Analysis Overview
SHA256
0410a74a0b1bd7b7a626e2c1efb3c7e91c6f0571a42dd447c86a4afe382ba18b
Threat Level: Known bad
The file 0410a74a0b1bd7b7a626e2c1efb3c7e91c6f0571a42dd447c86a4afe382ba18b was found to be: Known bad.
Malicious Activity Summary
MassLogger log file
MassLogger
ReZer0 packer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
outlook_win_path
Delays execution with timeout.exe
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 03:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 03:34
Reported
2022-05-21 05:20
Platform
win7-20220414-en
Max time kernel
59s
Max time network
55s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ReZer0 packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1980 set thread context of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe |
| PID 1616 set thread context of 1524 | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IapdeqiYxjrvsQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC70.tmp"
C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"
C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"
C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC39E.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IapdeqiYxjrvsQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD6FF.tmp"
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 54.91.59.199:80 | api.ipify.org | tcp |
Files
memory/1980-54-0x00000000002B0000-0x0000000000368000-memory.dmp
memory/1980-55-0x00000000768D1000-0x00000000768D3000-memory.dmp
memory/1980-56-0x00000000002A0000-0x00000000002A8000-memory.dmp
memory/1980-57-0x0000000005170000-0x000000000521E000-memory.dmp
memory/1120-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC70.tmp
| MD5 | ac6d80bf25675aefd5cc746dfbf63b04 |
| SHA1 | 421facc246f710e1e0abc25c8f8f518890d149d6 |
| SHA256 | f580a5f04654984fd80701c64fd2339547db3f7b6fc4abafae20961c80921680 |
| SHA512 | 1268c557f06e7b5b76cc0c94efdd88d342fa9f07edd94a6f691974dc58c69d1456baa255263ca57c95a370d9ae5274541c730140d83402f5b1d6fc1d0aea5602 |
memory/1732-60-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-61-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-63-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-64-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-65-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-66-0x00000000004A1A5E-mapping.dmp
memory/1732-68-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-70-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-72-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-74-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-76-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-78-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-80-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-82-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-84-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-86-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-88-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-90-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-92-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-94-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-96-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-98-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-100-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-102-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-104-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-108-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-106-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-110-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-112-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-114-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-116-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-118-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-120-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1732-122-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/1628-572-0x0000000000000000-mapping.dmp
memory/800-573-0x0000000000000000-mapping.dmp
memory/1668-574-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC39E.tmp.bat
| MD5 | c0129017e1f1dfd85de7e6fc11e8adc1 |
| SHA1 | b0a1b7edec8a5e7d2b47bf5e03cd67e62b8d70fe |
| SHA256 | 9b76f48a22b668bcbf36feb67bafa528009b3ff87d73b65d2a9fa42c47715762 |
| SHA512 | 6b54f426fa7035703bfbc5fad3bef6f5df1729edfe2e8e713d77a45d7a274c0287ce1bbc74a5f68737c7dcfb9d9153b071e45b722d2bdb72046b3cacd9659622 |
memory/1028-576-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
| MD5 | e6f2ef791f0ec1869a975fa14248e8a1 |
| SHA1 | bca1cf7d10b095100273065d9e59fd1107afd353 |
| SHA256 | c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500 |
| SHA512 | 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b |
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
| MD5 | e6f2ef791f0ec1869a975fa14248e8a1 |
