Analysis Overview
SHA256
8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2
Threat Level: Known bad
The file 8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2 was found to be: Known bad.
Malicious Activity Summary
Turns off Windows Defender SpyNet reporting
Modifies Windows Defender Real-time Protection settings
Modifies WinLogon for persistence
Matiex Main Payload
Windows security bypass
Matiex
Drops startup file
Reads user/profile data of web browsers
Checks computer location settings
Reads data files stored by FTP clients
Windows security modification
Reads user/profile data of local email clients
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-15 12:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-15 12:56
Reported
2022-04-15 14:05
Platform
win7-20220414-en
Max time kernel
61s
Max time network
158s
Command Line
Signatures
Matiex
Matiex Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe\"" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe = "0" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe = "0" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 872 set thread context of 984 | N/A | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe
"C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe" -Force
C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe
"C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 188.114.97.0:443 | freegeoip.app | tcp |
Files
memory/872-54-0x0000000000EB0000-0x00000000015B2000-memory.dmp
memory/872-55-0x0000000075521000-0x0000000075523000-memory.dmp
memory/872-56-0x0000000004C90000-0x0000000004D4C000-memory.dmp
memory/2044-57-0x0000000000000000-mapping.dmp
memory/1464-58-0x0000000000000000-mapping.dmp
memory/628-60-0x0000000000000000-mapping.dmp
memory/768-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 84821af4295144c7809cdb31170b78b8 |
| SHA1 | ef915357fdc06b45280bb27a5e02bac18b09d4bb |
| SHA256 | c6450f4f1d2186ef3fd8ea388afce532d5879974415bb9edb7d10072d67fd49a |
| SHA512 | 7e007c58d9116971ae4c598ffe564f0cb4569c8a3e7657612e1758d3dff397ac591259a4224ae6fc496ec58c21dd27d8b7e479625ddfa490e697c455a5e62a5b |
memory/768-68-0x000000006EE60000-0x000000006F40B000-memory.dmp
memory/1464-69-0x000000006EE60000-0x000000006F40B000-memory.dmp
memory/2044-70-0x000000006EE60000-0x000000006F40B000-memory.dmp
memory/628-71-0x000000006EE60000-0x000000006F40B000-memory.dmp
memory/1464-72-0x00000000025D0000-0x0000000002613000-memory.dmp
memory/984-73-0x0000000000400000-0x0000000000476000-memory.dmp
memory/984-74-0x0000000000400000-0x0000000000476000-memory.dmp
memory/984-76-0x0000000000400000-0x0000000000476000-memory.dmp
memory/984-79-0x000000000047087E-mapping.dmp
memory/984-77-0x0000000000400000-0x0000000000476000-memory.dmp
memory/984-78-0x0000000000400000-0x0000000000476000-memory.dmp
memory/984-81-0x0000000000400000-0x0000000000476000-memory.dmp
memory/984-83-0x0000000000400000-0x0000000000476000-memory.dmp
memory/772-84-0x0000000000000000-mapping.dmp
memory/984-86-0x0000000005D25000-0x0000000005D36000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-15 12:56
Reported
2022-04-15 14:05
Platform
win10v2004-20220414-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Matiex
Matiex Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe\"" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe = "0" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe = "0" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe" | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2912 set thread context of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe
"C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe" -Force
C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe
