Analysis Overview
SHA256
10a4ba420a16ca28bd4a7b50d7f947d4705bba87031009a45e8ace94e7dee855
Threat Level: Known bad
The file 10a4ba420a16ca28bd4a7b50d7f947d4705bba87031009a45e8ace94e7dee855 was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
MassLogger log file
ReZer0 packer
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 03:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 03:28
Reported
2022-05-21 05:10
Platform
win7-20220414-en
Max time kernel
145s
Max time network
164s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ReZer0 packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2040 set thread context of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
"C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZyngPFdO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8518.tmp"
C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.ru | udp |
| RU | 77.88.21.158:587 | smtp.yandex.ru | tcp |
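The process tree, the SetThreadContext signature and the network table above describe one chain: the dropper spawns `schtasks.exe` with a task definition written to the user's Temp directory, starts a second copy of itself and rewrites that child's thread context, then resolves its public IP via api.ipify.org before connecting to an SMTP submission port. The following Python is an added example, not part of the sandbox report, that turns those three observations into correlation rules and runs them over event records constructed from the values on this page. The schtasks PID (1784) and the parent/child links are assumptions inferred from the dump ordering and the "PID 2040 set thread context of 1120" signature; the report does not state them as fields, and the field names are my own.

```python
"""Correlate the process / thread-context / network records of this report.

Added example, not the sandbox's own code. Event records are constructed
from values on this page; PID 1784 for schtasks and the ppid links are
assumptions (see lead-in), not fields the report states.
"""
import re
from typing import Dict, List

Event = Dict[str, object]

PROCESS_EVENTS: List[Event] = [
    {"pid": 2040, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"'},
    {"pid": 1784, "ppid": 2040,  # PID and parent assumed, see lead-in
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZyngPFdO" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp8518.tmp"'},
    {"pid": 1120, "ppid": 2040,  # parent assumed from the SetThreadContext signature
     "image": r"C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe",
     "cmdline": "{path}"},
]
# "PID 2040 set thread context of 1120" from the SetThreadContext signature.
CONTEXT_EVENTS: List[Event] = [{"src_pid": 2040, "dst_pid": 1120}]
# Copied from the behavioral1 Network table, in order.
NETWORK_EVENTS: List[Event] = [
    {"proto": "udp", "dst": "8.8.8.8:53", "domain": "api.ipify.org"},
    {"proto": "tcp", "dst": "3.232.242.170:80", "domain": "api.ipify.org"},
    {"proto": "udp", "dst": "8.8.8.8:53", "domain": "smtp.yandex.ru"},
    {"proto": "tcp", "dst": "77.88.21.158:587", "domain": "smtp.yandex.ru"},
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
XML_ARG_RE = re.compile(r'/XML\s+"?([^"\s]+)"?', re.IGNORECASE)
IP_LOOKUP_DOMAINS = {"api.ipify.org"}
MAIL_PORTS = {25, 465, 587}


def find_self_hollowing(procs, ctx_events):
    """A parent rewrites the thread context of a child running the same image."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for ev in ctx_events:
        src, dst = by_pid.get(ev["src_pid"]), by_pid.get(ev["dst_pid"])
        if not src or not dst:
            continue
        if dst["ppid"] == src["pid"] and src["image"].lower() == dst["image"].lower():
            hits.append({"rule": "self_hollowing", "pid": dst["pid"],
                         "detail": f"{src['pid']} -> {dst['pid']} {dst['image']}"})
    return hits


def find_schtasks_xml_from_temp(procs):
    """schtasks /Create whose task definition XML lives under the user's Temp dir."""
    hits = []
    for p in procs:
        if not p["image"].lower().endswith("\\schtasks.exe"):
            continue
        cmd = p["cmdline"]
        if "/create" not in cmd.lower():
            continue
        m = XML_ARG_RE.search(cmd)
        if m and TEMP_DIR_RE.search(m.group(1)):
            hits.append({"rule": "schtasks_xml_from_temp", "pid": p["pid"],
                         "detail": m.group(1)})
    return hits


def find_ip_lookup_then_mail(net_events):
    """External-IP lookup service followed by TCP to a mail submission port."""
    hits, saw_lookup = [], False
    for ev in net_events:
        if ev["domain"] in IP_LOOKUP_DOMAINS:
            saw_lookup = True
        port = int(ev["dst"].rsplit(":", 1)[1])
        if saw_lookup and ev["proto"] == "tcp" and port in MAIL_PORTS:
            hits.append({"rule": "ip_lookup_then_mail", "pid": None,
                         "detail": f"{ev['domain']} {ev['dst']}"})
    return hits


def analyze(procs, ctx_events, net_events):
    """Run all three rules and return the alerts in rule order."""
    return (find_self_hollowing(procs, ctx_events)
            + find_schtasks_xml_from_temp(procs)
            + find_ip_lookup_then_mail(net_events))


if __name__ == "__main__":
    for alert in analyze(PROCESS_EVENTS, CONTEXT_EVENTS, NETWORK_EVENTS):
        print(alert["rule"], alert["pid"], alert["detail"])
```

Each rule is deliberately generic: it keys on the shape of the chain (same-image child whose context is rewritten, task XML staged in Temp, public-IP lookup followed by mail submission) rather than on the task name, temp file name or mail server, all of which vary between the three detonations on this page.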
Files
memory/2040-54-0x0000000000980000-0x0000000000A80000-memory.dmp
memory/2040-55-0x0000000005C50000-0x0000000005D2C000-memory.dmp
memory/2040-56-0x0000000000640000-0x0000000000654000-memory.dmp
memory/2040-57-0x0000000005F10000-0x0000000005FC8000-memory.dmp
memory/1784-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8518.tmp
| MD5 | 632983e1c563da4f8529159afcf45fd0 |
| SHA1 | cf4d787bfe93edf2f1f0f770104e7f3e2721c110 |
| SHA256 | bd6b913378dd8232e8f8c3c5a3b949bf63410993039f5c0e51e80331b4a427cd |
| SHA512 | 80c0bf2593e4a3acff9715d117bd8e050e8a9bc6dfcaaa0f07b7a79c6d960a593babd99197d260cf37687ac546d37538944dfad2ec66c72f661f00f6bf2768e3 |
memory/1120-60-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-61-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-63-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-64-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-66-0x00000000004ACD7E-mapping.dmp
memory/1120-65-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-68-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-70-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-72-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-74-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-76-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-78-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-80-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-82-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-84-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-86-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-90-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-88-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-92-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-94-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-96-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-98-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-100-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-102-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-104-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-110-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-108-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-112-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-106-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-114-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-116-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-118-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-120-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-122-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-124-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-587-0x00000000007D0000-0x0000000000814000-memory.dmp
memory/1120-589-0x0000000005005000-0x0000000005016000-memory.dmp
memory/1120-590-0x00000000021D0000-0x00000000021E4000-memory.dmp
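The dump listing above has a recognisable shape: the parent (PID 2040) is dumped in a handful of distinct regions, while the child whose context was rewritten (PID 1120) is dumped again and again at the same 0x400000-0x4B2000 range, and its single `-mapping.dmp` entry carries one address (0x4ACD7E) that falls inside that range. The Python below is an added example, not part of the report, that parses such a listing and, for each PID, pairs the mapping address with the region containing it; reading that pairing as the injected image base plus the entry offset set via SetThreadContext is my inference, which the report's signatures support but do not state. The listing is a constructed subset of the behavioral1 entries copied from this page.

```python
"""Summarise a sandbox memory-dump listing per PID.

Added example, not the sandbox's own code. LISTING is a subset of the
behavioral1 "Files" entries on this page; interpreting the region that
contains the mapping address as the injected image is an inference.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LISTING: List[str] = """
memory/2040-54-0x0000000000980000-0x0000000000A80000-memory.dmp
memory/2040-55-0x0000000005C50000-0x0000000005D2C000-memory.dmp
memory/1784-58-0x0000000000000000-mapping.dmp
memory/1120-60-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-61-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-66-0x00000000004ACD7E-mapping.dmp
memory/1120-124-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1120-587-0x00000000007D0000-0x0000000000814000-memory.dmp
""".strip().splitlines()

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_listing(lines: List[str]):
    """Return (regions, mappings): pid -> {(start, end): dump_count}, pid -> address."""
    regions: Dict[int, Dict[Tuple[int, int], int]] = defaultdict(dict)
    mappings: Dict[int, int] = {}
    for raw in lines:
        line = raw.strip()
        m = REGION_RE.match(line)
        if m:
            pid = int(m.group(1))
            key = (int(m.group(3), 16), int(m.group(4), 16))
            regions[pid][key] = regions[pid].get(key, 0) + 1
            continue
        m = MAPPING_RE.match(line)
        if m:
            mappings[int(m.group(1))] = int(m.group(3), 16)
    return regions, mappings


def summarize(lines: List[str]) -> Dict[int, dict]:
    """Per PID: mapping address, number of distinct regions, and the region
    containing the mapping address (base, size, entry offset, dump count)."""
    regions, mappings = parse_listing(lines)
    out: Dict[int, dict] = {}
    for pid in sorted(set(regions) | set(mappings)):
        addr: Optional[int] = mappings.get(pid)
        entry_region = None
        for (start, end), count in regions.get(pid, {}).items():
            if addr is not None and start <= addr < end:
                entry_region = {"base": start, "size": end - start,
                                "entry_offset": addr - start, "dumps": count}
        out[pid] = {"mapping": addr, "regions": len(regions.get(pid, {})),
                    "entry_region": entry_region}
    return out


if __name__ == "__main__":
    for pid, info in summarize(LISTING).items():
        print(pid, info)
```

Run against the behavioral3 listing the same code gives base 0x400000, size 0xB2000 and entry offset 0xAC9AE for PID 1980 (its mapping entry is 0x4AC9AE), so the two Windows 7 detonations drop an image of identical size into the child and differ only in the entry address, which is what you would expect from two builds of the same payload.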
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 03:28
Reported
2022-05-21 05:11
Platform
win10v2004-20220414-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2408 set thread context of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
"C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZyngPFdO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp"
C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\RK__PO_2.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 20.189.173.1:443 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.18.25.243:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.220.57.224:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.ru | udp |
| RU | 77.88.21.158:587 | smtp.yandex.ru | tcp |
Files
memory/2408-130-0x00000000006B0000-0x00000000007B0000-memory.dmp
memory/2408-131-0x000000000AE50000-0x000000000B3F4000-memory.dmp
memory/2408-132-0x000000000AA40000-0x000000000AAD2000-memory.dmp
memory/2408-133-0x000000000A9C0000-0x000000000A9CA000-memory.dmp
memory/2408-134-0x000000000E190000-0x000000000E22C000-memory.dmp
memory/4012-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp
| MD5 | 1175547db226a3ea782db17c1e2a651d |
| SHA1 | a27659e0affe6609e8b2e9fe8e4ff5852295284e |
| SHA256 | c093ea4ed31764d241444855db605d9885a63b14022838d3b7e9b018934c84ed |
| SHA512 | 6bee2eabbd33dd497ef75c99ec94eba3992bc58b02961442b3e8672200ae945f6d116cb0e9b0ae8478a9fabd387b59b79b8c4bd7b599dd62d1101e1ea251c7bf |
memory/3708-137-0x0000000000000000-mapping.dmp
memory/4948-138-0x0000000000000000-mapping.dmp
memory/2032-139-0x0000000000000000-mapping.dmp
memory/2032-140-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RK__PO_2.exe.log
| MD5 | 400f1cc1a0a0ce1cdabda365ab3368ce |
| SHA1 | 1ecf683f14271d84f3b6063493dce00ff5f42075 |
| SHA256 | c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765 |
| SHA512 | 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45 |
memory/2032-143-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-145-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-147-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-149-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-151-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-153-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-155-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-157-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-159-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-161-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-163-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-165-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-167-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-169-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-171-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-173-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-175-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-177-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-179-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-181-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-183-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-185-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-187-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-189-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-191-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-193-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-195-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-197-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-199-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-201-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-203-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2032-658-0x00000000052E0000-0x0000000005346000-memory.dmp
memory/2032-659-0x0000000006870000-0x00000000068C0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2022-05-21 03:28
Reported
2022-05-21 05:10
Platform
win7-20220414-en
Max time kernel
122s
Max time network
141s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ReZer0 packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1348 set thread context of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
"C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hffwylP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp587D.tmp"
C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.ru | udp |
| RU | 77.88.21.158:587 | smtp.yandex.ru | tcp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| NL | 104.110.191.14:80 | repository.certum.pl | tcp |
Files
memory/1348-54-0x0000000001010000-0x000000000110E000-memory.dmp
memory/1348-55-0x0000000007F90000-0x000000000806C000-memory.dmp
memory/1348-56-0x0000000000450000-0x0000000000464000-memory.dmp
memory/1348-57-0x0000000005D40000-0x0000000005DF8000-memory.dmp
memory/1632-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp587D.tmp
| MD5 | 65197dfa78bbca84590ea14307adef72 |
| SHA1 | 31237357c5154fe6384c3f21bdf88444213455b5 |
| SHA256 | 6a9393a1c262013842cac1bfbd6738e8bac5ec47e5637361488ff3709a00fb77 |
| SHA512 | 3c89e59b4e326ee0aac7913f749109190cf28027399b1c57d7a732b9e905d943f0a5666b40881ed58f10a89362d25f9dd0ab14c5fd226819b64199777b8b2f2e |
Analysis: behavioral4
Detonation Overview
Submitted
2022-05-21 03:28
Reported
2022-05-21 05:11
Platform
win10v2004-20220414-en
Max time kernel
112s
Max time network
131s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4732 set thread context of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
"C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hffwylP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBFA6.tmp"
C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe
"{path}"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RK__PO_N.exe'
Network
| Country | Destination | Domain | Proto |
| US | 20.42.65.85:443 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 104.18.24.243:80 | | tcp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpBFA6.tmp
| MD5 | 541e13162b02b801210b581259326985 |
| SHA1 | 40a7b5e6a0a7cade43dd40f81143ae68223ebc9f |
| SHA256 | a4fbb92255c1350690efdcdb768e19442eecb00330571d4fdaf530c45c19d604 |
| SHA512 | 4f839d09db90b8771ff9d2db77781a283ddeeb40a6e543518c4c302787462b87d4b2193543ce6545ff1f6638468a8de7d737edf5fdaa55e4dd95c0fea24177b8 |
memory/1764-137-0x0000000000000000-mapping.dmp
memory/1764-138-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RK__PO_N.exe.log
| MD5 | 400f1cc1a0a0ce1cdabda365ab3368ce |
| SHA1 | 1ecf683f14271d84f3b6063493dce00ff5f42075 |
| SHA256 | c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765 |
| SHA512 | 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45 |