Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-cgf3hsdha5
Target d9ba65273cd9e8f4f3c4dcf601c652d153fe3fc54a0dd1135389574945128dd5
SHA256 d9ba65273cd9e8f4f3c4dcf601c652d153fe3fc54a0dd1135389574945128dd5
Tags
masslogger collection rezer0 spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d9ba65273cd9e8f4f3c4dcf601c652d153fe3fc54a0dd1135389574945128dd5

Threat Level: Known bad

The file d9ba65273cd9e8f4f3c4dcf601c652d153fe3fc54a0dd1135389574945128dd5 was found to be: Known bad.

Malicious Activity Summary

masslogger collection rezer0 spyware stealer upx

MassLogger log file

MassLogger

ACProtect 1.3x - 1.4x DLL software

ReZer0 packer

UPX packed file

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 02:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 02:02

Reported

2022-05-21 03:10

Platform

win7-20220414-en

Max time kernel

130s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1992 set thread context of 1660 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Windows\SysWOW64\schtasks.exe
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Windows\SysWOW64\schtasks.exe
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Windows\SysWOW64\schtasks.exe
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Windows\SysWOW64\schtasks.exe
PID 1992 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
PID 1992 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
PID 1992 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
PID 1992 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
PID 1992 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
PID 1992 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
PID 1992 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
PID 1992 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
PID 1992 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe

"C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTZEtCS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D8.tmp"

C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.flockmail.com udp
US 52.201.104.110:587 smtp.flockmail.com tcp

Files

memory/1992-54-0x0000000000B10000-0x0000000000CCC000-memory.dmp

memory/1992-55-0x00000000755C1000-0x00000000755C3000-memory.dmp

memory/1992-56-0x00000000003D0000-0x00000000003D8000-memory.dmp

memory/1992-57-0x000000000A260000-0x000000000A3C6000-memory.dmp

memory/1700-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3D8.tmp

MD5 d35735e2f2c4449eeeca3d4fb9254702
SHA1 a52b2a0d2a2451742ca0a008eef0f4b867ba6bc2
SHA256 4e2b9d28fd20df815c5dbe2f5aef8fc19fcc843b17fe72f3dfa32e9cdeff0f64
SHA512 c0268f5ab9323d3ca970efe8b7ac5f15291b1930bb1f5ee9507a1a501c1ab8c77b7847584366fb37ae0709dc086d6aec3fc140f3767a897e4e0f2167b5b466dd

memory/1660-60-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-61-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-63-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-64-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-66-0x000000000055996E-mapping.dmp

memory/1660-68-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-65-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-70-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-72-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-74-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-76-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-78-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-80-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-82-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-84-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-86-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-88-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-90-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-92-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-94-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-96-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-98-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-100-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-102-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-104-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-106-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-108-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-110-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-112-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-114-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-116-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-118-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-120-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1660-122-0x0000000000400000-0x000000000055E000-memory.dmp

\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll

MD5 e81aeac387c5db32b7f9b07d15e788e0
SHA1 829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3
SHA256 44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06
SHA512 cc6a96325a01c50c059706a1f4156f109e502ef9c0b0f5de209d1f52e7cc973cebc027f57ed988e9d1b8fca62746b60ee7430d608de95cdd0e5ac3cb61fbe32e

memory/1660-633-0x0000000000370000-0x00000000003B4000-memory.dmp

memory/1660-634-0x0000000005D60000-0x0000000005DF0000-memory.dmp

memory/1660-635-0x0000000006050000-0x00000000060B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 02:02

Reported

2022-05-21 03:10

Platform

win10v2004-20220414-en

Max time kernel

126s

Max time network

179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2736 set thread context of 1688 N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe

"C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTZEtCS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C0D.tmp"

C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe

"{path}"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.247.211.126:80 tcp
US 8.247.211.126:80 tcp
GB 51.104.15.253:443 tcp
US 8.247.211.126:80 tcp
US 8.247.211.126:80 tcp
US 8.247.211.126:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.flockmail.com udp
US 54.160.129.236:587 smtp.flockmail.com tcp

Files

memory/2736-130-0x0000000000CE0000-0x0000000000E9C000-memory.dmp

memory/2736-131-0x0000000008280000-0x0000000008824000-memory.dmp

memory/2736-132-0x0000000007D70000-0x0000000007E02000-memory.dmp

memory/2736-133-0x0000000007D20000-0x0000000007D2A000-memory.dmp

memory/2736-134-0x00000000081B0000-0x000000000824C000-memory.dmp

memory/2172-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4C0D.tmp

MD5 a9ef5bfc90a95db0644d2c23b8cb07f1
SHA1 76f3d9537192045044e5074085e36ad46e6451d8
SHA256 3345a9e77fe85cfd1a02de9fe6308ae3797b03a30c8fc0a08b027db8cc20c7cb
SHA512 7a93891ede69dac4cac1f0d294c5c89bb6a27799f5bacdd6c2bc87c51c63eeedb335626790bde2ff3d039cac8ad76baff16ff83fd856d74a4d376686df6e37f8

memory/1688-137-0x0000000000000000-mapping.dmp

memory/1688-138-0x0000000000400000-0x000000000055E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASE.exe.log

MD5 400f1cc1a0a0ce1cdabda365ab3368ce
SHA1 1ecf683f14271d84f3b6063493dce00ff5f42075
SHA256 c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA512 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

memory/1688-141-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-143-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-145-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-147-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-149-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-151-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-153-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-155-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-157-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-159-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-161-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-163-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-165-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-167-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-169-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-171-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-173-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-175-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-177-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-179-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-181-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-183-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-185-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-187-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-189-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-191-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-193-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-195-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-197-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-199-0x0000000000400000-0x000000000055E000-memory.dmp

memory/1688-201-0x0000000000400000-0x000000000055E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll

MD5 e81aeac387c5db32b7f9b07d15e788e0
SHA1 829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3
SHA256 44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06
SHA512 cc6a96325a01c50c059706a1f4156f109e502ef9c0b0f5de209d1f52e7cc973cebc027f57ed988e9d1b8fca62746b60ee7430d608de95cdd0e5ac3cb61fbe32e

memory/1688-701-0x00000000069B0000-0x0000000006A16000-memory.dmp

memory/1688-702-0x00000000087E0000-0x0000000008830000-memory.dmp