66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818

General

Target

66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Size

836KB
MD5

b66137894e7b2ce09501a59f4fad54aa
SHA1

69001867345de1d042b3827b5a07b2fc47507f8e
SHA256

66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818
SHA512

49c48cd41475c1e47541be5d51ba43bc6d603bb297918b45afea737dddfdb105921bb85fd259eb3fe59053e1863ce447a9c6bbb28cf4c9e8028c57c7fd542360

Score

7^/10

collection spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

Processes:

66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.ipify.org
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe

pid process

3488 66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe

flow	ioc
12	api.ipify.org

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exepowershell.exe

pid	process
3488	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
3488	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
3488	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
3488	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
3488	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
3488	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
4552	powershell.exe
4552	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3488	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
Token: SeDebugPrivilege	4552	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe

pid process

3488 66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe

description	pid	process	target process
PID 3488 wrote to memory of 4552	3488	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe	powershell.exe
PID 3488 wrote to memory of 4552	3488	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe	powershell.exe
PID 3488 wrote to memory of 4552	3488	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe

outlook_win_path 1 IoCs

Processes:

66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe

C:\Users\Admin\AppData\Local\Temp\66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe
"C:\Users\Admin\AppData\Local\Temp\66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3488
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\66d05250514627cddb42608a19e5bcfbb776861ece06b0314d5183dcbc55d818.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3488-142-0x0000000005223000-0x0000000005225000-memory.dmp

Filesize
8KB

Download
memory/3488-137-0x00000000070A0000-0x000000000713C000-memory.dmp

Filesize
624KB

Download
memory/3488-130-0x0000000000800000-0x00000000008D4000-memory.dmp

Filesize
848KB

Download
memory/3488-133-0x00000000067C0000-0x0000000006826000-memory.dmp

Filesize
408KB

Download
memory/3488-131-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/3488-136-0x0000000006F20000-0x0000000006F2A000-memory.dmp

Filesize
40KB

Download
memory/3488-135-0x0000000006FB0000-0x0000000007000000-memory.dmp

Filesize
320KB

Download
memory/3488-132-0x0000000005C60000-0x0000000006204000-memory.dmp

Filesize
5.6MB

Download
memory/4552-134-0x0000000000000000-mapping.dmp

Download
memory/4552-147-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download
memory/4552-140-0x00000000056E0000-0x0000000005702000-memory.dmp

Filesize
136KB

Download
memory/4552-141-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/4552-144-0x0000000004A45000-0x0000000004A47000-memory.dmp

Filesize
8KB

Download
memory/4552-143-0x0000000005E80000-0x0000000005E9E000-memory.dmp

Filesize
120KB

Download
memory/4552-138-0x00000000048D0000-0x0000000004906000-memory.dmp

Filesize
216KB

Download
memory/4552-145-0x0000000006430000-0x0000000006462000-memory.dmp

Filesize
200KB

Download
memory/4552-146-0x00000000704E0000-0x000000007052C000-memory.dmp

Filesize
304KB

Download
memory/4552-139-0x0000000005080000-0x00000000056A8000-memory.dmp

Filesize
6.2MB

Download
memory/4552-148-0x0000000007850000-0x0000000007ECA000-memory.dmp

Filesize
6.5MB

Download
memory/4552-149-0x0000000006520000-0x000000000653A000-memory.dmp

Filesize
104KB

Download
memory/4552-150-0x00000000071F0000-0x00000000071FA000-memory.dmp

Filesize
40KB

Download
memory/4552-151-0x0000000007400000-0x0000000007496000-memory.dmp

Filesize
600KB

Download
memory/4552-152-0x00000000073B0000-0x00000000073BE000-memory.dmp

Filesize
56KB

Download
memory/4552-153-0x00000000074C0000-0x00000000074DA000-memory.dmp

Filesize
104KB

Download
memory/4552-154-0x00000000074A0000-0x00000000074A8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads