Malware Analysis Report

2025-01-18 05:00

Sample ID 220415-a5j3zaabd5
Target fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4
SHA256 fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4
Tags
masslogger collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4

Threat Level: Known bad

The file fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4 was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger Main Payload

MassLogger

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-15 00:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-15 00:47

Reported

2022-04-15 01:06

Platform

win7-20220414-en

Max time kernel

44s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1260 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1260 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1260 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1260 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1260 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1260 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1260 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1260 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1260 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 936 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 936 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 936 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 888 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 888 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 888 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 888 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1160 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe

"C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe"

C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe

"C:/Users/Admin/AppData/Local/Temp/fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe" "%temp%\FolderN\name.exe" /Y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
US 8.8.8.8:53 bh-58.webhostbox.net udp
US 199.79.63.24:587 bh-58.webhostbox.net tcp

Files

memory/1260-54-0x0000000000B50000-0x0000000000BF6000-memory.dmp

memory/1160-55-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1160-56-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1160-58-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1160-59-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1160-61-0x000000000048140E-mapping.dmp

memory/1160-60-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1160-63-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1160-65-0x0000000000400000-0x0000000000486000-memory.dmp

memory/2044-66-0x0000000000000000-mapping.dmp

memory/936-67-0x0000000000000000-mapping.dmp

memory/1296-68-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 366e3c080ecfdf6882c6a40ed7ce2667
SHA1 54acfcce862f6a8313692623f3b6d4020b671edf
SHA256 fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4
SHA512 e4f0574b200facfe486484b1783096869ce52005659fcbd2557d9e830753597d320155baf4e5fa053a0da0f0aeba45220e6ff7e5d31c35ae9d5831cc5a0076b2

\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 366e3c080ecfdf6882c6a40ed7ce2667
SHA1 54acfcce862f6a8313692623f3b6d4020b671edf
SHA256 fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4
SHA512 e4f0574b200facfe486484b1783096869ce52005659fcbd2557d9e830753597d320155baf4e5fa053a0da0f0aeba45220e6ff7e5d31c35ae9d5831cc5a0076b2

memory/676-71-0x0000000000000000-mapping.dmp

memory/888-72-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat

MD5 bfcbf382f036462e63f307ca4ae280c7
SHA1 ffe98d15fa5ea205220d6bc105e317253a6ea003
SHA256 2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727
SHA512 1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16

memory/824-74-0x0000000000000000-mapping.dmp

memory/1896-75-0x0000000000000000-mapping.dmp

memory/1896-76-0x00000000753C1000-0x00000000753C3000-memory.dmp

memory/1160-78-0x0000000005140000-0x000000000517E000-memory.dmp

memory/1160-77-0x00000000006B5000-0x00000000006C6000-memory.dmp

memory/1160-79-0x0000000006350000-0x00000000063E0000-memory.dmp

memory/1896-80-0x0000000070780000-0x0000000070D2B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-15 00:47

Reported

2022-04-15 01:05

Platform

win10v2004-20220414-en

Max time kernel

106s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1484 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1484 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1484 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1484 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1484 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1484 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1484 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
PID 1484 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2256 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1484 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\cmd.exe
PID 4992 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4992 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4992 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 940 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 940 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 940 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe

"C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe"

C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe

"C:/Users/Admin/AppData/Local/Temp/fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe" "%temp%\FolderN\name.exe" /Y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 bh-58.webhostbox.net udp
US 199.79.63.24:587 bh-58.webhostbox.net tcp
NL 104.97.14.81:80 tcp
NL 104.110.191.133:80 tcp
US 52.168.117.170:443 tcp
US 204.79.197.203:80 tcp

Files

memory/1484-130-0x0000000000E90000-0x0000000000F36000-memory.dmp

memory/1484-131-0x0000000005910000-0x00000000059AC000-memory.dmp

memory/940-132-0x0000000000000000-mapping.dmp

memory/940-134-0x0000000000510000-0x0000000000596000-memory.dmp

memory/1636-135-0x0000000000000000-mapping.dmp

memory/2256-136-0x0000000000000000-mapping.dmp

memory/3304-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 366e3c080ecfdf6882c6a40ed7ce2667
SHA1 54acfcce862f6a8313692623f3b6d4020b671edf
SHA256 fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4
SHA512 e4f0574b200facfe486484b1783096869ce52005659fcbd2557d9e830753597d320155baf4e5fa053a0da0f0aeba45220e6ff7e5d31c35ae9d5831cc5a0076b2

memory/3788-139-0x0000000000000000-mapping.dmp

memory/4992-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat

MD5 bfcbf382f036462e63f307ca4ae280c7
SHA1 ffe98d15fa5ea205220d6bc105e317253a6ea003
SHA256 2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727
SHA512 1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16

memory/2220-142-0x0000000000000000-mapping.dmp

memory/940-143-0x0000000004CF0000-0x0000000004D82000-memory.dmp

memory/940-144-0x0000000005340000-0x00000000058E4000-memory.dmp

memory/940-145-0x0000000005F50000-0x0000000005FB6000-memory.dmp

memory/2060-146-0x0000000000000000-mapping.dmp

memory/940-147-0x00000000066B0000-0x00000000066BA000-memory.dmp

memory/2060-149-0x00000000051D0000-0x0000000005206000-memory.dmp

memory/940-148-0x0000000006760000-0x00000000067B0000-memory.dmp

memory/2060-150-0x0000000005880000-0x0000000005EA8000-memory.dmp

memory/2060-151-0x0000000005FF0000-0x0000000006012000-memory.dmp

memory/940-152-0x00000000049C3000-0x00000000049C5000-memory.dmp

memory/2060-153-0x0000000006190000-0x00000000061F6000-memory.dmp

memory/2060-154-0x0000000006780000-0x000000000679E000-memory.dmp

memory/2060-155-0x0000000007960000-0x0000000007992000-memory.dmp

memory/2060-156-0x00000000713B0000-0x00000000713FC000-memory.dmp

memory/2060-157-0x0000000006D20000-0x0000000006D3E000-memory.dmp

memory/2060-159-0x00000000080D0000-0x000000000874A000-memory.dmp

memory/2060-158-0x0000000005245000-0x0000000005247000-memory.dmp

memory/2060-160-0x0000000007A90000-0x0000000007AAA000-memory.dmp

memory/2060-161-0x0000000007B00000-0x0000000007B0A000-memory.dmp

memory/2060-162-0x0000000007D10000-0x0000000007DA6000-memory.dmp

memory/2060-163-0x0000000007CC0000-0x0000000007CCE000-memory.dmp

memory/2060-164-0x0000000007DD0000-0x0000000007DEA000-memory.dmp

memory/2060-165-0x0000000007DB0000-0x0000000007DB8000-memory.dmp