masslogger | 76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba

General

Target

76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Size

661KB
MD5

bd3418b1fef079b20bee903645a3a1e6
SHA1

f4914dae7b7677f527b39ed6a581849d2c64fd96
SHA256

76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba
SHA512

6f226069eca220ff74263d99e0ec284b6390a7a598f52002b4a0c3064f0af9aa44756047e4266528b50a2d3ecb9892359fec0768c0f28ffd8c171b4721363570

Score

10^/10

masslogger collection spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
bh-58.webhostbox.net
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3248-134-0x0000000000500000-0x0000000000586000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

Processes:

76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org

flow	ioc
6	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

description	pid	process	target process
PID 2564 set thread context of 3248	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3808 timeout.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

pid process

3248 76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

pid	process
3808	timeout.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

pid	process
3248	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exepowershell.exe

pid	process
2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
3248	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
3248	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
3248	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
3248	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
4084	powershell.exe
4084	powershell.exe
2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Token: SeDebugPrivilege	3248	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
Token: SeDebugPrivilege	4084	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

pid process

3248 76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

pid	process
3248	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.execmd.execmd.exe76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

description	pid	process	target process
PID 2564 wrote to memory of 3248	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
PID 2564 wrote to memory of 3248	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
PID 2564 wrote to memory of 3248	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
PID 2564 wrote to memory of 3248	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
PID 2564 wrote to memory of 3248	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
PID 2564 wrote to memory of 3248	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
PID 2564 wrote to memory of 3248	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
PID 2564 wrote to memory of 3248	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
PID 2564 wrote to memory of 5072	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	cmd.exe
PID 2564 wrote to memory of 5072	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	cmd.exe
PID 2564 wrote to memory of 5072	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	cmd.exe
PID 2564 wrote to memory of 4116	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	cmd.exe
PID 2564 wrote to memory of 4116	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	cmd.exe
PID 2564 wrote to memory of 4116	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	cmd.exe
PID 4116 wrote to memory of 4056	4116	cmd.exe	reg.exe
PID 4116 wrote to memory of 4056	4116	cmd.exe	reg.exe
PID 4116 wrote to memory of 4056	4116	cmd.exe	reg.exe
PID 2564 wrote to memory of 3392	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	cmd.exe
PID 2564 wrote to memory of 3392	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	cmd.exe
PID 2564 wrote to memory of 3392	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	cmd.exe
PID 2564 wrote to memory of 1432	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	cmd.exe
PID 2564 wrote to memory of 1432	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	cmd.exe
PID 2564 wrote to memory of 1432	2564	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	cmd.exe
PID 1432 wrote to memory of 3808	1432	cmd.exe	timeout.exe
PID 1432 wrote to memory of 3808	1432	cmd.exe	timeout.exe
PID 1432 wrote to memory of 3808	1432	cmd.exe	timeout.exe
PID 3248 wrote to memory of 4084	3248	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	powershell.exe
PID 3248 wrote to memory of 4084	3248	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	powershell.exe
PID 3248 wrote to memory of 4084	3248	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

outlook_win_path 1 IoCs

Processes:

76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe

C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
"C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
  "C:/Users/Admin/AppData/Local/Temp/76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe"
  2⤵
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:3248
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe" "%temp%\FolderN\name.exe" /Y
  2⤵
  PID:5072
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
    3⤵
    PID:4056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
  2⤵
  - NTFS ADS
  PID:3392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
661KB

MD5
bd3418b1fef079b20bee903645a3a1e6

SHA1
f4914dae7b7677f527b39ed6a581849d2c64fd96

SHA256
76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba

SHA512
6f226069eca220ff74263d99e0ec284b6390a7a598f52002b4a0c3064f0af9aa44756047e4266528b50a2d3ecb9892359fec0768c0f28ffd8c171b4721363570

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat

Filesize
204B

MD5
bfcbf382f036462e63f307ca4ae280c7

SHA1
ffe98d15fa5ea205220d6bc105e317253a6ea003

SHA256
2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727

SHA512
1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16

Download Submit
memory/1432-140-0x0000000000000000-mapping.dmp

Download
memory/2564-131-0x0000000005800000-0x000000000589C000-memory.dmp

Filesize
624KB

Download
memory/2564-130-0x0000000000E20000-0x0000000000ECC000-memory.dmp

Filesize
688KB

Download
memory/3248-134-0x0000000000500000-0x0000000000586000-memory.dmp

Filesize
536KB

Download
memory/3248-147-0x00000000066C0000-0x0000000006710000-memory.dmp

Filesize
320KB

Download
memory/3248-148-0x0000000006690000-0x000000000669A000-memory.dmp

Filesize
40KB

Download
memory/3248-149-0x0000000004A23000-0x0000000004A25000-memory.dmp

Filesize
8KB

Download
memory/3248-144-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/3248-132-0x0000000000000000-mapping.dmp

Download
memory/3248-145-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/3248-143-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/3392-139-0x0000000000000000-mapping.dmp

Download
memory/3808-142-0x0000000000000000-mapping.dmp

Download
memory/4056-137-0x0000000000000000-mapping.dmp

Download
memory/4084-155-0x00000000067B0000-0x00000000067E2000-memory.dmp

Filesize
200KB

Download
memory/4084-156-0x000000006F500000-0x000000006F54C000-memory.dmp

Filesize
304KB

Download
memory/4084-165-0x0000000007820000-0x0000000007828000-memory.dmp

Filesize
32KB

Download
memory/4084-150-0x0000000004C10000-0x0000000004C46000-memory.dmp

Filesize
216KB

Download
memory/4084-151-0x00000000053D0000-0x00000000059F8000-memory.dmp

Filesize
6.2MB

Download
memory/4084-152-0x0000000005350000-0x0000000005372000-memory.dmp

Filesize
136KB

Download
memory/4084-153-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download
memory/4084-154-0x00000000061F0000-0x000000000620E000-memory.dmp

Filesize
120KB

Download
memory/4084-146-0x0000000000000000-mapping.dmp

Download
memory/4084-164-0x0000000007840000-0x000000000785A000-memory.dmp

Filesize
104KB

Download
memory/4084-157-0x0000000006790000-0x00000000067AE000-memory.dmp

Filesize
120KB

Download
memory/4084-158-0x0000000004D95000-0x0000000004D97000-memory.dmp

Filesize
8KB

Download
memory/4084-159-0x0000000007B40000-0x00000000081BA000-memory.dmp

Filesize
6.5MB

Download
memory/4084-160-0x00000000074F0000-0x000000000750A000-memory.dmp

Filesize
104KB

Download
memory/4084-161-0x0000000007560000-0x000000000756A000-memory.dmp

Filesize
40KB

Download
memory/4084-162-0x0000000007750000-0x00000000077E6000-memory.dmp

Filesize
600KB

Download
memory/4084-163-0x0000000007730000-0x000000000773E000-memory.dmp

Filesize
56KB

Download
memory/4116-136-0x0000000000000000-mapping.dmp

Download
memory/5072-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads