Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-caw56agehp
Target f171906d6dbc7c4ffe93e7ae0c5ae128057a7e4393a0bf7d753e8c84a88a62c9
SHA256 f171906d6dbc7c4ffe93e7ae0c5ae128057a7e4393a0bf7d753e8c84a88a62c9
Tags
masslogger collection ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file f171906d6dbc7c4ffe93e7ae0c5ae128057a7e4393a0bf7d753e8c84a88a62c9 was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware spyware stealer

MassLogger

MassLogger log file

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

outlook_win_path

Creates scheduled task(s)

outlook_office_path

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 01:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 01:52

Reported

2022-05-21 02:50

Platform

win7-20220414-en

Max time kernel

41s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1048 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 1048 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe

"C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe"

C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe

"{path}"

Network

N/A

Files

memory/1048-54-0x00000000003C0000-0x00000000004CA000-memory.dmp

memory/1048-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

memory/1048-56-0x00000000005F0000-0x00000000005FC000-memory.dmp

memory/1048-57-0x0000000005BF0000-0x0000000005CD4000-memory.dmp

memory/1048-58-0x0000000008130000-0x0000000008210000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 01:52

Reported

2022-05-21 02:50

Platform

win10v2004-20220414-en

Max time kernel

95s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\VideoLAN\vlc.exe N/A
N/A N/A C:\Users\Admin\VideoLAN\vlc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\VideoLAN\vlc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2160 set thread context of 3992 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 2216 set thread context of 2556 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\VideoLAN\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
N/A N/A C:\Users\Admin\VideoLAN\vlc.exe N/A
N/A N/A C:\Users\Admin\VideoLAN\vlc.exe N/A
N/A N/A C:\Users\Admin\VideoLAN\vlc.exe N/A
N/A N/A C:\Users\Admin\VideoLAN\vlc.exe N/A
N/A N/A C:\Users\Admin\VideoLAN\vlc.exe N/A
N/A N/A C:\Users\Admin\VideoLAN\vlc.exe N/A
N/A N/A C:\Users\Admin\VideoLAN\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\VideoLAN\vlc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\VideoLAN\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\VideoLAN\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 2160 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 2160 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 2160 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 2160 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 2160 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 2160 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 2160 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe
PID 3992 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Windows\SysWOW64\cmd.exe
PID 3992 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Windows\SysWOW64\cmd.exe
PID 3992 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Windows\SysWOW64\cmd.exe
PID 3992 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Windows\SysWOW64\cmd.exe
PID 3992 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Windows\SysWOW64\cmd.exe
PID 3992 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1388 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1388 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4540 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4540 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4540 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4540 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 4540 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 4540 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 2216 wrote to memory of 2556 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 2216 wrote to memory of 2556 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 2216 wrote to memory of 2556 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 2216 wrote to memory of 2556 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 2216 wrote to memory of 2556 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 2216 wrote to memory of 2556 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 2216 wrote to memory of 2556 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 2216 wrote to memory of 2556 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\VideoLAN\vlc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe

"C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe"

C:\Users\Admin\AppData\Local\Temp\SCTB38 NEW782.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\VideoLAN\vlc.exe

"C:\Users\Admin\VideoLAN\vlc.exe"

C:\Users\Admin\VideoLAN\vlc.exe

"{path}"

Network

Country Destination Domain Proto
US 20.189.173.10:443 tcp
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp
US 52.109.12.20:443 tcp
DE 67.24.27.254:80 tcp
BE 8.238.110.126:80 tcp
BE 8.238.110.126:80 tcp
GB 92.123.140.25:80 tcp
BE 8.238.110.126:80 tcp
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.gmail.com udp
US 142.250.102.109:587 smtp.gmail.com tcp

Files

memory/2160-130-0x0000000000DF0000-0x0000000000EFA000-memory.dmp

memory/2160-131-0x0000000005D90000-0x0000000006334000-memory.dmp

memory/2160-132-0x0000000005890000-0x0000000005922000-memory.dmp

memory/2160-133-0x0000000005A30000-0x0000000005A3A000-memory.dmp

memory/2160-134-0x000000000F9C0000-0x000000000FA5C000-memory.dmp

memory/3992-135-0x0000000000000000-mapping.dmp

memory/3992-136-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/3992-137-0x0000000005850000-0x00000000058B6000-memory.dmp

memory/1388-138-0x0000000000000000-mapping.dmp

memory/4540-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SCTB38 NEW782.exe.log

MD5 6dcfdb496c3cf0a736b09292618b380d
SHA1 59d3aecbd319c9b48d500b51a093ee48d02af334
SHA256 cb5dcf594045c8b7a5f87e8a12eabbd3e53e673654926027627ed79ef3e2a203
SHA512 9b7d22dc9e40d11693f7191f7b075a78974322af145010e66b19d989e678477dfe4741e88d02929d5b37236276f4605bc23a7adbedf43b66cd3c4e5e7b7e67ff

memory/4532-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.bat

MD5 73f6a2b0972fe2524ef6a6f09b6c789c
SHA1 b324258e3993fbba182e0f6dbf1e895d5cd6cf4b
SHA256 6dd62db1905607640852050055e6b3f5210bb5434a178fbfd70f2a0bb9cd7aaa
SHA512 3edf4117a599b5c89a11f7075f97db57f1f72866c2a6fd81b2441c03234fffdd8cac2e5310b5b76ee9e181a45eb1416ea4aa9329ea07bc41e6cc6be6c7c8b0fe

memory/1960-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\VideoLAN\vlc.exe

MD5 18b6f9b159d93570f9ace705a62a9fad
SHA1 82f75eeef6e25500f517faf6f561057e63ea3a63
SHA256 48c124e7d628adaa322470af51fdee8a965faf61bdfbc4c2b143dcf57d52be1a
SHA512 d836b883425d6c8567eb0876a67525aca3ac6a33c0b7d2a72ef76bf6f0bf71594fdb2c71d6b18f5eeb607c1b3cd334876ae5d2906fa456d6b8d2c6e498696e39

memory/2216-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\VideoLAN\vlc.exe

MD5 18b6f9b159d93570f9ace705a62a9fad
SHA1 82f75eeef6e25500f517faf6f561057e63ea3a63
SHA256 48c124e7d628adaa322470af51fdee8a965faf61bdfbc4c2b143dcf57d52be1a
SHA512 d836b883425d6c8567eb0876a67525aca3ac6a33c0b7d2a72ef76bf6f0bf71594fdb2c71d6b18f5eeb607c1b3cd334876ae5d2906fa456d6b8d2c6e498696e39

memory/2556-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\VideoLAN\vlc.exe

MD5 18b6f9b159d93570f9ace705a62a9fad
SHA1 82f75eeef6e25500f517faf6f561057e63ea3a63
SHA256 48c124e7d628adaa322470af51fdee8a965faf61bdfbc4c2b143dcf57d52be1a
SHA512 d836b883425d6c8567eb0876a67525aca3ac6a33c0b7d2a72ef76bf6f0bf71594fdb2c71d6b18f5eeb607c1b3cd334876ae5d2906fa456d6b8d2c6e498696e39

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vlc.exe.log

MD5 6dcfdb496c3cf0a736b09292618b380d
SHA1 59d3aecbd319c9b48d500b51a093ee48d02af334
SHA256 cb5dcf594045c8b7a5f87e8a12eabbd3e53e673654926027627ed79ef3e2a203
SHA512 9b7d22dc9e40d11693f7191f7b075a78974322af145010e66b19d989e678477dfe4741e88d02929d5b37236276f4605bc23a7adbedf43b66cd3c4e5e7b7e67ff

memory/2556-151-0x0000000007CC0000-0x0000000007D10000-memory.dmp