Malware Analysis Report

2025-01-18 05:00

Sample ID 220415-kv5l2aedgl
Target 76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba
SHA256 76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba
Tags masslogger collection spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba

Threat Level: Known bad

The file 76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger

MassLogger Main Payload

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

outlook_win_path

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-04-15 08:56

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2022-04-15 08:56
Reported 2022-04-15 11:22
Platform win10v2004-en-20220113
Max time kernel 132s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target | Events
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A | 2

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2564 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | 8
PID 2564 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2564 wrote to memory of 4116 | N/A | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4116 wrote to memory of 4056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe | 3
PID 2564 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2564 wrote to memory of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1432 wrote to memory of 3808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 3
PID 3248 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe | N/A

Processes

Image path, followed by the command line the sandbox recorded for that process:

C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
  "C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe"

C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe
  "C:/Users/Admin/AppData/Local/Temp/76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe"

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe" "%temp%\FolderN\name.exe" /Y

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat

C:\Windows\SysWOW64\timeout.exe
  timeout /t 300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba.exe'

Network

Country | Destination | Domain | Proto | Events
US | 8.247.210.254:80 | N/A | tcp | 1
US | 8.8.8.8:53 | api.ipify.org | udp | 1
US | 3.232.242.170:80 | api.ipify.org | tcp | 1
US | 8.8.8.8:53 | bh-58.webhostbox.net | udp | 1
US | 199.79.63.24:587 | bh-58.webhostbox.net | tcp | 1
NL | 178.79.208.1:80 | N/A | tcp | 2

Files

memory/2564-130-0x0000000000E20000-0x0000000000ECC000-memory.dmp

memory/2564-131-0x0000000005800000-0x000000000589C000-memory.dmp

memory/3248-132-0x0000000000000000-mapping.dmp

memory/3248-134-0x0000000000500000-0x0000000000586000-memory.dmp

memory/5072-135-0x0000000000000000-mapping.dmp

memory/4116-136-0x0000000000000000-mapping.dmp

memory/4056-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 bd3418b1fef079b20bee903645a3a1e6
SHA1 f4914dae7b7677f527b39ed6a581849d2c64fd96
SHA256 76c77083a255a33c0f87189398ea25c36d313b1f79ad85304986312a724b58ba
SHA512 6f226069eca220ff74263d99e0ec284b6390a7a598f52002b4a0c3064f0af9aa44756047e4266528b50a2d3ecb9892359fec0768c0f28ffd8c171b4721363570

memory/3392-139-0x0000000000000000-mapping.dmp

memory/1432-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat

MD5 bfcbf382f036462e63f307ca4ae280c7
SHA1 ffe98d15fa5ea205220d6bc105e317253a6ea003
SHA256 2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727
SHA512 1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16

memory/3808-142-0x0000000000000000-mapping.dmp

memory/3248-143-0x0000000004E70000-0x0000000004F02000-memory.dmp

memory/3248-144-0x00000000054C0000-0x0000000005A64000-memory.dmp

memory/3248-145-0x0000000005D60000-0x0000000005DC6000-memory.dmp

memory/4084-146-0x0000000000000000-mapping.dmp

memory/3248-147-0x00000000066C0000-0x0000000006710000-memory.dmp

memory/3248-148-0x0000000006690000-0x000000000669A000-memory.dmp

memory/3248-149-0x0000000004A23000-0x0000000004A25000-memory.dmp

memory/4084-150-0x0000000004C10000-0x0000000004C46000-memory.dmp

memory/4084-151-0x00000000053D0000-0x00000000059F8000-memory.dmp

memory/4084-152-0x0000000005350000-0x0000000005372000-memory.dmp

memory/4084-153-0x0000000005A70000-0x0000000005AD6000-memory.dmp

memory/4084-154-0x00000000061F0000-0x000000000620E000-memory.dmp

memory/4084-155-0x00000000067B0000-0x00000000067E2000-memory.dmp

memory/4084-156-0x000000006F500000-0x000000006F54C000-memory.dmp

memory/4084-157-0x0000000006790000-0x00000000067AE000-memory.dmp

memory/4084-158-0x0000000004D95000-0x0000000004D97000-memory.dmp

memory/4084-159-0x0000000007B40000-0x00000000081BA000-memory.dmp

memory/4084-160-0x00000000074F0000-0x000000000750A000-memory.dmp

memory/4084-161-0x0000000007560000-0x000000000756A000-memory.dmp

memory/4084-162-0x0000000007750000-0x00000000077E6000-memory.dmp

memory/4084-163-0x0000000007730000-0x000000000773E000-memory.dmp

memory/4084-164-0x0000000007840000-0x000000000785A000-memory.dmp

memory/4084-165-0x0000000007820000-0x0000000007828000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2022-04-15 08:56
Reported 2022-04-15 11:17
Platform win7-20220331-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A