Malware Analysis Report

2025-01-18 04:59

Sample ID 220414-hq44laaeep
Target 72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506
SHA256 72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506
Tags: masslogger collection spyware stealer

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506

Threat Level: Known bad

The file 72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506 was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger Main Payload

MassLogger

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: AddClipboardFormatListener

outlook_win_path

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-04-14 06:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-04-14 06:57

Reported: 2022-04-14 07:11

Platform: win7-20220311-en

Max time kernel: 4294182s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1576 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1576 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1576 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1568 wrote to memory of 1012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1568 wrote to memory of 1012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1568 wrote to memory of 1012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1568 wrote to memory of 1012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1568 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
PID 1568 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
PID 1568 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
PID 1568 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
PID 1764 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe

"C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B7D.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe

"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp

Files

memory/1940-54-0x00000000000A0000-0x0000000000168000-memory.dmp

memory/1940-55-0x00000000006D0000-0x0000000000736000-memory.dmp

memory/1940-56-0x0000000004620000-0x00000000046A6000-memory.dmp

memory/608-57-0x0000000000000000-mapping.dmp

memory/608-58-0x0000000076BC1000-0x0000000076BC3000-memory.dmp

memory/1576-59-0x0000000000000000-mapping.dmp

memory/1568-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8B7D.tmp.bat

MD5 77007f37a82f1475b4d7d375dd4d4e99
SHA1 0e59caffc393545c902981b5d22a6f995254f888
SHA256 fe0645b823f61fd70974d40a616bbdd6e9398c9568d3ca24b1e54cacd1750821
SHA512 a5db0c1d09bde5cf508ddd197adb280736a9e3e17c9644f9154acf6508cd41d0780bb052d7d7f2db63d3def1b6b239afd6e3717d2708d0ec926c3fffcf4346b7

memory/1940-62-0x0000000002065000-0x0000000002076000-memory.dmp

memory/876-63-0x0000000000000000-mapping.dmp

memory/1012-64-0x0000000000000000-mapping.dmp

memory/608-65-0x0000000074880000-0x0000000074E2B000-memory.dmp

memory/608-66-0x0000000002530000-0x000000000317A000-memory.dmp

\Users\Admin\AppData\Roaming\mscasey\nslookup.exe

MD5 8ede330b784357b9c3fef76332659c5e
SHA1 e85a1c6036f6f189cae2067320f8a7214ac1866f
SHA256 72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506
SHA512 ccef5e5904231f919f1a5cb660db74aff46e8165df482c2b87b3522b99d1baf01eb26667bc16392dfc43849ea634e686c76b80cd010980e02ba308e1968c733a

C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe

MD5 8ede330b784357b9c3fef76332659c5e
SHA1 e85a1c6036f6f189cae2067320f8a7214ac1866f
SHA256 72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506
SHA512 ccef5e5904231f919f1a5cb660db74aff46e8165df482c2b87b3522b99d1baf01eb26667bc16392dfc43849ea634e686c76b80cd010980e02ba308e1968c733a

memory/1764-69-0x0000000000000000-mapping.dmp

memory/1764-71-0x0000000001310000-0x00000000013D8000-memory.dmp

memory/1764-72-0x00000000003E0000-0x0000000000446000-memory.dmp

memory/1764-73-0x0000000005630000-0x00000000056B6000-memory.dmp

memory/1588-74-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 86a94fc0e95fd12ef09698a5f8a80bb9
SHA1 0157e66c8ff9535c91472c3c753cc27ac350e339
SHA256 d42a4e2f3600995cc1d29bea812a422610ccbb4d06e45bef1fb7e41c619b7b56
SHA512 be64aa2245d9bfed601c696c6d2cf7bca92516521532acfd0ba3d65060fc91ab89619a7f63876ebb82b997200eb3003bc6aa1ff6d66e1c3fef1ce46a90764b57

memory/1588-77-0x0000000072ED0000-0x000000007347B000-memory.dmp

memory/1764-78-0x00000000011E5000-0x00000000011F6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-04-14 06:57

Reported: 2022-04-14 07:11

Platform: win10v2004-en-20220113

Max time kernel: 144s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1288 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\cmd.exe
PID 1288 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe C:\Windows\SysWOW64\cmd.exe
PID 360 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4772 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4772 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
PID 3128 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe

"C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9BD0.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"'

C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe

"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe'

Network

Country Destination Domain Proto
US 20.189.173.11:443 tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp

Files

memory/1288-130-0x0000000000B90000-0x0000000000C58000-memory.dmp

memory/1288-131-0x0000000005AC0000-0x0000000006064000-memory.dmp

memory/1288-132-0x0000000005650000-0x00000000056C6000-memory.dmp

memory/1288-133-0x0000000005620000-0x000000000563E000-memory.dmp

memory/1288-134-0x0000000006E20000-0x0000000006EB2000-memory.dmp

memory/1288-135-0x0000000006EC0000-0x0000000006F26000-memory.dmp

memory/2936-136-0x0000000000000000-mapping.dmp

memory/1288-137-0x0000000007280000-0x000000000731C000-memory.dmp

memory/2936-138-0x00000000024C0000-0x00000000024F6000-memory.dmp

memory/1288-139-0x0000000005510000-0x0000000005AB4000-memory.dmp

memory/2936-140-0x0000000005080000-0x00000000056A8000-memory.dmp

memory/2936-141-0x0000000004F20000-0x0000000004F42000-memory.dmp

memory/2936-142-0x0000000004FC0000-0x0000000005026000-memory.dmp

memory/360-143-0x0000000000000000-mapping.dmp

memory/4772-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9BD0.tmp.bat

MD5 08fcb7afb41a1c8be2e1a2efcadfa6d2
SHA1 8429aea82a65ac2e6cb648eaf1b21977006001ed
SHA256 cbae675d3c1431b27f5ce0b95ac64ba8f116f678c818af2a6180ae3e0a86e81c
SHA512 80eb971f3266c60efbaba76cdb6c30966ebf06c6823112a16b90c2733ba9b0b534d02f32e3b7c58b9dc50a7431266c5a6201439da13a62918036e208b9abf4df

memory/2308-147-0x0000000000000000-mapping.dmp

memory/1296-146-0x0000000000000000-mapping.dmp

memory/2936-148-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

memory/2936-149-0x0000000004A45000-0x0000000004A47000-memory.dmp

C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe

MD5 8ede330b784357b9c3fef76332659c5e
SHA1 e85a1c6036f6f189cae2067320f8a7214ac1866f
SHA256 72b50da8bca5b84512f4d2905a24f45628b0221ae2bda664389b5c87db13f506
SHA512 ccef5e5904231f919f1a5cb660db74aff46e8165df482c2b87b3522b99d1baf01eb26667bc16392dfc43849ea634e686c76b80cd010980e02ba308e1968c733a

memory/3128-150-0x0000000000000000-mapping.dmp

memory/2936-153-0x0000000006FA0000-0x0000000006FD2000-memory.dmp

memory/2936-154-0x0000000075760000-0x00000000757AC000-memory.dmp

memory/2936-155-0x0000000006F60000-0x0000000006F7E000-memory.dmp

memory/2936-156-0x0000000007740000-0x0000000007DBA000-memory.dmp

memory/2936-157-0x00000000062A0000-0x00000000062BA000-memory.dmp

memory/2936-158-0x0000000007170000-0x000000000717A000-memory.dmp

memory/2936-159-0x0000000007380000-0x0000000007416000-memory.dmp

memory/2936-160-0x0000000007330000-0x000000000733E000-memory.dmp

memory/2936-161-0x0000000007440000-0x000000000745A000-memory.dmp

memory/2936-162-0x0000000007420000-0x0000000007428000-memory.dmp

memory/3592-163-0x0000000000000000-mapping.dmp

memory/3128-164-0x00000000072B0000-0x0000000007300000-memory.dmp

memory/3128-165-0x00000000071F0000-0x00000000071FA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8dc57e52411bb2a4e748505124721e7a
SHA1 9a04b8be88c32f84b958eb98b3120365b81f7b1d
SHA256 f3229d13074d4db94dcc3fd001c4da64bd6269d8b862bfc37701f99a49030ba3
SHA512 76ff447103a32acbe84b7b2094bd38eb4aea524383eb34b159784c0143c6112af80149c825d04ebd51c4876d3465ec9f74737b952d3da20c4178a9b51b917517

memory/3128-168-0x0000000004FE0000-0x0000000005584000-memory.dmp

memory/3592-169-0x000000006FFC0000-0x000000007000C000-memory.dmp

memory/3592-170-0x0000000004E15000-0x0000000004E17000-memory.dmp