Malware Analysis Report

2025-01-18 04:58

Sample ID 220330-c849esfaa9
Target c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4
SHA256 c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4
Tags
masslogger collection persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4

Threat Level: Known bad

The file c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4 was found to be: Known bad.

Malicious Activity Summary

masslogger collection persistence spyware stealer

MassLogger

MassLogger Main Payload

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-30 02:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-30 02:45

Reported

2022-04-01 09:39

Platform

win7-20220331-en

Max time kernel

143s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\msword = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\system32.exe" C:\Windows\SysWOW64\reg.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1744 set thread context of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1536 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1536 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1536 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2020 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe
PID 2020 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe
PID 2020 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe
PID 2020 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe
PID 1744 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1744 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1744 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1744 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1744 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1744 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1744 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1744 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1744 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1560 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1560 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe

"C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v msword /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v msword /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe"

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp

Files

memory/2020-54-0x0000000001000000-0x00000000010D0000-memory.dmp

memory/2020-55-0x00000000755F1000-0x00000000755F3000-memory.dmp

memory/2020-56-0x00000000002A0000-0x00000000002C6000-memory.dmp

\Users\Admin\AppData\Local\Temp\b6f96cbd-28d1-43bc-88f5-383eb90a6caf\e.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

memory/2020-58-0x0000000075210000-0x0000000075290000-memory.dmp

memory/1536-59-0x0000000000000000-mapping.dmp

memory/2036-60-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe

MD5 56e7aca17b3ac392edd902fbebdfcb5d
SHA1 3db34861004bbcdf8b387705ad00b5fcc0db328e
SHA256 c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4
SHA512 bbc6b950ec838e633f977e4c85f477ea0724dde32e33cb1b04e8f3821bdc6699c03139868a9e2f7e4a4343cf60c9179e90b7a3042533374d0eb9dadcdcd0792e

memory/1744-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe

MD5 56e7aca17b3ac392edd902fbebdfcb5d
SHA1 3db34861004bbcdf8b387705ad00b5fcc0db328e
SHA256 c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4
SHA512 bbc6b950ec838e633f977e4c85f477ea0724dde32e33cb1b04e8f3821bdc6699c03139868a9e2f7e4a4343cf60c9179e90b7a3042533374d0eb9dadcdcd0792e

memory/1744-65-0x00000000012A0000-0x0000000001370000-memory.dmp

memory/1744-67-0x0000000000470000-0x0000000000496000-memory.dmp

\Users\Admin\AppData\Local\Temp\b6f96cbd-28d1-43bc-88f5-383eb90a6caf\e.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

C:\Users\Admin\AppData\Local\Temp\b6f96cbd-28d1-43bc-88f5-383eb90a6caf\e.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

memory/1744-70-0x0000000075200000-0x0000000075280000-memory.dmp

memory/1744-71-0x00000000009D0000-0x00000000009DC000-memory.dmp

\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 6a673bfc3b67ae9782cb31af2f234c68
SHA1 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

memory/1560-73-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1560-74-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1560-76-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1560-77-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1560-78-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 6a673bfc3b67ae9782cb31af2f234c68
SHA1 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

memory/1560-79-0x0000000000481C4E-mapping.dmp

memory/1560-82-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1560-84-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1352-86-0x0000000000000000-mapping.dmp

memory/1560-88-0x00000000011B5000-0x00000000011C6000-memory.dmp

memory/1352-89-0x000000006F2D0000-0x000000006F87B000-memory.dmp

memory/1352-90-0x0000000002510000-0x000000000315A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-30 02:45

Reported

2022-04-01 09:39

Platform

win10v2004-20220331-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\system32.exe" C:\Windows\SysWOW64\reg.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4112 set thread context of 1432 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4644 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 4336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3840 wrote to memory of 4336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3840 wrote to memory of 4336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4644 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe
PID 4644 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe
PID 4644 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe
PID 4112 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4112 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4112 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4112 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4112 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4112 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4112 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4112 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1432 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe

"C:\Users\Admin\AppData\Local\Temp\c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v msword /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v msword /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe"

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe'

Network

Country Destination Domain Proto
US 52.109.8.21:443 tcp
US 20.189.173.15:443 tcp
SE 95.140.228.1:80 tcp
SE 95.140.228.1:80 tcp
SE 95.140.228.1:80 tcp
US 13.107.21.200:443 tcp
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
FI 62.115.252.81:80 tcp
FI 62.115.252.81:80 tcp

Files

memory/4644-124-0x00000000005D0000-0x00000000006A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b6f96cbd-28d1-43bc-88f5-383eb90a6caf\e.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

memory/4644-126-0x0000000073A90000-0x0000000073B19000-memory.dmp

memory/4644-127-0x0000000005930000-0x0000000005ED4000-memory.dmp

memory/4644-128-0x0000000005420000-0x00000000054B2000-memory.dmp

memory/3840-129-0x0000000000000000-mapping.dmp

memory/4336-130-0x0000000000000000-mapping.dmp

memory/4112-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\system32.exe

MD5 56e7aca17b3ac392edd902fbebdfcb5d
SHA1 3db34861004bbcdf8b387705ad00b5fcc0db328e
SHA256 c25a07e2624f849e3b1db404fced1d44e2b597ea7967f4c422d4b97e5564f9e4
SHA512 bbc6b950ec838e633f977e4c85f477ea0724dde32e33cb1b04e8f3821bdc6699c03139868a9e2f7e4a4343cf60c9179e90b7a3042533374d0eb9dadcdcd0792e

memory/4112-136-0x0000000073A90000-0x0000000073B19000-memory.dmp

memory/1432-137-0x0000000000000000-mapping.dmp

memory/1432-141-0x0000000000830000-0x00000000008B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 9827ff3cdf4b83f9c86354606736ca9c
SHA1 e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
SHA256 c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
SHA512 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579
