Analysis Overview
SHA256
331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51
Threat Level: Known bad
The file 331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51 was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Enumerates physical storage devices
outlook_office_path
outlook_win_path
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-30 02:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-30 02:10
Reported
2022-04-01 08:37
Platform
win7-20220331-en
Max time kernel
98s
Max time network
162s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe
"C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe'
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD1E0.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe'
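The process tree above is the whole installation chain: the sample copies itself under %APPDATA%\mscasey using the name of a System32 binary (nslookup.exe), each stage adds its own path to the Defender exclusion list with Add-MpPreference, a scheduled task created with /sc onlogon /rl highest relaunches the copy at every logon with the highest run level the user can get, and a temporary batch file plus timeout 3 delays the hand-off to the dropped copy. The Python below is an added example, not part of this report or of the sandbox: it runs three rules over process-creation events of that shape (Defender exclusion added, scheduled task pointing into a user-writable directory, a System32 binary name running from somewhere else) and tags each hit with the ATT&CK technique. The events are constructed from the command lines above plus a benign nslookup control; field names follow Sysmon event ID 1, and SYSTEM_BINARIES and USER_WRITABLE are hand-maintained assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events modelled on the Processes section of this
# report. Field names follow Sysmon event ID 1; the sandbox does not emit Sysmon.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe"'},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"powershell" Add-MpPreference -ExclusionPath '
                    r"'C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe'"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe "
                    r"""/tr '"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"'"""},
    {"Image": r"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"'},
    # Benign control: the real nslookup running from System32.
    {"Image": r"C:\Windows\System32\nslookup.exe", "CommandLine": "nslookup example.com"},
]

# Directories a standard user can write to; persistence that points here is the
# pattern seen above. Hand-maintained assumption, not an exhaustive list.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

# Binaries that ship in System32; one of these names running from anywhere else
# is name masquerading (T1036.005). Hand-maintained assumption.
SYSTEM_BINARIES = {"nslookup.exe", "svchost.exe", "rundll32.exe", "conhost.exe", "cmd.exe", "schtasks.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def detect(event):
    """Return (technique, title, detail) tuples for one process-creation event."""
    image, cmd = event["Image"], event["CommandLine"]
    name, low = PureWindowsPath(image).name.lower(), cmd.lower()
    findings = []

    # Rule 1: Defender exclusion added from the command line (T1562.001).
    if "add-mppreference" in low and "-exclusionpath" in low:
        m = re.search(r"-exclusionpath\s+['\"]?([^'\"]+)", cmd, re.I)
        findings.append(("T1562.001", "Defender exclusion added", m.group(1) if m else cmd))

    # Rule 2: scheduled task whose action lives in a user-writable directory (T1053.005).
    if name == "schtasks.exe" and "/create" in low:
        tr = re.search(r"/tr\s+(.+?)(?:\s+/|$)", cmd, re.I)
        target = tr.group(1).strip("'\" ") if tr else ""
        if USER_WRITABLE.search(target):
            sc = re.search(r"/sc\s+(\w+)", cmd, re.I)
            detail = f"{sc.group(1).lower() if sc else '?'} task -> {target}"
            if re.search(r"/rl\s+highest", cmd, re.I):
                detail += " (run level highest)"
            findings.append(("T1053.005", "Scheduled task into user-writable path", detail))

    # Rule 3: a System32 binary name launched from outside System32/SysWOW64 (T1036.005).
    if name in SYSTEM_BINARIES and not image.lower().startswith(SYSTEM_DIRS):
        findings.append(("T1036.005", "System binary name outside System32", image))
    return findings


def scan(events):
    """Apply every rule to every event; findings come back in event order."""
    return [f for ev in events for f in detect(ev)]


if __name__ == "__main__":
    for technique, title, detail in scan(SAMPLE_EVENTS):
        print(f"{technique:10} {title}: {detail}")
```

None of the rules key on the hash, the mscasey directory or the task name, so the same code fires on the behavioral2 run and on rebuilt samples: any Add-MpPreference exclusion, any task whose action sits under AppData, Temp or ProgramData, and any System32 name started from elsewhere is reported.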
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.220.57.224:80 | api.ipify.org | tcp |
Files
memory/1740-54-0x00000000013E0000-0x00000000014B4000-memory.dmp
memory/1740-55-0x0000000000540000-0x00000000005A6000-memory.dmp
memory/1740-56-0x0000000006090000-0x0000000006116000-memory.dmp
memory/1856-57-0x0000000000000000-mapping.dmp
memory/1856-58-0x0000000075B01000-0x0000000075B03000-memory.dmp
memory/792-59-0x0000000000000000-mapping.dmp
memory/1260-60-0x0000000000000000-mapping.dmp
memory/1364-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD1E0.tmp.bat
| MD5 | 09671ede91bbecce2fbe8b1773f508ea |
| SHA1 | a661aec7c55dd9824bf6f6697a7dd0a9024c79f4 |
| SHA256 | 3c03d7e345dbe08eeedc1409c2c9612c03e2092ac2e4d88e0a8f8e0fcf166ecc |
| SHA512 | 97de6d157a301d656f95b1c516e31112691cadde20f240a581a5b9874a67af3931443a766d7013860946f009d86cc0d650d31b22c32c7cecd8ae092bf326fe8d |
memory/1740-63-0x0000000004EF5000-0x0000000004F06000-memory.dmp
memory/1896-64-0x0000000000000000-mapping.dmp
memory/1856-65-0x000000006F160000-0x000000006F70B000-memory.dmp
\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
| MD5 | a53df39071210ff353e46de71eb36dc6 |
| SHA1 | 3988e9828dffc4a2353bd8cfbabb161d0a896ac3 |
| SHA256 | 331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51 |
| SHA512 | c82f198639e26a7efa1e2d7a95d865a95bbc74f6df621f3944a07b511107cbec24616ffa763b525ea0eec466f51a42b2923d2f52a18e8d40412a6d46b76d680c |
C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
| MD5 | a53df39071210ff353e46de71eb36dc6 |
| SHA1 | 3988e9828dffc4a2353bd8cfbabb161d0a896ac3 |
| SHA256 | 331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51 |
| SHA512 | c82f198639e26a7efa1e2d7a95d865a95bbc74f6df621f3944a07b511107cbec24616ffa763b525ea0eec466f51a42b2923d2f52a18e8d40412a6d46b76d680c |
memory/1404-68-0x0000000000000000-mapping.dmp
memory/1404-70-0x00000000003D0000-0x00000000004A4000-memory.dmp
memory/1472-71-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 7fa5bce1d97448d218fc93b60ca6b60c |
| SHA1 | 5dad94ebffb228328669fb945b5e82eaaa979ec3 |
| SHA256 | 9a14e12c374bdd04f1930d174aa2f97605cd34e6f23ef135cf9cd202d6a6ba9e |
| SHA512 | ac43fe22d5274e9c9daf6fea3fb16c3f290f74aeb8a170338aa75296ff15a7e2a156d9dcb6c9ff06f29e5cd0a0058649798f4dddedf4cf7fbde108d676b26cf3 |
memory/1404-74-0x0000000004DF5000-0x0000000004E06000-memory.dmp
memory/1472-75-0x000000006ED20000-0x000000006F2CB000-memory.dmp
memory/1472-76-0x00000000025A0000-0x00000000031EA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-30 02:10
Reported
2022-04-01 08:37
Platform
win10v2004-20220331-en
Max time kernel
66s
Max time network
133s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe
"C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe'
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1CDE.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"'
C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe'
Network
| Country | Destination | Domain | Proto |
| FI | 62.115.252.112:80 | | tcp |
| US | 20.189.173.11:443 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
| SE | 178.79.212.129:80 | | tcp |
| SE | 178.79.212.129:80 | | tcp |
| SE | 178.79.212.129:80 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
Files
memory/4332-124-0x0000000000A50000-0x0000000000B24000-memory.dmp
memory/4332-125-0x0000000005B10000-0x00000000060B4000-memory.dmp
memory/4332-126-0x0000000005560000-0x00000000055F2000-memory.dmp
memory/4332-127-0x00000000054D0000-0x00000000054DA000-memory.dmp
memory/4332-128-0x0000000008DC0000-0x0000000008E26000-memory.dmp
memory/4780-129-0x0000000000000000-mapping.dmp
memory/4332-130-0x0000000008ED0000-0x0000000008F6C000-memory.dmp
memory/4780-131-0x0000000004E90000-0x0000000004EC6000-memory.dmp
memory/4780-132-0x0000000005500000-0x0000000005B28000-memory.dmp
memory/4780-133-0x0000000005CD0000-0x0000000005CF2000-memory.dmp
memory/3188-134-0x0000000000000000-mapping.dmp
memory/4856-136-0x0000000000000000-mapping.dmp
memory/4780-135-0x0000000005D70000-0x0000000005DD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1CDE.tmp.bat
| MD5 | 46f5ec22e554b087ec71f2b88eb03096 |
| SHA1 | 88dd07f136c6d4270f07d0675c75cacf4f3e281c |
| SHA256 | 5a56925aeda43b232d1629cc27d49f6b2a69c1f7ce4331233ef6cca89f1574aa |
| SHA512 | 5e9de1ad013ff898749d68d2a556ef9712f99737ed321cee120c9371eef4a5830efe4991e71d2c39fdf1c7f0d49c2b782e3e81ac1fed46ed61da5f2df9e2bc51 |
memory/4048-139-0x0000000000000000-mapping.dmp
memory/4332-138-0x0000000005560000-0x0000000005B04000-memory.dmp
memory/4076-140-0x0000000000000000-mapping.dmp
memory/4780-141-0x0000000006410000-0x000000000642E000-memory.dmp
memory/4780-142-0x0000000004E85000-0x0000000004E87000-memory.dmp
memory/4780-143-0x00000000075D0000-0x0000000007602000-memory.dmp
memory/4780-144-0x0000000074FA0000-0x0000000074FEC000-memory.dmp
memory/4780-145-0x00000000069D0000-0x00000000069EE000-memory.dmp
memory/4600-146-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
| MD5 | a53df39071210ff353e46de71eb36dc6 |
| SHA1 | 3988e9828dffc4a2353bd8cfbabb161d0a896ac3 |
| SHA256 | 331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51 |
| SHA512 | c82f198639e26a7efa1e2d7a95d865a95bbc74f6df621f3944a07b511107cbec24616ffa763b525ea0eec466f51a42b2923d2f52a18e8d40412a6d46b76d680c |
memory/4780-149-0x0000000007D50000-0x00000000083CA000-memory.dmp
memory/4780-150-0x0000000007710000-0x000000000772A000-memory.dmp
memory/4780-151-0x0000000007780000-0x000000000778A000-memory.dmp
memory/4780-152-0x00000000079B0000-0x0000000007A46000-memory.dmp
memory/4780-153-0x0000000007950000-0x000000000795E000-memory.dmp
memory/4780-154-0x0000000007A70000-0x0000000007A8A000-memory.dmp
memory/4780-155-0x00000000079A0000-0x00000000079A8000-memory.dmp
memory/4152-156-0x0000000000000000-mapping.dmp
memory/4600-157-0x00000000083E0000-0x0000000008430000-memory.dmp
memory/4600-158-0x0000000004A90000-0x0000000005034000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b23683240d23789d77e84064876c0f41 |
| SHA1 | 9a4df5d436c02fae455ed63b821d49f2c296d0af |
| SHA256 | 40021eda3181be20eb82ea9af4e4c4dc5413f56b0e9aa8c312626dd9e6043ee7 |
| SHA512 | d17c5820bf4fbf3146ce350541e7f5c2188deef36eabd8ed15bfb67af38936d2e9fa80aac19b7d14036b1f5a1994d4d70a4c6489d331b90a369fee338e5fd543 |
memory/4152-160-0x0000000004B65000-0x0000000004B67000-memory.dmp
memory/4152-161-0x000000006FF10000-0x000000006FF5C000-memory.dmp