Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-clkaqshban
Target c74b4236eb38d0bf5d1fe43ab575879f4cf81d498250ecfcb1926bb519f77d18
SHA256 c74b4236eb38d0bf5d1fe43ab575879f4cf81d498250ecfcb1926bb519f77d18
Tags
masslogger collection ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c74b4236eb38d0bf5d1fe43ab575879f4cf81d498250ecfcb1926bb519f77d18

Threat Level: Known bad

The file c74b4236eb38d0bf5d1fe43ab575879f4cf81d498250ecfcb1926bb519f77d18 was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware spyware stealer

MassLogger

MassLogger log file

MassLogger Main Payload

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 02:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 02:09

Reported

2022-05-21 03:14

Platform

win7-20220414-en

Max time kernel

115s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1240 set thread context of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1240 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1240 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1240 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1240 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1240 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 1240 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 1240 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 1240 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 1240 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 1240 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 1240 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 1240 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 1240 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fRHcKmAof" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A63.tmp"

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 52.20.78.240:80 | api.ipify.org | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp3A63.tmp

MD5 174a6e7c45770e4e020e01b34147ce0a
SHA1 93df9d70655e715b7d497075d6bee44d7b5cb153
SHA256 198d53a1a99ddf097cb967ef139fe2efbd88255ef3b6d36a372e130a3124d9a4
SHA512 a3c84bf8da7e8547bc85b7efc46a9654a82f7196690d0a56675689fe22da20b66a86f44a61242dc0ab54e6d07de20ac64cf091bb85b335bb1253c1603af89e7a

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 02:09

Reported

2022-05-21 03:15

Platform

win10v2004-20220414-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4116 set thread context of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4116 wrote to memory of 364 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4116 wrote to memory of 364 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4116 wrote to memory of 364 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4116 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 4116 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 4116 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 4116 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 4116 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 4116 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 4116 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 4116 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 4116 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 4116 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
PID 4116 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fRHcKmAof" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp"

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | | tcp
US | 93.184.220.29:80 | | tcp
IE | 20.54.89.106:443 | | tcp
NL | 52.178.17.2:443 | | tcp
NL | 104.110.191.140:80 | | tcp
NL | 104.110.191.140:80 | | tcp
NL | 104.110.191.140:80 | | tcp
NL | 104.110.191.133:80 | | tcp
US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 54.91.59.199:80 | api.ipify.org | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp

MD5 f5533fda8385e4e1773500306a02f505
SHA1 ee8e46e91e47d599902f8c5ed5a24421d202a406
SHA256 5b5122aacfa6809a65fe553de715cbbd34d13b6f172102b281dceba746d23e03
SHA512 80f15bf4350e1a197c0f3d8a97c769c20275e5286c238fa404dddef226de8e58a74163254ec82fe23027b0f19a911bd6339eedb408f831664dc843900a6e2143
