 597f37391f25a97d6679743bb4574973095a713485cd80cb64b02d485d0f579cbf3bf756247b6d54ce3aa1712978827a148c09573a81e679d6da78dacbd21638

Filesize: 1.1MB
MD5: 6830019535eeca9c9fb9a28349c71ab8
SHA1: d256790b9bf99acdc5fe3fe97dda339a7ff6e502
SHA256: 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9
SHA512: 037e965770681b5a89577b72d2ebbeac1bd6b84ca98576228676dd328bbaa80262544532355db101be29fb8a6ef88a632180323d68973057f282e94e8182589d

Filesize: 1.1MB
MD5: 6830019535eeca9c9fb9a28349c71ab8
SHA1: d256790b9bf99acdc5fe3fe97dda339a7ff6e502
SHA256: 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9
SHA512: 037e965770681b5a89577b72d2ebbeac1bd6b84ca98576228676dd328bbaa80262544532355db101be29fb8a6ef88a632180323d68973057f282e94e8182589d

Filesize: 1.1MB
MD5: 6830019535eeca9c9fb9a28349c71ab8
SHA1: d256790b9bf99acdc5fe3fe97dda339a7ff6e502
SHA256: 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9
SHA512: 037e965770681b5a89577b72d2ebbeac1bd6b84ca98576228676dd328bbaa80262544532355db101be29fb8a6ef88a632180323d68973057f282e94e8182589d

Filesize: 154B
MD5: 38451202f50b7cf1d4678a9966f9d448
SHA1: b8a53b523393abd825a4231ed37d08cf38c32bbc
SHA256: d9124ded590b01abae8712e15ef4d54285f669bd2c67e400a3a2912be130ba2c
SHA512: ca588804845288fa6af398448bb135c3a1ee08d99ac5fdeb39e1321183cc12e49bbb3b4692acd16cc6a7ca43ef3e42fc7d33d0699d4a7ee317ba8dbb41a83eb8