Malware Analysis Report

2025-01-18 04:58

Sample ID 220326-verqcabeem
Target 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2
SHA256 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2
Tags
masslogger collection spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2

Threat Level: Known bad

The file 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2 was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger Main Payload

MassLogger

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Enumerates physical storage devices

outlook_office_path

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

outlook_win_path

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-03-26 16:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-26 16:54

Reported

2022-03-28 04:29

Platform

win7-20220311-en

Max time kernel

4294181s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1648 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1648 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1648 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1648 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1996 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1996 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1996 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1760 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1760 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1760 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1760 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 1760 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 1760 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 1760 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 1060 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe

"C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8749.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp

Files

memory/1648-54-0x0000000000A30000-0x0000000000A9A000-memory.dmp

memory/1648-55-0x0000000004C70000-0x0000000004CD8000-memory.dmp

memory/1648-56-0x0000000007FB0000-0x0000000008036000-memory.dmp

memory/1936-57-0x0000000000000000-mapping.dmp

memory/1936-58-0x00000000752C1000-0x00000000752C3000-memory.dmp

memory/1996-59-0x0000000000000000-mapping.dmp

memory/1760-60-0x0000000000000000-mapping.dmp

memory/1648-61-0x0000000004D45000-0x0000000004D56000-memory.dmp

memory/1552-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8749.tmp.bat

MD5 bc060de594b60e3694d589dbbaba5ce1
SHA1 45a3cb668e1e72c07ad0542500f794d91f2854a0
SHA256 04455e07d89d1e9827a40d288b90147d641dffae565022f3434d5f2f71fcd203
SHA512 dcb786cdc431a402d827c118418efb63f2719a73022602c8a6603f89fe12ced67776e78e82576acf59bc8a889c62c498b50fe6e4e3a8e736249939aa97acc1f3

memory/1480-64-0x0000000000000000-mapping.dmp

memory/1936-65-0x0000000074700000-0x0000000074CAB000-memory.dmp

memory/1936-66-0x00000000023C0000-0x000000000300A000-memory.dmp

\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

MD5 4bf2b285e0392f1be1e357503cead553
SHA1 0c3e961e3cb3ab244211a82a24c3d4a6d5713e1b
SHA256 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2
SHA512 4547de80c187a3355a533d84dfabd0ca205fb73c915f2a0913ff3d2e644debefced5ed6c001ba3b7711c76a58bf9bd2707ca62d51c1cbd41dbe6333360f1c8c1

C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

MD5 4bf2b285e0392f1be1e357503cead553
SHA1 0c3e961e3cb3ab244211a82a24c3d4a6d5713e1b
SHA256 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2
SHA512 4547de80c187a3355a533d84dfabd0ca205fb73c915f2a0913ff3d2e644debefced5ed6c001ba3b7711c76a58bf9bd2707ca62d51c1cbd41dbe6333360f1c8c1

memory/1060-69-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

MD5 4bf2b285e0392f1be1e357503cead553
SHA1 0c3e961e3cb3ab244211a82a24c3d4a6d5713e1b
SHA256 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2
SHA512 4547de80c187a3355a533d84dfabd0ca205fb73c915f2a0913ff3d2e644debefced5ed6c001ba3b7711c76a58bf9bd2707ca62d51c1cbd41dbe6333360f1c8c1

memory/1060-71-0x0000000001190000-0x00000000011FA000-memory.dmp

memory/1112-72-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 9fff146fd42b655737f7f42eb5873b28
SHA1 75621a484f64a237b3246558cc5ad0efc320ee46
SHA256 7bf68ae2ccf795bd6ea3dcd25cf7f610e702b3cc1005a443251e198d27893d84
SHA512 f3a96f9845b832c2f624009ae57f07a8bdd002f6fe49aeb82f7a73f625ce140d67d8bb92509f8d0857636624fb26604a10d39843f5caa149ee1c37f938b3db42

memory/1060-75-0x0000000004A25000-0x0000000004A36000-memory.dmp

memory/1112-76-0x000000006EC30000-0x000000006F1DB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-26 16:54

Reported

2022-03-28 04:30

Platform

win10v2004-en-20220113

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3980 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3980 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3980 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3980 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1968 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1968 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1988 wrote to memory of 1116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1988 wrote to memory of 1116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1988 wrote to memory of 1116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 1968 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 1968 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
PID 4516 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe N/A
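The registry rows above (the "Accesses Microsoft Outlook profiles" table and the two outlook_*_path signatures) show the dropped nslookup.exe walking the Outlook profile tree for Office versions 16.0 through 20.0 and the legacy "Windows Messaging Subsystem" path, ending each probe at the 9375CFF0413111d3B88A00104B2A6676 account-manager subkey where stored account settings live. Only 16.0 matches a shipped Office build; sweeping versions that do not exist on the host is the tell of a generic credential harvester rather than a mail client. Note that the sandbox's "Key created" rows come from a create-or-open registry call, so they do not by themselves prove a new key was written. The following is an added example by the editor, not part of the sandbox report: it replays those rows, plus one constructed control row for a genuine OUTLOOK.EXE path, and reports any non-Outlook image that touches profile keys, scoring the version sweep.

```python
"""Flag processes that read Outlook profile keys the way the report's nslookup.exe does.

Added example, not part of the sandbox report. Rows are copied from the registry
tables above; the OUTLOOK.EXE control row is constructed for contrast.
"""
import re
from collections import defaultdict

HIVE = r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
STEALER = r"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"  # constructed control path
# MAPI account-manager subkey under a profile; stored account settings live here.
ACCOUNTS = "9375CFF0413111d3B88A00104B2A6676"


def office_profile_key(version, accounts=False):
    parts = [HIVE, "Software", "Microsoft", "Office", version, "Outlook", "Profiles", "Outlook"]
    if accounts:
        parts.append(ACCOUNTS)
    return "\\".join(parts)


WMS_KEY = "\\".join([HIVE, "SOFTWARE", "Microsoft", "Windows NT", "CurrentVersion",
                     "Windows Messaging Subsystem", "Profiles", "Outlook", ACCOUNTS])

# (operation, key, process) as listed in the report; "Key created" is the sandbox's
# name for a create-or-open call, so it does not prove a new key was written.
SAMPLE_EVENTS = [
    ("Key created", office_profile_key("18.0"), STEALER),
    ("Key opened", office_profile_key("19.0", accounts=True), STEALER),
    ("Key created", office_profile_key("19.0", accounts=True), STEALER),
    ("Key created", office_profile_key("19.0"), STEALER),
    ("Key created", office_profile_key("16.0", accounts=True), STEALER),
    ("Key created", office_profile_key("16.0"), STEALER),
    ("Key queried", office_profile_key("17.0", accounts=True), STEALER),
    ("Key opened", office_profile_key("18.0", accounts=True), STEALER),
    ("Key queried", office_profile_key("20.0", accounts=True), STEALER),
    ("Key queried", WMS_KEY, STEALER),
    ("Key opened", office_profile_key("16.0", accounts=True), OUTLOOK),  # constructed control row
]

OFFICE_RE = re.compile(r"\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Profiles\\", re.IGNORECASE)
WMS_RE = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.IGNORECASE)


def classify_key(key):
    """Return ('office', version), ('wms', None), or None for keys outside Outlook profiles."""
    m = OFFICE_RE.search(key)
    if m:
        return ("office", m.group(1))
    if WMS_RE.search(key):
        return ("wms", None)
    return None


def summarize(events):
    """Per process: Office versions probed, WMS-path use, and whether the account subkey was hit."""
    per = defaultdict(lambda: {"versions": set(), "wms": False, "accounts_subkey": False, "ops": 0})
    for _op, key, proc in events:
        kind = classify_key(key)
        if kind is None:
            continue
        s = per[proc]
        s["ops"] += 1
        if kind[0] == "office":
            s["versions"].add(kind[1])
        else:
            s["wms"] = True
        if key.upper().endswith(ACCOUNTS.upper()):
            s["accounts_subkey"] = True
    return dict(per)


def find_suspicious(events, trusted_images=(OUTLOOK,), sweep_threshold=3):
    """Report every untrusted image that touches profile keys; a sweep across several
    Office versions (including ones absent from the host) is the stealer tell.
    Trust is keyed on the full image path: a filename allow-list would be defeated by
    exactly the kind of renaming seen with nslookup.exe in this report."""
    trusted = {p.lower() for p in trusted_images}
    findings = []
    for proc, s in summarize(events).items():
        if proc.lower() in trusted:
            continue
        findings.append({
            "process": proc,
            "versions": sorted(s["versions"]),
            "version_sweep": len(s["versions"]) >= sweep_threshold,
            "wms": s["wms"],
            "accounts_subkey": s["accounts_subkey"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

The same two regexes map directly onto Sysmon Event ID 12/13 TargetObject values or an EDR registry-access feed; the trusted-image set should be filled from your own Office install paths and, ideally, checked against signer rather than path alone.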

Processes

C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe

"C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC7C2.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"'

C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe'
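Read together, the WriteProcessMemory table and the command lines above give the full installation chain: the sample (PID 3980) spawns PowerShell to add a Defender path exclusion for itself, one cmd.exe to register a logon task with the highest run level, and a second cmd.exe that runs a temp batch file (timeout 3, then launch the copy). The dropped C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe has the same SHA256 as the submitted sample, so it is a self-copy borrowing a Windows tool name; once running it adds a second exclusion for its own path. The following is an added example by the editor, not part of the sandbox report: it rebuilds the process tree from the (deduplicated) WriteProcessMemory rows, flags the renamed binary by path, and runs a few command-line rules over the listed commands. The system-tool name list is illustrative and the rule names are this example's own.

```python
"""Rebuild the process tree from the WriteProcessMemory table and triage the command lines.

Added example, not from the sandbox report. Rows and command lines are copied from the
report; the detection rules are the editor's, and the tool-name list is illustrative.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"

# (parent pid, child pid, parent image, child image). The report lists each pair three
# times (one row per memory write); one entry per pair is enough to rebuild the tree.
WPM_ROWS = [
    (3980, 4312, SAMPLE, PS),
    (3980, 1988, SAMPLE, CMD),
    (3980, 1968, SAMPLE, CMD),
    (1968, 3692, CMD, r"C:\Windows\SysWOW64\timeout.exe"),
    (1988, 1116, CMD, r"C:\Windows\SysWOW64\schtasks.exe"),
    (1968, 4516, CMD, DROPPED),
    (4516, 1848, DROPPED, PS),
]

# Command lines exactly as listed under "Processes" (the report does not tie them to pids).
COMMAND_LINES = [
    '"' + SAMPLE + '"',
    '"powershell" Add-MpPreference -ExclusionPath \'' + SAMPLE + "'",
    r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"' & exit''',
    r'''C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC7C2.tmp.bat""''',
    "timeout 3",
    r"""schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"'""",
    '"' + DROPPED + '"',
    '"powershell" Add-MpPreference -ExclusionPath \'' + DROPPED + "'",
]

USER_PATH_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"schtasks\s+/create\b.*?/tr\s+['\"]*([^'\"]+)", re.IGNORECASE)
# Illustrative names a stealer might borrow from System32; build the real list from a baseline.
SYSTEM_TOOL_NAMES = {"nslookup.exe", "svchost.exe", "conhost.exe", "dllhost.exe", "rundll32.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(rows):
    """children: parent pid -> ordered child pids (deduplicated); images: pid -> image path."""
    children, images = {}, {}
    for ppid, pid, pimg, cimg in rows:
        images.setdefault(ppid, pimg)
        images.setdefault(pid, cimg)
        kids = children.setdefault(ppid, [])
        if pid not in kids:
            kids.append(pid)
    return children, images


def roots(children):
    all_children = {pid for kids in children.values() for pid in kids}
    return [p for p in children if p not in all_children]


def render_tree(children, images, pid, depth=0):
    """Indented 'pid image' lines, depth-first in the order the writes were observed."""
    lines = ["  " * depth + str(pid) + " " + basename(images[pid])]
    for kid in children.get(pid, []):
        lines.extend(render_tree(children, images, kid, depth + 1))
    return lines


def is_masquerading(image):
    """A System32 tool name running from outside C:\\Windows is a renamed copy, not the tool."""
    return basename(image).lower() in SYSTEM_TOOL_NAMES and not image.lower().startswith("c:\\windows\\")


def triage_command_line(cmd):
    tags = []
    low = cmd.lower()
    if re.search(r"add-mppreference\s+-exclusionpath", low):
        tags.append("defender-exclusion")
    m = SCHTASKS_RE.search(cmd)
    if m:
        tags.append("schtasks-create")
        if "/sc onlogon" in low:
            tags.append("onlogon")
        if "/rl highest" in low:
            tags.append("run-level-highest")
        if USER_PATH_RE.search(m.group(1)):  # task action points into a user-writable profile path
            tags.append("task-target-in-userprofile")
    if re.search(r"\btimeout\s+\d+", low):
        tags.append("timeout-delay")
    if re.search(r"\\appdata\\local\\temp\\[^\"']+\.bat", low):
        tags.append("temp-batch")
    return tags


def triage(rows, cmds):
    children, images = build_tree(rows)
    flagged = {}
    for c in cmds:
        tags = triage_command_line(c)
        if tags:
            flagged[c] = tags
    return {
        "tree": [line for r in roots(children) for line in render_tree(children, images, r)],
        "masquerading": sorted({img for img in images.values() if is_masquerading(img)}),
        "flagged": flagged,
    }


if __name__ == "__main__":
    result = triage(WPM_ROWS, COMMAND_LINES)
    print("\n".join(result["tree"]))
    print("renamed system tools:", result["masquerading"])
    for cmd, tags in result["flagged"].items():
        print(tags, cmd)
```

On a live host the two cleanup points this chain leaves behind can be checked with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` (any entry under a user profile is suspect) and `schtasks /query /fo LIST /v`, looking for a "Task To Run" under \AppData\; both of the report's exclusions and the nslookup.exe task would show up there.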

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
NL 104.110.191.140:80 tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
US 104.208.16.90:443 tcp

Files

memory/3980-130-0x0000000000400000-0x000000000046A000-memory.dmp

memory/3980-131-0x00000000052E0000-0x0000000005884000-memory.dmp

memory/3980-132-0x0000000004E10000-0x0000000004EA2000-memory.dmp

memory/3980-133-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

memory/3980-134-0x0000000008660000-0x00000000086C6000-memory.dmp

memory/4312-135-0x0000000000000000-mapping.dmp

memory/3980-136-0x0000000004D30000-0x00000000052D4000-memory.dmp

memory/3980-137-0x0000000008770000-0x000000000880C000-memory.dmp

memory/4312-138-0x00000000044A0000-0x00000000044D6000-memory.dmp

memory/4312-139-0x0000000004B90000-0x00000000051B8000-memory.dmp

memory/4312-140-0x00000000051F0000-0x0000000005212000-memory.dmp

memory/4312-141-0x0000000005390000-0x00000000053F6000-memory.dmp

memory/1988-142-0x0000000000000000-mapping.dmp

memory/1968-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC7C2.tmp.bat

MD5 f88ad9870be1dd67ffad820daa81088d
SHA1 909816936d9c19b481d9adaff26294f699969e11
SHA256 de8c3af9c2e24e598937672ab8125e2848762964c248740b536fecd603ba4a66
SHA512 e91159cba46ac5a787fced3609ef7c5ee03c228e954f3270e3c2b58ca20af0e80c554b6795b3eeaf69744cacbb0d09402aa5a1459081a877a9577d0fe981473e

memory/3692-145-0x0000000000000000-mapping.dmp

memory/1116-146-0x0000000000000000-mapping.dmp

memory/4312-147-0x0000000005A90000-0x0000000005AAE000-memory.dmp

memory/4516-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

MD5 4bf2b285e0392f1be1e357503cead553
SHA1 0c3e961e3cb3ab244211a82a24c3d4a6d5713e1b
SHA256 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2
SHA512 4547de80c187a3355a533d84dfabd0ca205fb73c915f2a0913ff3d2e644debefced5ed6c001ba3b7711c76a58bf9bd2707ca62d51c1cbd41dbe6333360f1c8c1

memory/4312-151-0x0000000006060000-0x0000000006092000-memory.dmp

memory/4312-152-0x0000000074CC0000-0x0000000074D0C000-memory.dmp

memory/4312-153-0x0000000006040000-0x000000000605E000-memory.dmp

memory/4312-154-0x0000000004555000-0x0000000004557000-memory.dmp

memory/4312-155-0x00000000073C0000-0x0000000007A3A000-memory.dmp

memory/4312-156-0x0000000006D80000-0x0000000006D9A000-memory.dmp

memory/4312-157-0x0000000006DF0000-0x0000000006DFA000-memory.dmp

memory/4312-158-0x0000000007000000-0x0000000007096000-memory.dmp

memory/4312-159-0x0000000006FB0000-0x0000000006FBE000-memory.dmp

memory/4312-160-0x00000000070C0000-0x00000000070DA000-memory.dmp

memory/4312-161-0x00000000070A0000-0x00000000070A8000-memory.dmp

memory/1848-162-0x0000000000000000-mapping.dmp

memory/4516-163-0x0000000008970000-0x00000000089C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6cb00dfdc232993fd6de2662f82b62c2
SHA1 105bae854b351a3e1cb2f496e755a9d7e50fb406
SHA256 433778ebe953b35c28ea23860891e19cfaa41fdfdf82380b5b9d51688a07de94
SHA512 e0b897b67a24d35af2b44174ee7e9bdedaa2f6bd094daf5e15927e6492608d5c2806c41ad12a68f653cf073c695d96cc40cc5cacf24ac7b5d3adda61bae441c9

memory/4516-166-0x0000000005130000-0x00000000056D4000-memory.dmp

memory/1848-167-0x00000000044E5000-0x00000000044E7000-memory.dmp

memory/1848-168-0x000000006EF90000-0x000000006EFDC000-memory.dmp