Analysis Overview
SHA256
f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816
Threat Level: Known bad
The file f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816 was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
MassLogger log file
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
outlook_office_path
outlook_win_path
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 02:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 02:08
Reported
2022-05-21 03:18
Platform
win7-20220414-en
Max time kernel
101s
Max time network
154s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(33 hits reported for this signature; the report shows no description, indicator, process or target for any of them)
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 908 set thread context of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe
"C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hUwUwo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpADA.tmp"
C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.ru | udp |
| RU | 77.88.21.158:587 | smtp.yandex.ru | tcp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| NL | 104.110.191.15:80 | repository.certum.pl | tcp |
Files
memory/908-54-0x0000000000BA0000-0x0000000000CEE000-memory.dmp
memory/908-55-0x00000000001F0000-0x00000000001FA000-memory.dmp
memory/908-56-0x0000000007950000-0x0000000007A0A000-memory.dmp
memory/1156-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpADA.tmp
| MD5 | fcf441b967ceb41a8ae5c967c0a33e26 |
| SHA1 | f62f4b8f35f0c184b68cf235a71e85b110cff380 |
| SHA256 | bf1fbe607b513a63eeb18990f828411f555594b5b88480320419acd9aa0779bb |
| SHA512 | e1dbd992d59c9272f62c02500de6b8824e2dc968f5aca65260bf7effc0e8364e8b45605c0a29c52ad37a674523a924dc21a3bd19016eb3a6b6c6139a0901919e |
memory/1836-59-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-60-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-62-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-63-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-64-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-65-0x00000000004ACD7E-mapping.dmp
memory/1836-67-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-69-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-71-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-73-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-75-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-77-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-79-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-81-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-83-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-85-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-87-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-89-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-91-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-93-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-95-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-97-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-99-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-101-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-103-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-105-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-107-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-109-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-111-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-113-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-115-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-117-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-121-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-119-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-123-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1836-586-0x0000000000510000-0x0000000000554000-memory.dmp
memory/1836-588-0x0000000004F85000-0x0000000004F96000-memory.dmp
memory/1836-589-0x0000000002260000-0x0000000002274000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 02:08
Reported
2022-05-21 03:17
Platform
win10v2004-20220414-en
Max time kernel
113s
Max time network
156s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(32 hits reported for this signature; the report shows no description, indicator, process or target for any of them)
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1424 set thread context of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe
"C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hUwUwo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD39C.tmp"
C:\Users\Admin\AppData\Local\Temp\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe
"{path}"
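The behavioral1 and behavioral2 runs above record the same three host-side behaviours: schtasks.exe importing a task definition from the user's Temp directory, the sample re-launching itself with "{path}" and then calling SetThreadContext on that child (alongside WriteProcessMemory), and Outlook profile registry keys being read by a process that is not a mail client. The following Python triage rules turn those observations into detections over process and registry events. This is an added example, not part of the sandbox report or of any vendor's signature set; the event records are constructed to mirror the report (PIDs taken from behavioral1, plus a benign OUTLOOK.EXE control event), and the event field names (type, pid, ppid, image, cmdline, key, target_pid) and the mail-client allowlist are assumptions.

```python
"""Host-side triage rules for the behaviour recorded in the behavioral1 and
behavioral2 runs. Added example, not part of the sandbox report; the events
below are constructed and the field names are assumed."""
import ntpath
import re

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816.exe")
HKU = r"\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000"

# Constructed events (PIDs from the behavioral1 run; the OUTLOOK.EXE event is a benign control).
EVENTS = [
    {"type": "process_create", "pid": 908, "ppid": 500, "image": SAMPLE_EXE,
     "cmdline": f'"{SAMPLE_EXE}"'},
    {"type": "process_create", "pid": 1156, "ppid": 908,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hUwUwo" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpADA.tmp"'},
    {"type": "process_create", "pid": 1836, "ppid": 908, "image": SAMPLE_EXE,
     "cmdline": '"{path}"'},
    {"type": "set_thread_context", "pid": 908, "target_pid": 1836},
    {"type": "registry_query", "pid": 1836, "image": SAMPLE_EXE,
     "key": HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem"
                  r"\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "registry_query", "pid": 2200,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "key": HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
]

SCHTASKS_XML_RE = re.compile(r'/Create\b.*?/XML\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
OUTLOOK_PROFILE_RE = re.compile(r"\\Profiles\\Outlook(\\|$)", re.IGNORECASE)
MAIL_CLIENTS = {"outlook.exe"}  # processes expected to read Outlook profile keys (assumed allowlist)


def schtasks_xml_from_user_temp(ev):
    """Rule 1: schtasks.exe /Create importing its task definition from a user Temp directory.
    Match on the image basename: under WoW64 the report shows SysWOW64\\schtasks.exe running
    with a System32 path on its command line, so a full-path match would miss it."""
    if ev["type"] != "process_create" or ntpath.basename(ev["image"]).lower() != "schtasks.exe":
        return None
    m = SCHTASKS_XML_RE.search(ev["cmdline"])
    if not m:
        return None
    xml_path = m.group(1) or m.group(2)
    if USER_TEMP_RE.search(xml_path):
        return f"pid {ev['pid']}: schtasks /Create imports task XML from user Temp: {xml_path}"
    return None


def outlook_profile_read_by_foreign_process(ev):
    """Rule 2: Outlook profile registry keys (account settings, including stored passwords)
    read by a process that is not a mail client."""
    if ev["type"] not in ("registry_query", "registry_open"):
        return None
    if not OUTLOOK_PROFILE_RE.search(ev["key"]):
        return None
    proc = ntpath.basename(ev["image"])
    if proc.lower() in MAIL_CLIENTS:
        return None
    return f"pid {ev['pid']}: {proc} read Outlook profile key {ev['key']}"


def self_hollowing(events):
    """Rule 3: a process sets the thread context of its own child running the same image.
    That is the shape of RunPE-style hollowing: spawn a suspended copy of yourself, overwrite
    its image with the payload (WriteProcessMemory), then redirect its thread (SetThreadContext)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hits = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
        if src and dst and dst["ppid"] == src["pid"] and src["image"].lower() == dst["image"].lower():
            hits.append(f"pid {src['pid']} set thread context of its own child {dst['pid']} "
                        f"({ntpath.basename(src['image'])}): likely process hollowing")
    return hits


def triage(events):
    """Run every rule over the event stream; returns human-readable findings."""
    findings = []
    for ev in events:
        for rule in (schtasks_xml_from_user_temp, outlook_profile_read_by_foreign_process):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(self_hollowing(events))
    return findings


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

Run against the constructed events, triage() returns one finding per rule and stays silent on the OUTLOOK.EXE control. Two caveats when porting the rules to real telemetry: the process-image check must use the basename (WoW64 file-system redirection is why the report lists SysWOW64\schtasks.exe for a System32 command line), and the hollowing rule needs parent/child linkage plus a thread-context event, which Sysmon does not emit natively; an EDR that logs SetThreadContext or the CreateRemoteThread/suspended-process pair is required for that third rule.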
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| NL | 8.238.21.126:80 | | tcp |
| NL | 52.178.17.2:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.ru | udp |
| RU | 77.88.21.158:587 | smtp.yandex.ru | tcp |
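Both Network tables (behavioral1 and behavioral2) show the same exfiltration sequence: a lookup of the victim's public address via api.ipify.org, then an SMTP submission to smtp.yandex.ru on port 587. Neither destination is a useful indicator on its own (ipify is widely used by legitimate software and Yandex is a public mail provider); the durable signal is the pairing of an IP-echo connection with an outbound mail submission from a host that should not be talking to external SMTP servers. The Python below implements that correlation over flow records. It is an added example, not part of the sandbox report; the flow records are constructed to mirror the behavioral1 table (timestamps, the internal host addresses, the IP-echo domain list and the relay allowlist are all assumptions).

```python
"""Network-side triage for the pattern in the behavioral1/behavioral2 Network tables:
an external-IP lookup followed within seconds by an SMTP submission to an external host.
Added example, not part of the sandbox report; flow records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str                      # internal host that opened the connection
    dst_ip: str
    dst_port: int
    proto: str                    # "tcp" or "udp"
    domain: Optional[str] = None  # name the destination was resolved from, if known


# Public IP echo services; membership of this list is an assumption of the example.
IP_ECHO_DOMAINS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me"}
MAIL_SUBMISSION_PORTS = {25, 465, 587}
APPROVED_MAIL_RELAYS = {"10.0.0.25"}  # assumed internal relay; load from inventory in practice


def is_ip_echo(flow: Flow) -> bool:
    # Count only the TCP connection, not the DNS lookup: a lookup alone proves nothing.
    return flow.proto == "tcp" and (flow.domain or "").lower() in IP_ECHO_DOMAINS


def is_external_mail_submission(flow: Flow) -> bool:
    return (flow.proto == "tcp" and flow.dst_port in MAIL_SUBMISSION_PORTS
            and flow.dst_ip not in APPROVED_MAIL_RELAYS)


def detect_ip_echo_then_smtp(flows: List[Flow], window: timedelta = timedelta(minutes=10)) -> list:
    """One alert per external mail submission that the same internal host preceded,
    within `window`, with a connection to an IP-echo service."""
    by_host = {}
    for f in sorted(flows, key=lambda f: f.ts):
        by_host.setdefault(f.src, []).append(f)
    alerts = []
    for host, seq in by_host.items():
        echoes = [f for f in seq if is_ip_echo(f)]
        for f in seq:
            if not is_external_mail_submission(f):
                continue
            prior = [e for e in echoes if e.ts <= f.ts and f.ts - e.ts <= window]
            if prior:
                last = prior[-1]
                alerts.append({"host": host, "ip_echo": last.domain,
                               "smtp_dst": f"{f.domain or f.dst_ip}:{f.dst_port}",
                               "gap_s": int((f.ts - last.ts).total_seconds())})
    return alerts


T0 = datetime(2022, 5, 21, 2, 10, 0)
FLOWS = [
    # Sandbox host, mirroring the behavioral1 Network table (timestamps constructed).
    Flow(T0, "10.1.1.10", "8.8.8.8", 53, "udp", "api.ipify.org"),
    Flow(T0 + timedelta(seconds=1), "10.1.1.10", "52.20.78.240", 80, "tcp", "api.ipify.org"),
    Flow(T0 + timedelta(seconds=3), "10.1.1.10", "8.8.8.8", 53, "udp", "smtp.yandex.ru"),
    Flow(T0 + timedelta(seconds=4), "10.1.1.10", "77.88.21.158", 587, "tcp", "smtp.yandex.ru"),
    Flow(T0 + timedelta(seconds=6), "10.1.1.10", "104.110.191.15", 80, "tcp", "repository.certum.pl"),
    # Control 1: a workstation that checks its IP, then mails through the approved internal relay.
    Flow(T0 + timedelta(minutes=1), "10.1.1.20", "52.20.78.240", 80, "tcp", "api.ipify.org"),
    Flow(T0 + timedelta(minutes=1, seconds=5), "10.1.1.20", "10.0.0.25", 587, "tcp", "relay.corp.example"),
    # Control 2: external SMTP with no preceding IP echo (a mail client talking to its provider).
    Flow(T0 + timedelta(minutes=2), "10.1.1.30", "77.88.21.158", 587, "tcp", "smtp.yandex.ru"),
]

if __name__ == "__main__":
    for alert in detect_ip_echo_then_smtp(FLOWS):
        print(alert)
```

On the constructed flows only the sandbox host raises an alert; the relay-bound workstation and the bare mail-client connection do not. The port-80 fetch from repository.certum.pl in behavioral1 is deliberately left out of the rule: that host is a CA repository, and a fetch there during the STARTTLS handshake is what certificate-chain validation (AIA or CRL retrieval) looks like, so treating it as command-and-control would be a false positive. The report also makes clear that this run exfiltrates over SMTP only, so the rule fires on that channel only; the mail host and the echo service are operator choices and should be treated as session indicators, not as a permanent blocklist.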
Files
memory/1424-130-0x00000000004B0000-0x00000000005FE000-memory.dmp
memory/1424-131-0x0000000007470000-0x000000000750C000-memory.dmp
memory/1424-132-0x0000000007510000-0x00000000075A2000-memory.dmp
memory/1424-133-0x00000000080D0000-0x0000000008674000-memory.dmp
memory/3488-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD39C.tmp
| MD5 | f110adb6c4fe60af49f8edc13085aacc |
| SHA1 | a0d1351a0b1ab97a980f8a6cdbdfd92f3850e5f9 |
| SHA256 | 0d30157ea5bc759453567b6801bdabd62727e59421796aac20a6171e3ba5feb4 |
| SHA512 | 2848f0692ccd58d339d25e64f4bfb13ed6dd213f29a48e1283e86f5e0b66ae4ac699a4f999b5354fe7349a24caa7f360d5c1b13943ea35056fcbc24a406046cf |
memory/4372-136-0x0000000000000000-mapping.dmp
memory/4372-137-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-139-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-141-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-143-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-145-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-147-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-149-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-151-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-153-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-155-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-157-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-159-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-161-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-163-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-165-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-167-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-169-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-171-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-173-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-175-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-177-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-179-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-181-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-183-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-185-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-187-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-189-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-191-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-193-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-195-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-197-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-199-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4372-654-0x00000000058D0000-0x0000000005936000-memory.dmp
memory/4372-655-0x00000000070B0000-0x00000000070BA000-memory.dmp
memory/4372-656-0x00000000070D0000-0x0000000007120000-memory.dmp