Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-chqcksdhf3
Target d43a19e0d55377fea3acc08b3e9e1f7a964bf08da5b11c500217e184bd7cf79a
SHA256 d43a19e0d55377fea3acc08b3e9e1f7a964bf08da5b11c500217e184bd7cf79a
Tags
masslogger collection ransomware rezer0 spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d43a19e0d55377fea3acc08b3e9e1f7a964bf08da5b11c500217e184bd7cf79a

Threat Level: Known bad

The file d43a19e0d55377fea3acc08b3e9e1f7a964bf08da5b11c500217e184bd7cf79a was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware rezer0 spyware stealer

MassLogger

MassLogger log file

MassLogger Main Payload

ReZer0 packer

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 02:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 02:04

Reported

2022-05-21 03:13

Platform

win7-20220414-en

Max time kernel

85s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\order.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1688 set thread context of 1792 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Windows\SysWOW64\schtasks.exe
PID 1688 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Windows\SysWOW64\schtasks.exe
PID 1688 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Windows\SysWOW64\schtasks.exe
PID 1688 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Windows\SysWOW64\schtasks.exe
PID 1688 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe
PID 1688 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe
PID 1688 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe
PID 1688 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe
PID 1688 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe
PID 1688 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe
PID 1688 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe
PID 1688 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe
PID 1688 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\order.exe

"C:\Users\Admin\AppData\Local\Temp\order.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rUrNVd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55EE.tmp"

C:\Users\Admin\AppData\Local\Temp\order.exe

"{path}"

Network

Country  Destination          Domain          Proto
US       8.8.8.8:53           api.ipify.org   udp
US       3.220.57.224:80      api.ipify.org   tcp
US       8.8.8.8:53           smtp.gmail.com  udp
US       142.250.102.108:587  smtp.gmail.com  tcp

Files

memory/1688-54-0x0000000000E10000-0x0000000000F4E000-memory.dmp

memory/1688-55-0x0000000075E31000-0x0000000075E33000-memory.dmp

memory/1688-56-0x00000000004D0000-0x00000000004D8000-memory.dmp

memory/1688-57-0x00000000051C0000-0x0000000005278000-memory.dmp

memory/1220-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp55EE.tmp

MD5 561cf94e4146ff3f2ddb6468333616b2
SHA1 4a2733ed642d1274287578470e7e14a4a5818a2e
SHA256 6f36c64b5cef5e568cab1e621e973267e7204a52e653868dd778abfad170a283
SHA512 d829eec5197a4bd9f9d65649859d7df2e0508a6c7fd55a1ff6f35ab56b0de970060ae46536c821225acd6866676d89464d539be009b819667bb909101b77b927

memory/1688-60-0x0000000008070000-0x0000000008120000-memory.dmp

memory/1792-61-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-62-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-64-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-65-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-66-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-67-0x00000000004AB4EE-mapping.dmp

memory/1792-69-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-71-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-73-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-75-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-77-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-79-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-81-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-83-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-85-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-87-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-89-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-91-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-93-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-95-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-97-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-99-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-101-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-103-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-105-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-107-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-109-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-111-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-113-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-115-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-117-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-119-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-121-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-123-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1792-580-0x00000000003C0000-0x0000000000404000-memory.dmp

memory/1792-582-0x0000000004F95000-0x0000000004FA6000-memory.dmp

memory/1792-583-0x0000000000E00000-0x0000000000E14000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 02:04

Reported

2022-05-21 03:13

Platform

win10v2004-20220414-en

Max time kernel

94s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\order.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4944 set thread context of 3332 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\order.exe

"C:\Users\Admin\AppData\Local\Temp\order.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rUrNVd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA107.tmp"

C:\Users\Admin\AppData\Local\Temp\order.exe

"{path}"

Network

Country  Destination          Domain          Proto
US       209.197.3.8:80                       tcp
US       8.8.8.8:53           api.ipify.org   udp
US       54.91.59.199:80      api.ipify.org   tcp
US       209.197.3.8:80                       tcp
US       209.197.3.8:80                       tcp
US       8.8.8.8:53           smtp.gmail.com  udp
US       142.250.102.108:587  smtp.gmail.com  tcp

Files

memory/4944-130-0x00000000000B0000-0x00000000001EE000-memory.dmp

memory/4944-131-0x0000000005060000-0x0000000005604000-memory.dmp

memory/4944-132-0x0000000004B90000-0x0000000004C22000-memory.dmp

memory/4944-133-0x0000000004D30000-0x0000000004D3A000-memory.dmp

memory/4944-134-0x0000000008DC0000-0x0000000008E5C000-memory.dmp

memory/4828-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA107.tmp

MD5 dc85c7adaa3656a6aa7cfb2732827cdc
SHA1 4e3b2b939d3a280f8f45f26b88aa7479594837be
SHA256 86a4e3343f3195df3cfffc87ad3a93d8d9088e15a88a0297a741a477cdaad115
SHA512 30272421e4e6714aa394a0a1fbf2557e16037ccc88f046feb9012e4df67be1a1439f265edfc5ac8e2f692be93b01719add98fc32958f4ca46e1c03445a81f712

memory/3332-137-0x0000000000000000-mapping.dmp

memory/3332-138-0x0000000000400000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/3332-141-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-143-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-145-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-147-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-149-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-151-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-153-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-155-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-157-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-159-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-161-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-163-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-165-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-167-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-169-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-171-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-173-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-175-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-177-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-179-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-181-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-183-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-187-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-185-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-189-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-191-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-193-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-195-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-197-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-199-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-201-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3332-648-0x0000000005F30000-0x0000000005F96000-memory.dmp

memory/3332-649-0x0000000008690000-0x00000000086E0000-memory.dmp