Analysis Overview
SHA256
63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2
Threat Level: Known bad
The file 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2 was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Enumerates physical storage devices
outlook_office_path
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
outlook_win_path
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-26 16:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-26 16:54
Reported
2022-03-28 04:29
Platform
win7-20220311-en
Max time kernel
4294181s
Max time network
154s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe
"C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe'
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8749.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp8749.tmp.bat
| MD5 | bc060de594b60e3694d589dbbaba5ce1 |
| SHA1 | 45a3cb668e1e72c07ad0542500f794d91f2854a0 |
| SHA256 | 04455e07d89d1e9827a40d288b90147d641dffae565022f3434d5f2f71fcd203 |
| SHA512 | dcb786cdc431a402d827c118418efb63f2719a73022602c8a6603f89fe12ced67776e78e82576acf59bc8a889c62c498b50fe6e4e3a8e736249939aa97acc1f3 |
\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
| MD5 | 4bf2b285e0392f1be1e357503cead553 |
| SHA1 | 0c3e961e3cb3ab244211a82a24c3d4a6d5713e1b |
| SHA256 | 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2 |
| SHA512 | 4547de80c187a3355a533d84dfabd0ca205fb73c915f2a0913ff3d2e644debefced5ed6c001ba3b7711c76a58bf9bd2707ca62d51c1cbd41dbe6333360f1c8c1 |
C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
| MD5 | 4bf2b285e0392f1be1e357503cead553 |
| SHA1 | 0c3e961e3cb3ab244211a82a24c3d4a6d5713e1b |
| SHA256 | 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2 |
| SHA512 | 4547de80c187a3355a533d84dfabd0ca205fb73c915f2a0913ff3d2e644debefced5ed6c001ba3b7711c76a58bf9bd2707ca62d51c1cbd41dbe6333360f1c8c1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 9fff146fd42b655737f7f42eb5873b28 |
| SHA1 | 75621a484f64a237b3246558cc5ad0efc320ee46 |
| SHA256 | 7bf68ae2ccf795bd6ea3dcd25cf7f610e702b3cc1005a443251e198d27893d84 |
| SHA512 | f3a96f9845b832c2f624009ae57f07a8bdd002f6fe49aeb82f7a73f625ce140d67d8bb92509f8d0857636624fb26604a10d39843f5caa149ee1c37f938b3db42 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-26 16:54
Reported
2022-03-28 04:30
Platform
win10v2004-en-20220113
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe
"C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe'
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC7C2.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"'
C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe'
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
| NL | 104.110.191.140:80 | N/A | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
| US | 104.208.16.90:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpC7C2.tmp.bat
| MD5 | f88ad9870be1dd67ffad820daa81088d |
| SHA1 | 909816936d9c19b481d9adaff26294f699969e11 |
| SHA256 | de8c3af9c2e24e598937672ab8125e2848762964c248740b536fecd603ba4a66 |
| SHA512 | e91159cba46ac5a787fced3609ef7c5ee03c228e954f3270e3c2b58ca20af0e80c554b6795b3eeaf69744cacbb0d09402aa5a1459081a877a9577d0fe981473e |
C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
| MD5 | 4bf2b285e0392f1be1e357503cead553 |
| SHA1 | 0c3e961e3cb3ab244211a82a24c3d4a6d5713e1b |
| SHA256 | 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2 |
| SHA512 | 4547de80c187a3355a533d84dfabd0ca205fb73c915f2a0913ff3d2e644debefced5ed6c001ba3b7711c76a58bf9bd2707ca62d51c1cbd41dbe6333360f1c8c1 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6cb00dfdc232993fd6de2662f82b62c2 |
| SHA1 | 105bae854b351a3e1cb2f496e755a9d7e50fb406 |
| SHA256 | 433778ebe953b35c28ea23860891e19cfaa41fdfdf82380b5b9d51688a07de94 |
| SHA512 | e0b897b67a24d35af2b44174ee7e9bdedaa2f6bd094daf5e15927e6492608d5c2806c41ad12a68f653cf073c695d96cc40cc5cacf24ac7b5d3adda61bae441c9 |