"C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe"
C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe
"C:\Users\Admin\AppData\Local\Temp\8eff817d4a8ab57a51dd2863e8d1323ebac8158f558bceb9da56ebb08da1efc2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2912 -ip 2912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 2280
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 188.114.96.0:443 | freegeoip.app | tcp |
| US | 8.253.208.112:80 | N/A | tcp |
| FR | 2.18.109.224:443 | N/A | tcp |
| US | 104.18.24.243:80 | N/A | tcp |
| IE | 13.69.239.74:443 | N/A | tcp |
| US | 8.253.208.112:80 | N/A | tcp |
| US | 8.253.208.112:80 | N/A | tcp |
| US | 8.253.208.112:80 | N/A | tcp |
Files
memory/2912-130-0x0000000000B40000-0x0000000001242000-memory.dmp
memory/2912-131-0x00000000150F0000-0x000000001518C000-memory.dmp
memory/2912-132-0x0000000006230000-0x00000000067D4000-memory.dmp
memory/2916-133-0x0000000000000000-mapping.dmp
memory/4012-134-0x0000000000000000-mapping.dmp
memory/2916-136-0x00000000021E0000-0x0000000002216000-memory.dmp
memory/3144-135-0x0000000000000000-mapping.dmp
memory/1324-137-0x0000000000000000-mapping.dmp
memory/2916-138-0x0000000004CA0000-0x00000000052C8000-memory.dmp
memory/4012-139-0x0000000005180000-0x00000000051A2000-memory.dmp
memory/2916-140-0x0000000005440000-0x00000000054A6000-memory.dmp
memory/2916-141-0x00000000054B0000-0x0000000005516000-memory.dmp
memory/4012-142-0x0000000006160000-0x000000000617E000-memory.dmp
memory/1364-143-0x0000000000000000-mapping.dmp
memory/3432-144-0x0000000000000000-mapping.dmp
memory/3432-145-0x0000000000400000-0x0000000000476000-memory.dmp
memory/4012-146-0x0000000004C55000-0x0000000004C57000-memory.dmp
memory/3144-147-0x0000000005135000-0x0000000005137000-memory.dmp
memory/1324-149-0x00000000048D5000-0x00000000048D7000-memory.dmp
memory/2916-148-0x0000000004665000-0x0000000004667000-memory.dmp
memory/2916-154-0x0000000006090000-0x00000000060AE000-memory.dmp
memory/2916-151-0x000000006FF30000-0x000000006FF7C000-memory.dmp
memory/3144-152-0x000000006FF30000-0x000000006FF7C000-memory.dmp
memory/3144-150-0x0000000007430000-0x0000000007462000-memory.dmp
memory/4012-153-0x000000006FF30000-0x000000006FF7C000-memory.dmp
memory/1324-155-0x000000006FF30000-0x000000006FF7C000-memory.dmp
memory/4012-156-0x0000000007BC0000-0x000000000823A000-memory.dmp
memory/2916-157-0x0000000006E00000-0x0000000006E1A000-memory.dmp
memory/2916-158-0x0000000006E70000-0x0000000006E7A000-memory.dmp
memory/3144-159-0x0000000007A10000-0x0000000007AA6000-memory.dmp
memory/3432-160-0x0000000006F90000-0x0000000007022000-memory.dmp
memory/3432-161-0x0000000005E00000-0x0000000005E0A000-memory.dmp
memory/4708-162-0x0000000000000000-mapping.dmp
memory/2916-163-0x0000000007030000-0x000000000703E000-memory.dmp
memory/2916-164-0x0000000007140000-0x000000000715A000-memory.dmp
memory/4012-165-0x0000000007700000-0x0000000007708000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c823f38e558ff0e0a4eb1e92646f4d1e |
| SHA1 | cdf97cba35010f259f0f46a8b7f88df014031e96 |
| SHA256 | 3956e014345ee954a6a43099a7a12de45e46cc39c24376319939a6c876f437e4 |
| SHA512 | 4fe86fb402cde4880c747d4cb2ab3cbfc051768f691f692e64e658828afa1630180368f295ad7b51278a94a14efb999bfd4108c99b8e48d63006a509f0c4b31c |
memory/3432-168-0x00000000075F0000-0x00000000077B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | daf7be85c114e5aef130cbf7584a52e1 |
| SHA1 | 67f708c62a46bdfe0b9b4aa21db99ed9ffa9b470 |
| SHA256 | 17ab418ebdf9c76cb6ea9d232abfc04bf2b8b097ba64a47b43ea9723dfbd94e8 |
| SHA512 | 8bbd9796d3e28cc2099c4728f521315976384860731d77fef9a238f0f45e4054708392bd7a78d9df53614b546d155ec115831a6c203d7eeb632b626db74a9d1d |
memory/3432-170-0x0000000005860000-0x0000000005E04000-memory.dmp