Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-b97v9sgefn
Target f3cceaade073909138c4e002218ba66cd00afc7d6077ed44a632f7d98a7ac2ad
SHA256 f3cceaade073909138c4e002218ba66cd00afc7d6077ed44a632f7d98a7ac2ad
Tags
masslogger collection ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f3cceaade073909138c4e002218ba66cd00afc7d6077ed44a632f7d98a7ac2ad

Threat Level: Known bad

The file f3cceaade073909138c4e002218ba66cd00afc7d6077ed44a632f7d98a7ac2ad was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware spyware stealer

MassLogger log file

MassLogger

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

outlook_win_path

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 01:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 01:51

Reported

2022-05-21 02:48

Platform

win7-20220414-en

Max time kernel

110s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GES39704.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1960 set thread context of 896 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Users\Admin\AppData\Local\Temp\GES39704.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Windows\SysWOW64\schtasks.exe
PID 1960 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Windows\SysWOW64\schtasks.exe
PID 1960 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Windows\SysWOW64\schtasks.exe
PID 1960 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Windows\SysWOW64\schtasks.exe
PID 1960 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Users\Admin\AppData\Local\Temp\GES39704.exe
PID 1960 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Users\Admin\AppData\Local\Temp\GES39704.exe
PID 1960 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Users\Admin\AppData\Local\Temp\GES39704.exe
PID 1960 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Users\Admin\AppData\Local\Temp\GES39704.exe
PID 1960 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Users\Admin\AppData\Local\Temp\GES39704.exe
PID 1960 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Users\Admin\AppData\Local\Temp\GES39704.exe
PID 1960 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Users\Admin\AppData\Local\Temp\GES39704.exe
PID 1960 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Users\Admin\AppData\Local\Temp\GES39704.exe
PID 1960 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Users\Admin\AppData\Local\Temp\GES39704.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GES39704.exe

"C:\Users\Admin\AppData\Local\Temp\GES39704.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hRXQymoFjGekl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1575.tmp"

C:\Users\Admin\AppData\Local\Temp\GES39704.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.ionos.de udp
DE 213.165.67.113:587 smtp.ionos.de tcp

Files

memory/1960-54-0x00000000012D0000-0x00000000013B0000-memory.dmp

memory/1960-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

memory/1960-56-0x0000000000310000-0x0000000000320000-memory.dmp

memory/1960-57-0x00000000057E0000-0x000000000588E000-memory.dmp

memory/1960-58-0x0000000005A80000-0x0000000005B38000-memory.dmp

memory/1736-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1575.tmp

MD5 fd0da90b2d459fff83a44d490f986376
SHA1 55763d7b7e26f5208fd46582dd26e62221063bf2
SHA256 fcf47def24f4df8c201b8d4628d1cee6ffa713f675eff8135547df1f7082ce7b
SHA512 aba3fae45367743613b51eb63d8be73133ce08339ea74f3d0b1ec35069876eb867b0d9d4439cd75cb3b3d7398f4dec721617874a53a994a9814526d907ad6999

memory/896-61-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/896-62-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/896-64-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/896-65-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/896-66-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/896-67-0x00000000004B32EE-mapping.dmp

memory/896-69-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/896-71-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/896-72-0x0000000000CF0000-0x0000000000D68000-memory.dmp

memory/896-74-0x0000000000F85000-0x0000000000F96000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 01:51

Reported

2022-05-21 02:50

Platform

win10v2004-20220414-en

Max time kernel

138s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GES39704.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3232 set thread context of 1492 N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe C:\Users\Admin\AppData\Local\Temp\GES39704.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\GES39704.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GES39704.exe

"C:\Users\Admin\AppData\Local\Temp\GES39704.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hRXQymoFjGekl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA930.tmp"

C:\Users\Admin\AppData\Local\Temp\GES39704.exe

"{path}"

Network

Country Destination Domain Proto
GB 92.123.143.240:80 tcp
US 52.109.8.21:443 tcp
US 20.42.72.131:443 tcp
IE 20.54.89.15:443 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.ionos.de udp
DE 213.165.67.97:587 smtp.ionos.de tcp

Files

memory/3232-130-0x00000000004C0000-0x00000000005A0000-memory.dmp

memory/3232-131-0x0000000005630000-0x0000000005BD4000-memory.dmp

memory/3232-132-0x0000000004F70000-0x0000000005002000-memory.dmp

memory/3232-133-0x0000000004F40000-0x0000000004F4A000-memory.dmp

memory/3232-134-0x00000000074F0000-0x000000000758C000-memory.dmp

memory/1996-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA930.tmp

MD5 3b7ae9f2cec67577ee776823afe13714
SHA1 840dde1fe793f185fccef97826aeb52f252c4d55
SHA256 f121c3980bbdfbe87272eb599bdc7fa18f6fab847b1a6a6eb7cc9892d4f2320f
SHA512 515b765be70c81f766165e6cc655c40d818d7648fe4439158f9886337b4e97a78b6da2e3288f58bf9a803fe114adb39a9576ecb6e80c08e9ec0cc398fbe0f8de

memory/1492-137-0x0000000000000000-mapping.dmp

memory/1492-138-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1492-139-0x0000000005750000-0x00000000057B6000-memory.dmp

memory/1492-140-0x0000000008050000-0x00000000080A0000-memory.dmp