Malware Analysis Report

2025-01-18 04:59

Sample ID 220330-jp2shsedfq
Target 10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1
SHA256 10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1
Tags
masslogger collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1

Threat Level: Known bad

The file 10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1 was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger Main Payload

MassLogger

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-30 07:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-30 07:51

Reported

2022-04-01 04:27

Platform

win7-20220311-en

Max time kernel

4294180s (not a real run length: 2^32 ms is 4294967 s, so this is a wrapped 32-bit millisecond tick counter; treat the kernel time for this run as unknown)

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
All 35 events below come from C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe (Target: N/A). For every branch the profile root is created and queried, and the account container 9375CFF0413111d3B88A00104B2A6676 beneath it is created, opened and queried.

Key created, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Key created, opened, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key created, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Key created, opened, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key created, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook
Key created, opened, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key created, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook
Key created, opened, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key created, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook
Key created, opened, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key created, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook
Key created, opened, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key created, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Key created, opened, queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Office 17.0 through 20.0 do not exist (Outlook 2013 is 15.0; Outlook 2016, 2019, 2021 and Microsoft 365 all report 16.0), and the Windows Messaging Subsystem branch is the legacy MAPI profile store used by Outlook 2010 and earlier. The sample is walking a hard-coded list of versions and opening each path with create semantics (the "Key created" rows, consistent with RegCreateKeyEx / Registry.CreateSubKey), so the pattern fires whether or not Outlook is installed. The 9375CFF0413111d3B88A00104B2A6676 container is where Outlook keeps per-account settings, including the DPAPI-protected password blobs, which is what the stealer is after.
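
The outlook_office_path / outlook_win_path rows above are a good candidate for a host-side detection. The Python below is an added example, not the sandbox's own rule code: it classifies registry events of the shape shown in the table, fires the two path signatures when the account container (9375CFF0413111d3B88A00104B2A6676) is touched under either branch, and escalates to a credential-sweep verdict when one process walks several Office versions, including versions that do not exist. The event list, the SID and the OUTLOOK.EXE path are constructed for the example; in production the same logic would run over Sysmon Event ID 12 (key create) events or an ETW registry trace, bearing in mind that Sysmon does not record reads.

```python
import re
from collections import defaultdict

# Registry branches a stealer walks for Outlook account data.  Outlook 2013+
# keeps profiles under Office\<ver>\Outlook\Profiles (15.0 = 2013, 16.0 =
# 2016/2019/2021/365); Outlook 2010 and earlier use the Windows Messaging
# Subsystem branch.  9375CFF0413111d3B88A00104B2A6676 is the fixed GUID of
# the per-profile account container (settings plus DPAPI-protected passwords).
OFFICE_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d)\\Outlook\\Profiles\\", re.I)
WMS_RE = re.compile(
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"Windows Messaging Subsystem\\Profiles\\", re.I)
ACCOUNT_GUID = "9375CFF0413111d3B88A00104B2A6676"
KNOWN_OFFICE_VERSIONS = {"15.0", "16.0"}   # no Outlook ships as 17.0-20.0


def analyse_outlook_registry(events):
    """events: iterable of (operation, registry key, process image).
    Returns {process: {hits, office_versions, nonexistent_versions, verdict}}."""
    per_proc = defaultdict(lambda: {"office_versions": set(),
                                    "nonexistent_versions": set(),
                                    "container_branches": set()})
    for _op, key, proc in events:
        office = OFFICE_RE.search(key)
        wms = WMS_RE.search(key)
        if not (office or wms):
            continue                          # not an Outlook profile key
        rec = per_proc[proc]
        if office:
            ver = office.group("ver")
            rec["office_versions"].add(ver)
            if ver not in KNOWN_OFFICE_VERSIONS:
                rec["nonexistent_versions"].add(ver)
        if ACCOUNT_GUID.lower() in key.lower():
            rec["container_branches"].add("office" if office else "wms")

    report = {}
    for proc, rec in per_proc.items():
        hits = set()
        if "office" in rec["container_branches"]:
            hits.add("outlook_office_path")   # same trigger as the rule above
        if "wms" in rec["container_branches"]:
            hits.add("outlook_win_path")
        # Outlook itself only opens its own version's branch; one process
        # touching several versions, or versions that do not exist, is
        # enumerating a hard-coded list the way this sample does.
        sweep = len(rec["office_versions"]) > 1 or bool(rec["nonexistent_versions"])
        if hits and sweep:
            verdict = "credential_sweep"
        elif hits:
            verdict = "outlook_profile_access"
        else:
            verdict = "profile_root_only"
        report[proc] = {"hits": hits,
                        "office_versions": sorted(rec["office_versions"]),
                        "nonexistent_versions": sorted(rec["nonexistent_versions"]),
                        "verdict": verdict}
    return report


# --- constructed sample events (operation, key, process) mirroring the rows above
SID = r"\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe")
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"  # assumed path


def office_key(ver, *sub):
    return "\\".join([SID + r"\Software\Microsoft\Office", ver,
                      "Outlook", "Profiles", "Outlook", *sub])


def wms_key(*sub):
    return "\\".join([SID + r"\Software\Microsoft\Windows NT\CurrentVersion"
                      r"\Windows Messaging Subsystem", "Profiles", "Outlook", *sub])


SWEPT = ("15.0", "16.0", "17.0", "18.0", "19.0", "20.0")
CONSTRUCTED_EVENTS = (
    [(op, office_key(v), SAMPLE) for v in SWEPT for op in ("created", "queried")]
    + [(op, office_key(v, ACCOUNT_GUID), SAMPLE)
       for v in SWEPT for op in ("created", "opened", "queried")]
    + [("created", wms_key(), SAMPLE), ("queried", wms_key(ACCOUNT_GUID), SAMPLE)]
    # a genuine Outlook 2016 reading only its own profile
    + [("opened", office_key("16.0", ACCOUNT_GUID), OUTLOOK),
       ("queried", office_key("16.0"), OUTLOOK)]
    # unrelated key touched by the same sample; must be ignored
    + [("queried", SID + r"\Control Panel\International\Geo\Nation", SAMPLE)]
)

if __name__ == "__main__":
    for proc, rec in analyse_outlook_registry(CONSTRUCTED_EVENTS).items():
        print(proc.rsplit("\\", 1)[-1], rec["verdict"], sorted(rec["hits"]),
              "nonexistent:", rec["nonexistent_versions"])
```

Run as a script it prints one line per process: the sample lands on credential_sweep with all four nonexistent versions listed, while the Outlook process, which only ever touches 16.0, stays at outlook_profile_access. The Geo\Nation event is dropped before it can count against anyone.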

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 1296 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2016 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe
PID 1296 wrote to memory of 776 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2016 wrote to memory of 1556 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Writes from a parent into a child it has just created are normal CreateProcess behaviour (1248 to 1296, 1296 to 776, 2016 to 1556). The row that matters is 1248 to 2016: the sample writing into a second instance of its own image, which together with the SetThreadContext and MapViewOfSection signatures and the mapping dump at 0x40188B inside the child (see Files) is consistent with process hollowing. The unpacked payload then runs as PID 2016, the process that goes on to spawn powershell.exe.

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe

"C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"

C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe

"C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe'

(Spawned by the injected second instance of the sample, PID 2016. This adds the dropped executable's own path to the Microsoft Defender exclusion list, a defence-evasion step the signature list above does not name separately. Add-MpPreference needs local administrator rights, which the sandbox user has; on a real host, Get-MpPreference | Select-Object -ExpandProperty ExclusionPath shows whether the exclusion took.)
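
The WriteProcessMemory rows and the process list together describe the whole execution chain, and that chain, not any single API call, is what a detection should key on. The Python below is an added example, not the sandbox's code: it collapses the repeated write events into creator-to-child edges, rebuilds each process's lineage, and flags the four behaviours visible in this report: a parent writing into a second copy of its own image, schtasks /Create driven by an XML in %TEMP%, a Defender exclusion added through PowerShell, and (from behavioral2 below) PowerShell deleting an ancestor's executable. The PIDs, images and command lines are transcribed from this report; the pid-to-(image, command line) layout is constructed for the example and is not the sandbox's export format.

```python
import re
from collections import Counter

# Constructed from the behavioral1/behavioral2 rows of this report (the data
# layout is for the example; the sandbox's real export format differs).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe")
XML = r"C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

RUN1_PROCS = {  # pid -> (image, command line)
    1248: (SAMPLE, f'"{SAMPLE}"'),
    1296: (CMD, f'cmd /c schtasks /Create /TN name /XML "{XML}"'),
    2016: (SAMPLE, f'"{SAMPLE}"'),
    776: (SCHTASKS, f'schtasks /Create /TN name /XML "{XML}"'),
    1556: (PS, f"\"powershell\" Add-MpPreference -ExclusionPath '{SAMPLE}'"),
}
RUN1_WRITES = ([(1248, 1296)] * 4 + [(1248, 2016)] * 5
               + [(1296, 776)] * 4 + [(2016, 1556)] * 4)

RUN2_PROCS = {
    1700: (SAMPLE, f'"{SAMPLE}"'),
    3960: (CMD, f'cmd /c schtasks /Create /TN name /XML "{XML}"'),
    328: (SAMPLE, f'"{SAMPLE}"'),
    3956: (SCHTASKS, f'schtasks /Create /TN name /XML "{XML}"'),
    5084: (PS, f"\"powershell\" Start-Sleep -Seconds 2; Remove-Item -path '{SAMPLE}'"),
}
RUN2_WRITES = ([(1700, 3960)] * 3 + [(1700, 328)] * 4
               + [(3960, 3956)] * 3 + [(328, 5084)] * 3)

XML_ARG_RE = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def creator_map(edges):
    """First writer into a pid is taken as its creator: for a CreateProcess
    child the parent's loader writes are the earliest events recorded."""
    parents = {}
    for writer, target in edges:
        parents.setdefault(target, writer)
    return parents


def lineage(pid, parents):
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]                        # root first


def analyse_run(procs, writes):
    edges = Counter(writes)                   # (writer, target) -> event count
    parents = creator_map(edges)
    findings = []

    def add(technique, target, **extra):
        findings.append({"technique": technique,
                         "chain": " -> ".join(map(str, lineage(target, parents))),
                         **extra})

    for (writer, target), n in edges.items():
        w_img = procs[writer][0]
        t_img, t_cmd = procs[target]
        low = t_cmd.lower()
        # Writing into a fresh copy of its own image, rather than into some
        # other program, is what hollowing/RunPE looks like from outside;
        # confirm with the SetThreadContext / MapViewOfSection signatures
        # and a mapping dump located inside the child's image.
        if w_img.lower() == t_img.lower():
            add("self_injection", target, write_events=n)
        if basename(t_img) == "schtasks.exe" and "/create" in low:
            m = XML_ARG_RE.search(t_cmd)
            xml_path = (m.group(1) or m.group(2)) if m else None
            if xml_path and TEMP_RE.search(xml_path):
                add("temp_xml_scheduled_task", target, artifact=xml_path)
        if basename(t_img) == "powershell.exe":
            if "add-mppreference" in low and "-exclusionpath" in low:
                add("defender_exclusion", target, artifact=t_cmd)
            # Remove-Item aimed at an ancestor's own executable = self-delete
            if "remove-item" in low and any(
                    procs[p][0].lower() in low for p in lineage(target, parents)[:-1]):
                add("self_delete", target, artifact=t_cmd)
    return findings


if __name__ == "__main__":
    for name, procs, writes in (("behavioral1", RUN1_PROCS, RUN1_WRITES),
                                ("behavioral2", RUN2_PROCS, RUN2_WRITES)):
        for f in analyse_run(procs, writes):
            print(name, f["technique"], f["chain"])
```

Each finding carries the full lineage (for example 1248 -> 2016 -> 1556 for the Defender exclusion), which is what an analyst needs to see that the evasion and persistence steps are launched from the injected copy, not from the original dropper. The self-injection check is deliberately a candidate flag: browsers and other multi-process applications also spawn copies of themselves, so it should be corroborated with the thread-context and section-mapping signals the report records.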

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 mail.turkaykalibrasyon.com udp
TR 95.173.177.131:587 mail.turkaykalibrasyon.com tcp

Two things happen here, in this order: a plain-HTTP query to api.ipify.org (the "Looks up external IP address" signature; the stealer includes the victim's public IP in its report), then a TCP connection to port 587 (SMTP submission) on mail.turkaykalibrasyon.com. Port 587 from a process that is not a mail client is the exfiltration channel and is consistent with MassLogger's SMTP exfiltration option, where the mail account credentials are embedded in the build; the mail host and the resolved address 95.173.177.131 are the actionable indicators. Whether the domain is operator-owned or an abused third-party mail account cannot be determined from this report.

Files

memory/1248-54-0x0000000076071000-0x0000000076073000-memory.dmp

memory/1248-55-0x0000000000F90000-0x000000000102C000-memory.dmp

memory/1296-56-0x0000000000000000-mapping.dmp

memory/2016-57-0x000000000040188B-mapping.dmp

memory/776-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml

MD5 de0568b191c83304806f799becda4ebb
SHA1 fa173d7dbcfbff032aed5c0c78f2e77758acfbac
SHA256 5a76e8ae2a68014deae6999886f074625e6397692d1578697c76e47a2ba2f442
SHA512 1190c6ec33d231d18f52cad4e5ed234f8670fad22acb05292c5cd9dc9a96d3f7cbc6d6dbdca8bf18f9852aff3b0c1a04721f82d7f43133ae66f8c8680f80eb5d
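
The report hashes the task definition but does not show its contents, and the hash differs between the two runs, so triage of this artefact means reading the XML itself. The Python below is an added example (not the sandbox's code) that parses a Task Scheduler XML definition with the standard library and flags the traits that matter for persistence: an action under a user-writable path, a logon or boot trigger, a repeating trigger, a hidden task and an elevated run level. The Task Scheduler namespace is the real one; the XML body is constructed as a stand-in for the file hashed above, with the sample's drop path as the action and the triggers, principal and settings assumed. Note that schtasks /TN name registers the task as "name" regardless of the URI element inside the file.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a standard user can write to; a task whose action lives here is
# persistence for something dropped at run time, not an installed product.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)|Users\\Public|ProgramData)\\",
    re.I)


def triage_task_xml(xml_data):
    """Summarise a Task Scheduler XML definition (str or raw bytes; exported
    task files are usually UTF-16 with a BOM, so pass bytes when reading from
    disk) and flag the traits that matter for persistence triage."""
    root = ET.fromstring(xml_data)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    trig_root = root.find("t:Triggers", NS)
    triggers = []
    for trig in (list(trig_root) if trig_root is not None else []):
        kind = trig.tag.split("}")[-1]            # drop the namespace prefix
        interval = trig.find("t:Repetition/t:Interval", NS)
        triggers.append(kind + (f" every {interval.text}" if interval is not None else ""))

    actions = [(ex.findtext("t:Command", default="", namespaces=NS).strip(),
                ex.findtext("t:Arguments", default="", namespaces=NS).strip())
               for ex in root.findall("t:Actions/t:Exec", NS)]

    flags = set()
    if any(USER_WRITABLE.search(cmd) for cmd, _ in actions):
        flags.add("runs_from_user_writable_path")
    if text("t:Settings/t:Hidden").lower() == "true":
        flags.add("hidden")
    if text("t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        flags.add("highest_available")
    if any(t.startswith(("LogonTrigger", "BootTrigger")) for t in triggers):
        flags.add("starts_at_logon_or_boot")
    if any(" every " in t for t in triggers):
        flags.add("repeating")
    return {"uri": text("t:RegistrationInfo/t:URI"), "triggers": triggers,
            "actions": actions, "flags": flags}


# Constructed stand-in for the XML this report only hashes: the action path is
# the sample's own drop location; triggers, principal and settings are assumed.
CONSTRUCTED_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\name</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <StartBoundary>2022-03-30T07:51:00</StartBoundary>
      <Repetition><Interval>PT1M</Interval></Repetition>
    </TimeTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden><StartWhenAvailable>true</StartWhenAvailable></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_TASK_XML
    summary = triage_task_xml(data)
    print(summary["uri"], summary["triggers"], summary["actions"], sorted(summary["flags"]))
```

Pass a path on the command line to triage a real file pulled from a host; with no argument it runs on the constructed sample and reports all five flags. On an incident the same parser can be pointed at C:\Windows\System32\Tasks\<name>, where the registered copy of the definition lives even after the %TEMP% XML has been cleaned up.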

memory/2016-61-0x0000000000AD0000-0x0000000000B56000-memory.dmp

memory/1556-62-0x0000000000000000-mapping.dmp

memory/2016-64-0x00000000044D0000-0x000000000450E000-memory.dmp

memory/2016-65-0x0000000005EB0000-0x0000000005F40000-memory.dmp

memory/2016-66-0x0000000004B79000-0x0000000004B8A000-memory.dmp

memory/1556-68-0x0000000002552000-0x0000000002554000-memory.dmp

memory/1556-67-0x000000006EF20000-0x000000006F4CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-30 07:51

Reported

2022-04-01 04:31

Platform

win10v2004-20220331-en

Max time kernel

73s

Max time network

177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe"

Signatures

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 3960 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 328 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe
PID 3960 wrote to memory of 3956 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 328 wrote to memory of 5084 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe

"C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"

C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe

"C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\10b88ac8b8f3eadacaaafc13548973db3f2e48c681801fb05d6bfe88c3fbe2d1.exe'

(Self-deletion of the dropped file after a two-second delay, spawned by the injected second instance, PID 328. Note the difference from behavioral1: on Windows 10 the sample registers its scheduled task and then removes itself, and no Defender exclusion, browser or Outlook access, IP lookup or SMTP traffic is recorded. The task named "name" and the XML in %TEMP% are the on-host artefacts that remain once the executable is gone.)

Network

Country Destination Domain Proto
US 93.184.221.240:80 (none recorded) tcp (4 connections)
US 20.42.65.85:443 (none recorded) tcp
US 185.199.108.133:443 (none recorded) tcp (2 connections)
US 185.199.109.154:443 (none recorded) tcp (2 connections)

No DNS query and no domain is recorded for any of these flows, and neither api.ipify.org nor the port-587 mail server seen in behavioral1 was contacted: the Windows 10 run shows the persistence and self-delete stages but no collection or exfiltration. None of these connections is attributed to the sample's process in the report, so treat them as unattributed sandbox-image background traffic rather than as indicators of this sample.

Files

memory/1700-124-0x0000000000B50000-0x0000000000BEC000-memory.dmp

memory/3960-125-0x0000000000000000-mapping.dmp

memory/328-126-0x0000000000000000-mapping.dmp

memory/3956-127-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml

MD5 8a0cf1f6cfc8a5ef47c2c1a90888e5a1
SHA1 0da142e08b0ab9b9df5d1fdf3f3a47aaffd63aa2
SHA256 24a14fb0b915aabe7fceab6c2b1efdd13d30cfb9951b57e8fdba53e4e4fb94bb
SHA512 c2d3f8030a33239c275c53a932d3db8353d50646cb6ede1f2fb105940ac8ddf7a8abd6a110e985c2b01fae72378c141a304e2156ffea621021f6b902e8784118

The task definition has the same file name in both runs but a different hash (compare the behavioral1 entry), so the XML is written at run time with per-run content. Hunt on the file name, on the task name ("name", from /TN name) and on schtasks.exe being launched with /XML pointing into %TEMP%, not on the hash.

memory/328-129-0x00000000056D0000-0x0000000005762000-memory.dmp

memory/328-130-0x0000000005D20000-0x00000000062C4000-memory.dmp

memory/328-131-0x0000000005770000-0x00000000057D6000-memory.dmp

memory/5084-132-0x0000000000000000-mapping.dmp

memory/5084-133-0x0000000002730000-0x0000000002766000-memory.dmp

memory/5084-134-0x0000000005210000-0x0000000005838000-memory.dmp

memory/5084-135-0x0000000005070000-0x0000000005092000-memory.dmp

memory/5084-136-0x00000000058F0000-0x0000000005956000-memory.dmp

memory/5084-137-0x0000000006070000-0x000000000608E000-memory.dmp

memory/5084-138-0x00000000027C5000-0x00000000027C7000-memory.dmp

memory/5084-139-0x0000000007690000-0x0000000007D0A000-memory.dmp

memory/5084-140-0x0000000006550000-0x000000000656A000-memory.dmp

memory/5084-141-0x00000000072B0000-0x0000000007346000-memory.dmp

memory/5084-142-0x0000000006620000-0x0000000006642000-memory.dmp