Malware Analysis Report

2024-10-23 21:32

Sample ID: 220521-ckx57shagl
Target: ca175c94eb00b4846925e068678e41edc91faf50950303699635ee3f0546683b
SHA256: ca175c94eb00b4846925e068678e41edc91faf50950303699635ee3f0546683b
Tags: masslogger collection coreentity rezer0 spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: ca175c94eb00b4846925e068678e41edc91faf50950303699635ee3f0546683b

Threat Level: Known bad

The file ca175c94eb00b4846925e068678e41edc91faf50950303699635ee3f0546683b was found to be: Known bad.

Malicious Activity Summary

masslogger collection coreentity rezer0 spyware stealer

MassLogger log file

MassLogger Main Payload

MassLogger

CoreEntity .NET Packer

ReZer0 packer

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Analysis: static1

Detonation Overview

Reported

2022-05-21 02:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 02:08

Reported

2022-05-21 03:14

Platform

win7-20220414-en

Max time kernel

104s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rfq Img docs892712.exe"

Signatures

CoreEntity .NET Packer

coreentity
Description Indicator Process Target
N/A N/A N/A N/A

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1272 set thread context of 852 N/A C:\Users\Admin\AppData\Local\Temp\rfq Img docs892712.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\rfq Img docs892712.exe C:\Windows\SysWOW64\schtasks.exe
PID 1272 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\rfq Img docs892712.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\rfq Img docs892712.exe

"C:\Users\Admin\AppData\Local\Temp\rfq Img docs892712.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\okFpWBEWz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD24.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.akonuchenwam.org udp

Files

memory/1272-54-0x0000000001180000-0x0000000001276000-memory.dmp
memory/1272-55-0x0000000076171000-0x0000000076173000-memory.dmp
memory/1272-56-0x00000000004F0000-0x00000000004F8000-memory.dmp
memory/1272-57-0x00000000053E0000-0x000000000548E000-memory.dmp
memory/1692-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFD24.tmp

MD5 f0c366c613ac8bfda0d71393f871a3f5
SHA1 007fefb0852033971f88265a4b38b9517dd32a45
SHA256 158d352b52b06edc454d1f77299a88ac13a46e72f9b1bd252a50c45bd985139b
SHA512 6f06adf0ef7c2d08fb3385cda3554aa32a214e3c8da0da1c5e926b3a68c6faa4679c45dbab03baec4269834251c325b0b5efba61afa05c634f03565ac795037a

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 02:08

Reported

2022-05-21 03:14

Platform

win10v2004-20220414-en

Max time kernel

141s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rfq Img docs892712.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\rfq Img docs892712.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1636 set thread context of 5028 N/A C:\Users\Admin\AppData\Local\Temp\rfq Img docs892712.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\rfq Img docs892712.exe C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\rfq Img docs892712.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\rfq Img docs892712.exe

"C:\Users\Admin\AppData\Local\Temp\rfq Img docs892712.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\okFpWBEWz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE3DD.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

Network

Country Destination Domain Proto
NL 104.97.14.81:80 tcp
IE 20.54.110.249:443 tcp
US 52.168.117.170:443 tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
US 8.8.8.8:53 store-images.s-microsoft.com udp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
US 8.8.8.8:53 tsfe.trafficshaping.dsp.mp.microsoft.com udp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 dl.delivery.mp.microsoft.com udp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 2.tlu.dl.delivery.mp.microsoft.com udp
FR 2.22.147.73:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.27:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 smtp.akonuchenwam.org udp
US 204.79.197.203:80 tcp
US 209.197.3.8:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.17:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.21.200:443 tcp

Files

memory/1636-130-0x0000000000790000-0x0000000000886000-memory.dmp
memory/1636-131-0x0000000005840000-0x0000000005DE4000-memory.dmp
memory/1636-132-0x0000000005290000-0x0000000005322000-memory.dmp
memory/1636-133-0x0000000005220000-0x000000000522A000-memory.dmp
memory/1636-134-0x0000000008D40000-0x0000000008DDC000-memory.dmp
memory/4532-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE3DD.tmp

MD5 19fb46feaddac99c6ca1935251cd01ba
SHA1 4fbf21c85cf667946c9dbb5c66e5747947061044
SHA256 8dd8a44f49cc280a1f3e4e3fecd5c570b5a19713c3f5d18becb2806273da796d
SHA512 43d0495555d33bf71d00becd91d02b39a3e380446b55669ed6145e9cb4b42d4379d60365de62f9374390c37c3e7f5f3925aea96c41050005249b45f0559b106f