| SHA1 | bca1cf7d10b095100273065d9e59fd1107afd353 |
| SHA256 | c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500 |
| SHA512 | 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b |
memory/1616-579-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
| MD5 | e6f2ef791f0ec1869a975fa14248e8a1 |
| SHA1 | bca1cf7d10b095100273065d9e59fd1107afd353 |
| SHA256 | c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500 |
| SHA512 | 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b |
memory/1616-581-0x0000000000260000-0x0000000000318000-memory.dmp
memory/1504-583-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD6FF.tmp
| MD5 | ac6d80bf25675aefd5cc746dfbf63b04 |
| SHA1 | 421facc246f710e1e0abc25c8f8f518890d149d6 |
| SHA256 | f580a5f04654984fd80701c64fd2339547db3f7b6fc4abafae20961c80921680 |
| SHA512 | 1268c557f06e7b5b76cc0c94efdd88d342fa9f07edd94a6f691974dc58c69d1456baa255263ca57c95a370d9ae5274541c730140d83402f5b1d6fc1d0aea5602 |
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
| MD5 | e6f2ef791f0ec1869a975fa14248e8a1 |
| SHA1 | bca1cf7d10b095100273065d9e59fd1107afd353 |
| SHA256 | c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500 |
| SHA512 | 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b |
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
| MD5 | e6f2ef791f0ec1869a975fa14248e8a1 |
| SHA1 | bca1cf7d10b095100273065d9e59fd1107afd353 |
| SHA256 | c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500 |
| SHA512 | 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b |
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
| MD5 | e6f2ef791f0ec1869a975fa14248e8a1 |
| SHA1 | bca1cf7d10b095100273065d9e59fd1107afd353 |
| SHA256 | c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500 |
| SHA512 | 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b |
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
| MD5 | e6f2ef791f0ec1869a975fa14248e8a1 |
| SHA1 | bca1cf7d10b095100273065d9e59fd1107afd353 |
| SHA256 | c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500 |
| SHA512 | 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b |
memory/1524-595-0x00000000004A1A5E-mapping.dmp
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
| MD5 | e6f2ef791f0ec1869a975fa14248e8a1 |
| SHA1 | bca1cf7d10b095100273065d9e59fd1107afd353 |
| SHA256 | c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500 |
| SHA512 | 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b |
memory/1524-601-0x0000000000400000-0x00000000004A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt
| MD5 | dd4c9d18d412811d8c0da01d6b465703 |
| SHA1 | 061cf7b8dcb6b0be2834c5795b2f5ec917791380 |
| SHA256 | 5532fc69b2753a1a303a55945098f139570da207b7230857efa994f3759b3bc5 |
| SHA512 | bb6ff296e0893237b8ab92bec484e0f35956d0b45c7ef7fc2827e054ebf3763278d57e51d0190df61ba97ffbe08f7d26b8ec6aff0ec9eaee7008fb45b3cba5a6 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 03:34
Reported
2022-05-21 05:20
Platform
win10v2004-20220414-en
Max time kernel
132s
Max time network
150s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3484 set thread context of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe |
| PID 4756 set thread context of 4960 | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IapdeqiYxjrvsQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB99.tmp"
C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"
C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"
C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAAF5.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IapdeqiYxjrvsQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp"
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.67:443 | | tcp |
| US | 52.182.143.208:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 20.190.160.136:443 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
| NL | 20.190.160.71:443 | | tcp |
| NL | 20.190.160.129:443 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 54.91.59.199:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | mail.privateemail.com | udp |
| US | 198.54.122.135:587 | mail.privateemail.com | tcp |
| NL | 20.190.160.75:443 | | tcp |
| NL | 20.190.160.134:443 | | tcp |
Files
memory/3484-130-0x0000000000AE0000-0x0000000000B98000-memory.dmp
memory/3484-131-0x0000000005A80000-0x0000000006024000-memory.dmp
memory/3484-132-0x0000000005570000-0x0000000005602000-memory.dmp
memory/3484-133-0x0000000005700000-0x000000000570A000-memory.dmp
memory/3484-134-0x00000000077C0000-0x000000000785C000-memory.dmp
memory/4528-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB99.tmp
| MD5 | 04c33888a157708c2a0ad52d9ddfad53 |
| SHA1 | a016eebe11e1cb80db8e46ced14f810ffff3ce7f |
| SHA256 | 1784f131dcb5411b85b06ba1cba60e6bab81895a552db04cd7fab3e7af406b09 |
| SHA512 | 040bbd69bf21c8163969d107e33a8fd9524e28bf3ee512caf4e68cdef73843f02a2f9037147436232e34626cb89b14de202c7b1cc5bcd09f57bee9bb087cffbb |
