Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-ckmz8shafm
Target cb7a462223f02ca4a41ce7f48a6bb8c7ee0d36798c12b1559bcdabe25d57141f
SHA256 cb7a462223f02ca4a41ce7f48a6bb8c7ee0d36798c12b1559bcdabe25d57141f
Tags
agenttesla keylogger spyware stealer trojan collection masslogger ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cb7a462223f02ca4a41ce7f48a6bb8c7ee0d36798c12b1559bcdabe25d57141f

Threat Level: Known bad

The file cb7a462223f02ca4a41ce7f48a6bb8c7ee0d36798c12b1559bcdabe25d57141f was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan collection masslogger ransomware

Note on the tags: the submission produced two executables that were detonated separately, HOUSE_PI.exe (detected as AgentTesla) and HOUSE_DO.exe (detected as MassLogger). Every signature below is stealer/keylogger behaviour: credential-store access, scheduled-task persistence, process hollowing and SMTP exfiltration. No run recorded file encryption, ransom notes or any other ransomware behaviour, so the ransomware tag is not supported by the evidence in this report and should not drive the response.

MassLogger Main Payload

AgentTesla

MassLogger log file

MassLogger

AgentTesla Payload

Reads data files stored by FTP clients

Checks computer location settings

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

outlook_win_path

outlook_office_path

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V6

The report's matrix section is empty. The mapping below is the editor's, derived from the signature hits recorded in the detonations that follow; it uses current ATT&CK technique IDs rather than the v6 IDs the sandbox would have emitted.

T1053.005 Scheduled Task: schtasks.exe /Create /TN "Updates\..." /XML <%TEMP%\tmpXXXX.tmp> (all four behavioral runs)
T1055.012 Process Hollowing: WriteProcessMemory into a second copy of the sample launched as "{path}", followed by SetThreadContext (behavioral3, behavioral4, behavioral2)
T1134 Access Token Manipulation: SeDebugPrivilege enabled (Suspicious use of AdjustPrivilegeToken)
T1057 Process Discovery: EnumeratesProcesses
T1082 System Information Discovery: Enumerates physical storage devices
T1614 System Location Discovery: Control Panel\International\Geo\Nation queried
T1016 System Network Configuration Discovery: external IP lookup via api.ipify.org
T1555.003 Credentials from Web Browsers; T1552.001 Credentials In Files (FTP client and local email client data files); T1552.002 Credentials in Registry (Outlook profile keys)
T1071.003 Mail Protocols: outbound SMTP submission to smtp.yandex.ru:587 from the payload stage

Analysis: static1

Detonation Overview

Reported

2022-05-21 02:08

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-05-21 02:08

Reported

2022-05-21 03:13

Platform

win7-20220414-en

Max time kernel

123s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla Payload

Description Indicator Process Target
N/A N/A N/A N/A (6 hits; the sandbox recorded no indicator detail for this rule)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1808 set thread context of 844 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe C:\Windows\SysWOW64\schtasks.exe (4 events)
PID 1808 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe (9 events)
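The WriteProcessMemory rows above only become meaningful when read together with the SetThreadContext row: CreateProcess itself writes parameters into every new child (hence the writes into schtasks.exe), whereas writing into a second copy of your own executable and then replacing its thread context is the hollowing hand-off. The following Python is an added example, not part of the sandbox report or of the sandbox's own rule set. It re-parses rows in the report's own row format and grades each parent/child pair; the sample rows are constructed from this report's PIDs and paths (row counts and order are assumptions), and two HOUSE_DO.exe rows modelled on behavioral1 are included to show the case where writes happen but no hand-off follows.

```python
import re
from collections import defaultdict

# Constructed sample rows in the shape of the "Suspicious use of
# WriteProcessMemory" / "SetThreadContext" tables in this report. PIDs and
# paths come from the report; row order and the row counts are assumptions.
SAMPLE_ROWS = r"""
PID 1808 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe C:\Windows\SysWOW64\schtasks.exe
PID 1808 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe C:\Windows\SysWOW64\schtasks.exe
PID 1808 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe
PID 1808 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe
PID 1808 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe
PID 1808 set thread context of 844 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe
PID 1836 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe
PID 1836 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe
"""

# Description / Indicator / Process / Target, space separated; paths here have no spaces.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<api>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

def parse_rows(text):
    """Yield (src_pid, api, dst_pid, src_image, dst_image) for each well-formed row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m["src"]), m["api"], int(m["dst"]), m["src_img"], m["dst_img"]

def correlate_injection(text):
    """Group cross-process memory events by (parent, child) and grade each pair.

    high   : parent wrote into a child running the parent's own image and then
             replaced the child's thread context -> process hollowing hand-off.
    medium : same-image child was written to but no SetThreadContext was seen
             (payload hand-off not observed, as in the win7 HOUSE_DO run).
    low    : writes into a child with a different image (schtasks.exe here);
             CreateProcess itself writes into a new child, so this alone is weak.
    """
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False})
    for src, api, dst, src_img, dst_img in parse_rows(text):
        rec = pairs[(src, dst)]
        rec["src_image"], rec["dst_image"] = src_img, dst_img
        if api == "wrote to memory of":
            rec["writes"] += 1
        else:
            rec["set_context"] = True

    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        same_image = rec["src_image"].lower() == rec["dst_image"].lower()
        if same_image and rec["set_context"] and rec["writes"]:
            grade = "high"
        elif same_image and rec["writes"]:
            grade = "medium"
        else:
            grade = "low"
        findings.append({"parent": src, "child": dst, "writes": rec["writes"],
                         "set_context": rec["set_context"],
                         "same_image": same_image, "grade": grade})
    return findings

if __name__ == "__main__":
    for finding in correlate_injection(SAMPLE_ROWS):
        print(finding)
```

On a live host the same correlation applies to EDR telemetry (a process-access event with write rights followed by a thread-context change on a child whose image equals the parent's), and the "medium" grade is the one to keep an eye on: a loader that relaunches itself repeatedly without a hand-off, as behavioral1 shows, usually means the payload stage failed on that build of Windows, not that the sample is benign.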

Processes

C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe

"C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YSyeaKfvcL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27BD.tmp"

C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe

"{path}"

"{path}" is the sandbox's placeholder for the process's own image path: the parent launches a second copy of its own executable and, per the WriteProcessMemory and SetThreadContext rows above, uses that copy (PID 844) as the injection target. Its 0x400000-0x44C000 region is the image range from which the unpacked AgentTesla stage is recoverable in the memory dumps below.
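The schtasks.exe line above is the loader's persistence step: a task under the Updates\ folder whose definition is supplied from a tmpXXXX.tmp file in %TEMP% rather than on the command line, so the trigger and action are invisible to command-line-only logging. The Python below is an added example, not the sandbox's logic. It parses schtasks command lines and scores them against this pattern, and also checks the System32-versus-SysWOW64 mismatch visible in the Processes list (the command line names System32\schtasks.exe but the process that ran is the SysWOW64 copy, which WoW64 file-system redirection produces when the parent is 32-bit code). The two malicious samples are the lines from this report paired with the image path the report records; the /Query control line is constructed as a benign comparison.

```python
import re

def parse_schtasks(cmdline):
    """Split a schtasks.exe command line into (exe, {SWITCH: value}).

    Quoting is the simple Windows form: a switch value is the next
    double-quoted string or the next bare token; a switch followed directly
    by another switch (or by nothing) is a flag and maps to True.
    """
    tokens = [q if q else b for q, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    exe, args = tokens[0], tokens[1:]
    switches, i = {}, 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("/"):
            name = tok[1:].upper()
            if i + 1 < len(args) and not args[i + 1].startswith("/"):
                switches[name] = args[i + 1]
                i += 2
            else:
                switches[name] = True
                i += 1
        else:
            i += 1            # stray positional token; none matter for this check
    return exe, switches

# GetTempFileName() yields tmpXXXX.tmp with four hex digits, matching the
# tmp27BD.tmp / tmpDDDD.tmp / tmpED2D.tmp / tmp51C5.tmp names in this report.
TEMP_XML_RE = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp$", re.I)

def assess_schtasks(cmdline, image_path):
    """Return the reasons a schtasks invocation matches the loader pattern in
    this report. An empty list means the line did not match."""
    exe, sw = parse_schtasks(cmdline)
    reasons = []
    if sw.get("CREATE") is not True:
        return reasons                         # only task creation is of interest
    tn, xml = sw.get("TN", ""), sw.get("XML", "")
    if isinstance(tn, str) and tn.lower().startswith("updates\\"):
        reasons.append("task registered under the Updates\\ folder")
    if isinstance(xml, str) and TEMP_XML_RE.search(xml):
        reasons.append("task definition read from a throwaway tmpXXXX.tmp in %TEMP%")
    # A 32-bit parent that asks for System32\schtasks.exe gets the SysWOW64 copy
    # through WoW64 file-system redirection; the mismatch identifies a 32-bit parent.
    if "\\system32\\" in exe.lower() and "\\syswow64\\" in image_path.lower():
        reasons.append("System32 requested, SysWOW64 image ran (32-bit parent under WoW64)")
    return reasons

# Constructed inputs: the first two are the schtasks lines from this report with
# the image path the report records for them; the third is a benign control.
SAMPLES = [
    (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YSyeaKfvcL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27BD.tmp"',
     r"C:\Windows\SysWOW64\schtasks.exe"),
    (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hUwUwo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED2D.tmp"',
     r"C:\Windows\SysWOW64\schtasks.exe"),
    (r'"C:\Windows\System32\schtasks.exe" /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',
     r"C:\Windows\System32\schtasks.exe"),
]

if __name__ == "__main__":
    for cmd, img in SAMPLES:
        print(assess_schtasks(cmd, img) or ["clean"])
```

Because the task body lives in the XML file, the file hashes listed under Files for each tmp*.tmp are the artefacts to pull from the sandbox (or from the Task Scheduler store at C:\Windows\System32\Tasks\Updates\ on a live host) to learn the trigger and the path the task launches; the command line alone does not tell you.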

Network

N/A

No outbound traffic was captured in this run's 47 s network window even though the AgentTesla payload stage was identified in memory; behavioral4 (win10) records the SMTP destination this payload uses.

Files

memory/1808-54-0x0000000001120000-0x0000000001206000-memory.dmp

memory/1808-55-0x0000000000540000-0x000000000054A000-memory.dmp

memory/1808-56-0x0000000000FA0000-0x0000000000FF4000-memory.dmp

memory/1808-57-0x0000000075451000-0x0000000075453000-memory.dmp

memory/1772-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp27BD.tmp

MD5 faff45790f7332f4a4448646327c9298
SHA1 70541a12ee91dcd6cb075266878a0238a26b60c7
SHA256 4d7702be18ec893168148321222f6798022809c0ae1f2d5286279458ab36dc0a
SHA512 76961792d8e20b60cd564dfabf7be7687301456a2961fa6fa49f9fe6b4db2b0f5fc1bc8ecb5f41ee8471e52ce94bac2575d9457dc82ef3a46cfe54cd0110009d

memory/844-60-0x0000000000400000-0x000000000044C000-memory.dmp

memory/844-61-0x0000000000400000-0x000000000044C000-memory.dmp

memory/844-63-0x0000000000400000-0x000000000044C000-memory.dmp

memory/844-64-0x0000000000400000-0x000000000044C000-memory.dmp

memory/844-65-0x0000000000400000-0x000000000044C000-memory.dmp

memory/844-66-0x00000000004468DE-mapping.dmp

memory/844-68-0x0000000000400000-0x000000000044C000-memory.dmp

memory/844-70-0x0000000000400000-0x000000000044C000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-05-21 02:08

Reported

2022-05-21 03:14

Platform

win10v2004-20220414-en

Max time kernel

145s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3620 set thread context of 4536 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A
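The two rule names above, outlook_office_path and outlook_win_path, match the registry locations where Outlook keeps account profiles: under Software\Microsoft\Office\15.0 and 16.0, and under the legacy Windows Messaging Subsystem path. 9375CFF0413111d3B88A00104B2A6676 is the MAPI profile subkey that holds per-account settings, which is why a stealer walks all three locations for it. The Python below is an added example, not the sandbox's rules. It normalises the kernel-form \REGISTRY\USER\<SID>\ paths the sandbox logs into HKU form, maps each row to the rule and Office version it touches, and counts operations per rule. The rows are constructed from this report (three from behavioral4, two from behavioral2, and one Geo\Nation row as a negative).

```python
import re

# MAPI profile subkey under which Outlook stores per-account settings; the
# sample probes it at the Office 15.0, Office 16.0 and legacy Windows
# Messaging Subsystem locations, exactly the paths the report rows show.
OUTLOOK_PROFILE_KEY = "9375CFF0413111d3B88A00104B2A6676"
_PROFILE = re.escape(OUTLOOK_PROFILE_KEY)

OFFICE_RE = re.compile(
    r"^HKU\\[^\\]+\\software\\microsoft\\office\\(\d+\.\d+)\\outlook\\profiles\\outlook"
    r"(?:\\" + _PROFILE + r")?$", re.I)
WINMSG_RE = re.compile(
    r"^HKU\\[^\\]+\\software\\microsoft\\windows nt\\currentversion\\"
    r"windows messaging subsystem\\profiles\\outlook(?:\\" + _PROFILE + r")?$", re.I)
RULES = [("outlook_office_path", OFFICE_RE), ("outlook_win_path", WINMSG_RE)]

SID_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\", re.I)
# Report rows: "Key <op> <kernel key path, may contain spaces> <process> N/A"
ROW_RE = re.compile(
    r"^Key (?P<op>opened|created|queried|value queried) (?P<key>\\REGISTRY\\.+?) "
    r"(?P<proc>[A-Za-z]:\\\S+)(?: N/A)?$")

# Constructed from the registry rows in this report (behavioral4, behavioral2).
SAMPLE_ROWS = r"""
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe N/A
"""

def normalize_key(path):
    r"""Kernel form \REGISTRY\USER\<SID>\... (as the sandbox logs it) -> HKU\<SID>\..."""
    m = SID_RE.match(path)
    return "HKU\\" + m.group(1) + "\\" + path[m.end():] if m else path

def classify_registry_rows(text):
    """Map each row to the credential location it touches.
    Returns a list of (rule, office_version_or_None, op, process)."""
    hits = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = normalize_key(m["key"])
        for rule, pat in RULES:
            km = pat.match(key)
            if km:
                version = km.group(1) if pat.groups else None
                hits.append((rule, version, m["op"], m["proc"]))
                break
    return hits

def summarize(hits):
    """Per rule: the Office versions probed and a count of each registry operation."""
    summary = {}
    for rule, version, op, _proc in hits:
        s = summary.setdefault(rule, {"versions": set(), "ops": {}})
        if version:
            s["versions"].add(version)
        s["ops"][op] = s["ops"].get(op, 0) + 1
    return summary

if __name__ == "__main__":
    print(summarize(classify_registry_rows(SAMPLE_ROWS)))
```

A "created" operation on these keys inside a detonation, as behavioral2 shows, is what RegCreateKeyEx does when the key is absent (the sandbox image has no Outlook profile); it is not evidence that the sample writes configuration there. On a real host the same access pattern against existing keys is the credential read, and a user-mode process other than Outlook itself or Office setup opening the 9375CFF0413111d3B88A00104B2A6676 subkey is a high-precision hunt.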

Processes

C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe

"C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YSyeaKfvcL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDDDD.tmp"

C:\Users\Admin\AppData\Local\Temp\HOUSE_PI.exe

"{path}"

Network

Country Destination Domain Proto
NL 20.190.160.132:443 tcp
NL 20.190.160.4:443 tcp
US 93.184.221.240:80 tcp
IE 20.50.80.210:443 tcp
NL 20.190.160.8:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
NL 20.190.160.134:443 tcp
NL 20.190.160.2:443 tcp
NL 20.190.160.6:443 tcp
US 8.8.8.8:53 smtp.yandex.ru udp
RU 77.88.21.158:587 smtp.yandex.ru tcp
NL 20.190.160.129:443 tcp

Rows without a Domain value were not tied to a name the sample resolved; treat them as unattributed background traffic of the win10 image. The sample's own destinations in this run are the 8.8.8.8:53 lookup of smtp.yandex.ru and the following connection to 77.88.21.158:587, SMTP submission to a public mail provider, which is the AgentTesla exfiltration channel.

Files

memory/3620-130-0x0000000000750000-0x0000000000836000-memory.dmp

memory/3620-131-0x0000000007570000-0x000000000760C000-memory.dmp

memory/3620-132-0x0000000007610000-0x00000000076A2000-memory.dmp

memory/3620-133-0x00000000081A0000-0x0000000008744000-memory.dmp

memory/4356-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDDDD.tmp

MD5 bab8595d9ee106c4e3b662db25a812bb
SHA1 b1fb078abff92d0af135bd8a5723dabdcf27c99a
SHA256 e2794ba020a028cedbee67fb2b5d88f4b73e395d952059c6c58b2945756fe9f1
SHA512 ae5ff440ec99375f5e4be9b7e690ea7c5e673f2e9a20efeb594bb8fd0e8a4163e1291509c66a004e0f22ac79e34b1102b11c24c0ee4109aeb5875ba791b3e5bb

memory/4536-136-0x0000000000000000-mapping.dmp

memory/4536-137-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HOUSE_PI.exe.log

MD5 ab4c71d3ff6255edd4e5c1e09540f49e
SHA1 22e06bf4e258741b5df918061871cba998c50cea
SHA256 1690fec628f775dd3c3385b800eed126b37978ef2ffd592b024052724caafb5a
SHA512 8fa7d0045796e6cda7c28e2b9a690ef550619828c1b5d0ebf8e8367aff4bf4d9f63121e5b4f199d30cb8006eb584c6767f4c59150749b8256dab9dd0ebd9f1af

memory/4536-139-0x00000000063F0000-0x0000000006456000-memory.dmp

memory/4536-140-0x00000000067E0000-0x0000000006830000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 02:08

Reported

2022-05-21 03:12

Platform

win7-20220414-en

Max time kernel

71s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe"

Signatures

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe C:\Windows\SysWOW64\schtasks.exe (4 events)
PID 1836 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe (4 events)
PID 1836 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe (4 events)
PID 1836 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe (4 events)
PID 1836 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe (4 events)
PID 1836 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe (4 events)

Processes

C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe

"C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hUwUwo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED2D.tmp"

C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe

"{path}"

Network

N/A

No MassLogger payload, SetThreadContext or network activity was recorded in this win7 run: the parent wrote into five successive copies of itself, each launched as "{path}", without a thread-context hand-off, so the payload stage does not appear to have run here. Use behavioral2 (win10) as the authoritative run for HOUSE_DO.exe.

Files

memory/1836-54-0x0000000000320000-0x000000000046E000-memory.dmp

memory/1836-55-0x00000000002E0000-0x00000000002EA000-memory.dmp

memory/1836-56-0x00000000005D0000-0x000000000068A000-memory.dmp

memory/628-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpED2D.tmp

MD5 fcf441b967ceb41a8ae5c967c0a33e26
SHA1 f62f4b8f35f0c184b68cf235a71e85b110cff380
SHA256 bf1fbe607b513a63eeb18990f828411f555594b5b88480320419acd9aa0779bb
SHA512 e1dbd992d59c9272f62c02500de6b8824e2dc968f5aca65260bf7effc0e8364e8b45605c0a29c52ad37a674523a924dc21a3bd19016eb3a6b6c6139a0901919e

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 02:08

Reported

2022-05-21 03:12

Platform

win10v2004-20220414-en

Max time kernel

153s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A (32 hits; the sandbox recorded no indicator detail for this rule)

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5044 set thread context of 3416 N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe

"C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hUwUwo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp51C5.tmp"

C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe

"{path}"

Network

Country Destination Domain Proto
US 20.189.173.2:443 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.yandex.ru udp
RU 77.88.21.158:587 smtp.yandex.ru tcp
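Both Network tables in this report (behavioral4 for HOUSE_PI.exe and behavioral2 here for HOUSE_DO.exe) mix the sample's traffic with connections the win10 image makes on its own; only the rows carrying a Domain value were tied to a name the sample resolved. The Python below is an added example, not output of the sandbox. It parses rows in the report's table format (the sample table is constructed from rows of the two tables), separates attributable from unattributed rows, flags mail submission and external-IP lookup, and derives the egress indicators. The external-IP service names beyond api.ipify.org are assumptions added for generality.

```python
import re

# Constructed from the two Network tables in this report (behavioral4 and
# behavioral2). Rows without a Domain column have only three fields.
SAMPLE_TABLE = """\
Country Destination Domain Proto
NL 20.190.160.132:443 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 smtp.yandex.ru udp
RU 77.88.21.158:587 smtp.yandex.ru tcp
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp
NL 104.110.191.133:80 tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")

# Mail transport/submission ports: a stealer posting to a public provider's
# SMTP server is the common AgentTesla/MassLogger exfiltration path.
MAIL_PORTS = {25, 465, 587}
# "What is my IP" services; api.ipify.org is the one in this report, the
# other two are assumptions added to make the check general.
EXTERNAL_IP_SERVICES = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}

def parse_table(text):
    """Parse the report's Country/Destination/Domain/Proto rows; domain is None when absent."""
    rows = []
    for line in text.splitlines()[1:]:        # skip the header line
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows

def triage(text):
    """Split rows into attributable (sandbox tied them to a name the sample
    resolved) and unattributed background traffic, and flag what matters."""
    rows = parse_table(text)
    attributed = [r for r in rows if r["domain"]]
    unattributed = [r for r in rows if not r["domain"]]
    flags = []
    for r in attributed:
        if r["proto"] == "tcp" and r["port"] in MAIL_PORTS:
            flags.append(f"mail-submission:{r['domain']}:{r['port']}")
        if r["proto"] == "tcp" and r["domain"] in EXTERNAL_IP_SERVICES:
            flags.append(f"external-ip-lookup:{r['domain']}")
    return {
        "attributed": attributed,
        "unattributed": unattributed,
        "flags": flags,
        # TCP endpoints the sample actually connected to, in ip:port form
        "egress_blocklist": sorted({f"{r['ip']}:{r['port']}" for r in attributed if r["proto"] == "tcp"}),
        # names the sample resolved (the 8.8.8.8:53 rows)
        "dns_lookups": sorted({r["domain"] for r in attributed if r["port"] == 53}),
    }

if __name__ == "__main__":
    result = triage(SAMPLE_TABLE)
    print(result["flags"], result["egress_blocklist"], result["dns_lookups"])
```

The 77.88.21.158:587 indicator is a shared mail provider's submission endpoint, so as an IOC it is weak and short-lived; what matters for response is that credentials from browsers, FTP clients and mail profiles on the affected host have been sent to an attacker-controlled mailbox and need rotating, and that outbound SMTP from processes that are not mail clients should be blocked or alerted on.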

Files

memory/5044-130-0x0000000000420000-0x000000000056E000-memory.dmp

memory/5044-131-0x0000000007390000-0x000000000742C000-memory.dmp

memory/5044-132-0x00000000074E0000-0x0000000007572000-memory.dmp

memory/5044-133-0x0000000008050000-0x00000000085F4000-memory.dmp

memory/224-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp51C5.tmp

MD5 f110adb6c4fe60af49f8edc13085aacc
SHA1 a0d1351a0b1ab97a980f8a6cdbdfd92f3850e5f9
SHA256 0d30157ea5bc759453567b6801bdabd62727e59421796aac20a6171e3ba5feb4
SHA512 2848f0692ccd58d339d25e64f4bfb13ed6dd213f29a48e1283e86f5e0b66ae4ac699a4f999b5354fe7349a24caa7f360d5c1b13943ea35056fcbc24a406046cf

memory/3416-136-0x0000000000000000-mapping.dmp

memory/3416-{137,139,141,...,199}-0x0000000000400000-0x00000000004B2000-memory.dmp (32 dumps of the same image region of the hollowed child, one per odd index from 137 to 199)

memory/3416-654-0x00000000057C0000-0x0000000005826000-memory.dmp

memory/3416-655-0x0000000006AB0000-0x0000000006ABA000-memory.dmp

memory/3416-656-0x0000000006F00000-0x0000000006F50000-memory.dmp