Analysis Overview
SHA256
7303654c2cc6af60f1d7033505de273c4291f65a04d252732e9a3abb2684404a
Threat Level: Known bad
The file 7303654c2cc6af60f1d7033505de273c4291f65a04d252732e9a3abb2684404a was found to be: Known bad.
Malicious Activity Summary
Cheetah Keylogger Payload
Cheetah Keylogger
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-21 01:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 01:37
Reported
2022-05-21 02:30
Platform
win7-20220414-en
Max time kernel
98s
Max time network
103s
Command Line
Signatures
Cheetah Keylogger
Cheetah Keylogger Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ifconfig.me | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1600 set thread context of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\Bank Details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bank Details.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bank Details.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bank Details.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bank Details.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Bank Details.exe
"C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ifconfig.me | udp |
| US | 34.117.59.81:80 | ifconfig.me | tcp |
| US | 8.8.8.8:53 | mail.aviner.co.za | udp |
| ZA | 102.130.117.53:587 | mail.aviner.co.za | tcp |
Files
memory/1600-54-0x00000000011B0000-0x000000000121C000-memory.dmp
memory/1600-55-0x00000000002F0000-0x0000000000306000-memory.dmp
memory/1600-56-0x0000000075CD1000-0x0000000075CD3000-memory.dmp
memory/1600-57-0x00000000004A0000-0x00000000004A8000-memory.dmp
memory/1600-58-0x0000000000600000-0x0000000000608000-memory.dmp
memory/1600-59-0x0000000000650000-0x000000000065A000-memory.dmp
memory/1772-60-0x00000000000F0000-0x0000000000112000-memory.dmp
memory/1772-61-0x00000000000F0000-0x0000000000112000-memory.dmp
memory/1772-63-0x00000000000F0000-0x0000000000112000-memory.dmp
memory/1772-65-0x000000000041FEBE-mapping.dmp
memory/1772-66-0x00000000000F0000-0x0000000000112000-memory.dmp
memory/1772-67-0x00000000000F0000-0x0000000000112000-memory.dmp
memory/1772-70-0x00000000000F0000-0x0000000000112000-memory.dmp
memory/1772-72-0x00000000000F0000-0x0000000000112000-memory.dmp
memory/1772-73-0x0000000000510000-0x0000000000546000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 01:37
Reported
2022-05-21 02:31
Platform
win10v2004-20220414-en
Max time kernel
154s
Max time network
164s
Command Line
Signatures
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ifconfig.me | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2832 set thread context of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\Bank Details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bank Details.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bank Details.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bank Details.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bank Details.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Bank Details.exe
"C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
| NL | 52.178.17.2:443 | N/A | tcp |
| IE | 20.54.89.106:443 | N/A | tcp |
| NL | 104.110.191.140:80 | N/A | tcp |
| NL | 104.110.191.140:80 | N/A | tcp |
| NL | 104.110.191.140:80 | N/A | tcp |
| NL | 104.110.191.140:80 | N/A | tcp |
| NL | 104.110.191.140:80 | N/A | tcp |
| US | 8.8.8.8:53 | ifconfig.me | udp |
| US | 34.117.59.81:80 | ifconfig.me | tcp |
| US | 8.8.8.8:53 | mail.aviner.co.za | udp |
| ZA | 102.130.117.53:587 | mail.aviner.co.za | tcp |
Files
memory/2832-130-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/2832-131-0x0000000005A80000-0x0000000006024000-memory.dmp
memory/2832-132-0x00000000055B0000-0x0000000005642000-memory.dmp
memory/2832-133-0x00000000059C0000-0x0000000005A04000-memory.dmp
memory/2832-134-0x0000000005100000-0x0000000005122000-memory.dmp
memory/1196-135-0x0000000000000000-mapping.dmp
memory/1196-136-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1196-137-0x0000000005330000-0x00000000053CC000-memory.dmp
memory/1196-138-0x0000000005DB0000-0x0000000005F72000-memory.dmp
memory/1196-139-0x00000000061F0000-0x0000000006256000-memory.dmp
memory/1196-140-0x00000000061E0000-0x00000000061EA000-memory.dmp