Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-cjgrtshacj
Target d0a266b4b689590e572020b8117157cdfa05d9b6d9cbcdb0aa5389ab3d55cfa6
SHA256 d0a266b4b689590e572020b8117157cdfa05d9b6d9cbcdb0aa5389ab3d55cfa6
Tags
masslogger collection ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

d0a266b4b689590e572020b8117157cdfa05d9b6d9cbcdb0aa5389ab3d55cfa6

Threat Level: Known bad

The file d0a266b4b689590e572020b8117157cdfa05d9b6d9cbcdb0aa5389ab3d55cfa6 was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware spyware stealer

Note on the tags: every signature listed below is stealer/collection behaviour (browser profile reads, Outlook profile access, an external-IP lookup, a MassLogger log file and an outbound SMTP connection). None records file encryption or a ransom note, so the ransomware tag is not corroborated by anything in this report.

MassLogger Main Payload

MassLogger

MassLogger log file

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 02:06

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 02:06

Reported

2022-05-21 03:10

Platform

win10v2004-20220414-en

Max time kernel

108s

Max time network

182s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A (32 matches; the sandbox exported no per-match details)

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

The three key trees touched below are where Outlook keeps account settings: Office\15.0\Outlook\Profiles (Outlook 2013), Office\16.0\Outlook\Profiles (Outlook 2016 and later) and Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles (the older MAPI profile store). The 9375CFF0413111d3B88A00104B2A6676 subkey under each profile holds the per-account entries, which is what a mail-credential stealer reads; the outlook_office_path and outlook_win_path signatures at the end of this section fire on the same accesses.

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 624 set thread context of 4136 N/A C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe

Read together with the WriteProcessMemory rows below (same parent 624, same child 4136, identical image path), this is the process-hollowing pattern: the parent starts a second copy of its own executable, writes into it and then redirects a thread into the written code. The repeated memory/4136 dumps of 0x0000000000400000-0x00000000004B0000 under Files are snapshots of that replaced image and are where to look for the unpacked MassLogger payload.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 4136 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe"

C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 - tcp
US 93.184.220.29:80 - tcp
NL 8.238.24.126:80 - tcp
NL 8.238.24.126:80 - tcp
GB 51.104.15.252:443 - tcp
US 52.152.108.96:443 - tcp
NL 8.238.24.126:80 - tcp
NL 8.238.24.126:80 - tcp
NL 8.238.24.126:80 - tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 93.184.220.29:80 - tcp
US 204.79.197.203:80 - tcp
US 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.yandex.ru udp
RU 77.88.21.158:587 smtp.yandex.ru tcp

("-" marks rows where the sandbox resolved no domain.) Only two destinations here are tied to a signature: api.ipify.org (the external-IP lookup) and smtp.yandex.ru on port 587 (outbound SMTP, consistent with the MassLogger log file being delivered by mail). The eleven undomained connections and the two *.arpa PTR queries have no signature attached, are absent from the Win7 run of the same sample, and cannot be attributed to the sample from this report; corroborate them before using them as indicators.

Files

memory/624-130-0x0000000000770000-0x000000000084E000-memory.dmp

memory/624-131-0x0000000005830000-0x0000000005DD4000-memory.dmp

memory/624-132-0x0000000005280000-0x0000000005312000-memory.dmp

memory/624-133-0x00000000051F0000-0x00000000051FA000-memory.dmp

memory/624-134-0x0000000008E70000-0x000000000939C000-memory.dmp

memory/624-135-0x00000000097B0000-0x000000000984C000-memory.dmp

memory/4136-136-0x0000000000000000-mapping.dmp

memory/4136-137-0x0000000000400000-0x00000000004B0000-memory.dmp

(31 further dumps of the same region, memory/4136-139 through memory/4136-199 at odd indices, all 0x0000000000400000-0x00000000004B0000)

memory/4136-646-0x0000000005500000-0x0000000005566000-memory.dmp

memory/4136-647-0x0000000006E30000-0x0000000006E80000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 02:06

Reported

2022-05-21 03:10

Platform

win7-20220414-en

Max time kernel

105s

Max time network

189s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A (32 matches; the sandbox exported no per-match details)

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1944 set thread context of 1360 N/A C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe

Same process-hollowing pattern as the Win10 run: the parent (1944) writes into a child running its own image and then redirects a thread in it. On Win7 the context change goes to 1360, the last of the five children listed under WriteProcessMemory below.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1944 wrote to memory of 316 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe
PID 1944 wrote to memory of 956 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe
PID 1944 wrote to memory of 936 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe
PID 1944 wrote to memory of 1656 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe
PID 1944 wrote to memory of 1360 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe

Only 1360 also receives the SetThreadContext call above; 316, 956, 936 and 1656 are written to but never have a thread context set. That is why the Processes list below shows six instances of the same image while only 1944 and 1360 appear under Files.
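The WriteProcessMemory and SetThreadContext rows from both detonations can be correlated mechanically. The script below is an added example written for this page, not sandbox code and not part of the sample; it re-types the rows from the two runs above (with the duplicate rows expanded back to their event counts), groups them by source and target PID, and labels a pair as a hollowing candidate only when writes and a context change meet on the same child. The row layout it parses is assumed from the tables on this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the WriteProcessMemory / SetThreadContext rows recorded for the
# two detonations in this report, re-typed so the script runs offline. Row layout
# (assumed from the tables above): "PID <src> <op> <dst> N/A <process> <target>".
IMG = r"C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe"


def build_rows(src, ctx_dst, writes):
    """Helper that emits rows in the report's format; writes = {child_pid: count}."""
    rows = [f"PID {src} set thread context of {ctx_dst} N/A {IMG} {IMG}"]
    for dst, count in writes.items():
        rows += [f"PID {src} wrote to memory of {dst} N/A {IMG} {IMG}"] * count
    return rows


WIN10_ROWS = build_rows(624, 4136, {4136: 8})
WIN7_ROWS = build_rows(1944, 1360, {316: 4, 956: 4, 936: 4, 1656: 4, 1360: 9})

ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) N/A (?P<proc>.+?\.exe) (?P<target>.+\.exe)$",
    re.IGNORECASE,
)


@dataclass
class Pair:
    writes: int = 0        # WriteProcessMemory events src -> dst
    ctx_set: bool = False  # SetThreadContext seen src -> dst
    same_image: bool = False


def correlate(rows):
    """Fold the per-event rows into one record per (source PID, target PID)."""
    pairs = defaultdict(Pair)
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue  # rows from other signatures are not our concern here
        p = pairs[(int(m["src"]), int(m["dst"]))]
        if m["op"].lower().startswith("wrote"):
            p.writes += 1
        else:
            p.ctx_set = True
        p.same_image = m["proc"].lower() == m["target"].lower()
    return dict(pairs)


def verdicts(rows):
    """Label each pair. Memory writes followed by a thread-context change are the
    process-hollowing signature; writes alone are lower confidence (the child may
    have exited, or the injection may have been abandoned)."""
    out = {}
    for key, p in correlate(rows).items():
        if p.writes and p.ctx_set:
            label = "hollowing-candidate"
            if p.same_image:
                label += " (self-injection)"
        elif p.writes:
            label = "write-only"
        else:
            label = "context-only"
        out[key] = label
    return out


def hollowed_children(rows):
    """Child PIDs whose memory should be dumped and scanned first."""
    return sorted(dst for (_, dst), label in verdicts(rows).items()
                  if label.startswith("hollowing-candidate"))


if __name__ == "__main__":
    for name, rows in (("win10", WIN10_ROWS), ("win7", WIN7_ROWS)):
        for (src, dst), label in sorted(verdicts(rows).items()):
            print(f"{name}: {src} -> {dst}: {label}")
        print(f"{name}: dump first: {hollowed_children(rows)}")
```

Run as-is it reports 624 -> 4136 and 1944 -> 1360 as self-injection hollowing candidates and the four other Win7 children as write-only, which is the same reading the Files sections support: only those two children were dumped. The same correlation transfers to EDR telemetry if the rows are replaced with cross-process write and thread-context events keyed by PID.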

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe"

C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe"

C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe"

C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe"

C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe"

C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\BIS SWIFT_20072020_9427492749242_PDF.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.yandex.ru udp
RU 77.88.21.158:587 smtp.yandex.ru tcp
US 8.8.8.8:53 repository.certum.pl udp
NL 104.110.191.14:80 repository.certum.pl tcp

Both runs contact api.ipify.org and then smtp.yandex.ru on 587. api.ipify.org resolved to a different address in each run (3.232.242.170 here, 54.91.59.199 on Win10) while smtp.yandex.ru resolved to 77.88.21.158 in both, so the domain is the durable indicator for the IP lookup, and outbound SMTP on 587 from a workstation to a public webmail server is the detection opportunity for the exfiltration. repository.certum.pl is a public certificate-authority repository; an HTTP fetch from it is consistent with certificate-chain or revocation retrieval during signature validation and should not be reported as command and control.
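Separating sample-attributable destinations from resolver chatter and platform background is the routine step a triage analyst performs on tables like the two above. The script below is an added example written for this page (not sandbox code): it re-types both Network tables, tolerates the missing Domain column, classifies each row, and keeps only the (domain, ip:port) pairs tied to a signature. The role table mapping domains to roles is an assumption of the example, not something the report states.

```python
from collections import Counter

# Constructed input: the Network rows of the two detonations in this report, re-typed
# so the script runs offline. Layout: "Country Destination [Domain] Proto"; the Domain
# column is simply absent on rows where no name was resolved.
WIN10_NET = """
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
NL 8.238.24.126:80 tcp
NL 8.238.24.126:80 tcp
GB 51.104.15.252:443 tcp
US 52.152.108.96:443 tcp
NL 8.238.24.126:80 tcp
NL 8.238.24.126:80 tcp
NL 8.238.24.126:80 tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.yandex.ru udp
RU 77.88.21.158:587 smtp.yandex.ru tcp
"""
WIN7_NET = """
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.yandex.ru udp
RU 77.88.21.158:587 smtp.yandex.ru tcp
US 8.8.8.8:53 repository.certum.pl udp
NL 104.110.191.14:80 repository.certum.pl tcp
"""

# Role table (an assumption of this example, not part of the report): names the
# report ties to a signature, plus one public CA host that must not be called C2.
KNOWN = {
    "api.ipify.org": "external-ip-lookup",    # "Looks up external IP address via web service"
    "smtp.yandex.ru": "smtp-exfil",           # outbound 587 from a workstation: log delivery
    "repository.certum.pl": "ca-repository",  # certificate chain / revocation fetch
}


def parse(text):
    """Parse the report's rows; the Domain column may be missing."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    if row["port"] == 53 and row["proto"] == "udp":
        if row["domain"] and row["domain"].endswith(".arpa"):
            return "ptr-noise"      # resolver reverse-lookups of other connections
        return "dns-query"
    if row["domain"] is None:
        return "unattributed"       # no name: corroborate before treating as an IOC
    return KNOWN.get(row["domain"], "unknown-domain")


def triage(text):
    """Per-class counts plus the (domain, ip:port) pairs that are sample-attributable."""
    rows = parse(text)
    counts = Counter(classify(r) for r in rows)
    iocs = sorted({(r["domain"], f'{r["ip"]}:{r["port"]}') for r in rows
                   if classify(r) in ("external-ip-lookup", "smtp-exfil")})
    return counts, iocs


def stable_iocs(*texts):
    """Pairs seen identically in every run: the only ones worth an IP-level block."""
    return sorted(set.intersection(*(set(triage(t)[1]) for t in texts)))


if __name__ == "__main__":
    for name, text in (("win10", WIN10_NET), ("win7", WIN7_NET)):
        counts, iocs = triage(text)
        print(name, dict(counts), iocs)
    print("stable across runs:", stable_iocs(WIN10_NET, WIN7_NET))
```

On the Win10 table this leaves eleven unattributed connections and two PTR queries out of the indicator list, keeps api.ipify.org and smtp.yandex.ru, and across the two runs finds only smtp.yandex.ru at 77.88.21.158:587 stable enough to block by address; the ipify address changed between runs and should be tracked by name.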

Files

memory/1944-54-0x0000000000020000-0x00000000000FE000-memory.dmp

memory/1944-55-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

memory/1944-56-0x0000000000360000-0x0000000000372000-memory.dmp

memory/1944-57-0x0000000007D80000-0x0000000007E38000-memory.dmp

memory/1360-58-0x0000000000400000-0x00000000004B0000-memory.dmp

(memory/1360-59, -61, -62 and -63: same region 0x0000000000400000-0x00000000004B0000)

memory/1360-64-0x00000000004AB84E-mapping.dmp

(28 further dumps of the same region, memory/1360-66 through memory/1360-120 at even indices, all 0x0000000000400000-0x00000000004B0000)

memory/1360-577-0x00000000005D0000-0x0000000000614000-memory.dmp

memory/1360-579-0x0000000004CA5000-0x0000000004CB6000-memory.dmp

memory/1360-580-0x0000000001F60000-0x0000000001F74000-memory.dmp