memory/3460-137-0x0000000000000000-mapping.dmp
memory/5116-138-0x0000000000000000-mapping.dmp
memory/2032-139-0x0000000000000000-mapping.dmp
memory/2032-140-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-142-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-144-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-146-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-148-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-150-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-152-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-154-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-156-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-158-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-160-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-162-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-164-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-166-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-168-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-170-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-172-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-174-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-176-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-178-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-180-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-182-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-184-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-186-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-188-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-190-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-192-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-194-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-196-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-198-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-200-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-202-0x0000000000400000-0x00000000004A6000-memory.dmp
memory/2032-641-0x0000000006B60000-0x0000000006BC6000-memory.dmp
memory/3576-642-0x0000000000000000-mapping.dmp
memory/3924-643-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW ORDER .exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/5112-645-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAAF5.tmp.bat
| MD5 | 18fc892a100ff2055e7277e19da9a04d |
| SHA1 | b025c65a7fc311c8ec068b286268d554cd46dde9 |
| SHA256 | 2cfbe402d4b49b686515398e5eb689991abba475ea884d6740c711273be9e937 |
| SHA512 | eeaed1f8e3337114bd7aee1cd0a1c22151d2b2199fdbd3a77fb6085056f6ef37056999f7b189effc72f1aef5cf7988bbb8f961c682b59d5edacf883e8cd23f0f |
memory/4976-647-0x0000000000000000-mapping.dmp
memory/4756-648-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
| MD5 | e6f2ef791f0ec1869a975fa14248e8a1 |
| SHA1 | bca1cf7d10b095100273065d9e59fd1107afd353 |
| SHA256 | c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500 |
| SHA512 | 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b |
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
| MD5 | e6f2ef791f0ec1869a975fa14248e8a1 |
| SHA1 | bca1cf7d10b095100273065d9e59fd1107afd353 |
| SHA256 | c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500 |
| SHA512 | 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b |
memory/2364-651-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp
| MD5 | 04c33888a157708c2a0ad52d9ddfad53 |
| SHA1 | a016eebe11e1cb80db8e46ced14f810ffff3ce7f |
| SHA256 | 1784f131dcb5411b85b06ba1cba60e6bab81895a552db04cd7fab3e7af406b09 |
| SHA512 | 040bbd69bf21c8163969d107e33a8fd9524e28bf3ee512caf4e68cdef73843f02a2f9037147436232e34626cb89b14de202c7b1cc5bcd09f57bee9bb087cffbb |
memory/3940-653-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
| MD5 | e6f2ef791f0ec1869a975fa14248e8a1 |
| SHA1 | bca1cf7d10b095100273065d9e59fd1107afd353 |
| SHA256 | c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500 |
| SHA512 | 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b |
memory/4960-655-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
| MD5 | e6f2ef791f0ec1869a975fa14248e8a1 |
| SHA1 | bca1cf7d10b095100273065d9e59fd1107afd353 |
| SHA256 | c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500 |
| SHA512 | 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b |
C:\Users\Admin\AppData\Local\Temp\19E979543A\Log.txt
| MD5 | 778aca6268a395ca519edf05ef7ebf66 |
| SHA1 | 6a9460effda3d5f02e2445e0f01812fc2fe60456 |
| SHA256 | 7dfec20687e2eee0a7ea24b7c1371cab87e21c6febacf82d104e12bf12203a64 |
| SHA512 | 70967db5040ec24454e18cad007b66e4c2e5dc8c6b80e8fdb5394166ef1a2f78513126cd9f2ff4e5d843d5609e16cddc7e17764c8abb661f9c6bf4e5bc806098 |
memory/4960-1159-0x0000000007D30000-0x0000000007D80000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vlc.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |