Analysis Overview
SHA256
009d89b65b1914214cdfe607769aa035dc2c66ca5b713a1c19e4e5088df26abf
Threat Level: Known bad
The file 009d89b65b1914214cdfe607769aa035dc2c66ca5b713a1c19e4e5088df26abf was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger log file
MassLogger Main Payload
ReZer0 packer
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
outlook_office_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 03:36
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 03:36
Reported
2022-05-21 05:20
Platform
win10v2004-20220414-en
Max time kernel
141s
Max time network
170s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 984 set thread context of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
"C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OgbBYOJqnGVf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEEE4.tmp"
C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| NL | 104.97.14.81:80 | | tcp |
| IE | 20.54.110.249:443 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | mail.privateemail.com | udp |
| US | 198.54.122.135:587 | mail.privateemail.com | tcp |
Files
memory/984-130-0x0000000000430000-0x000000000051C000-memory.dmp
memory/984-131-0x00000000054A0000-0x0000000005A44000-memory.dmp
memory/984-132-0x0000000004EF0000-0x0000000004F82000-memory.dmp
memory/984-133-0x0000000004EA0000-0x0000000004EAA000-memory.dmp
memory/984-134-0x0000000008790000-0x000000000882C000-memory.dmp
memory/4176-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpEEE4.tmp
| MD5 | ea61e23938d47e531cf0168470e0e589 |
| SHA1 | 242460134e6d2c30025566f39f3d1595e87b9720 |
| SHA256 | 9124048fab9ef78a6599a9f915504298398ec00781e18ca2619d3ec470d665ed |
| SHA512 | b172bbc1975d194c7e5975142d86c1e4bbe2f5fa49c63b64482bdea8222c5a33de9af04146da4d8a6643011300cfadcabe8d0fb55d77a2c4e77407903618d6b6 |
memory/1432-137-0x0000000000000000-mapping.dmp
memory/1432-138-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Swift_Copy_Payment.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/1432-656-0x0000000005A80000-0x0000000005AE6000-memory.dmp
memory/1432-657-0x0000000008780000-0x00000000087D0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 03:36
Reported
2022-05-21 05:20
Platform
win7-20220414-en
Max time kernel
115s
Max time network
117s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ReZer0 packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1660 set thread context of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
"C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OgbBYOJqnGVf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2FD8.tmp"
C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.220.57.224:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | mail.privateemail.com | udp |
| US | 198.54.122.135:587 | mail.privateemail.com | tcp |
Files
memory/1660-54-0x00000000013E0000-0x00000000014CC000-memory.dmp
memory/1660-55-0x0000000076781000-0x0000000076783000-memory.dmp
memory/1660-56-0x0000000000420000-0x0000000000434000-memory.dmp
memory/1660-57-0x00000000051C0000-0x0000000005278000-memory.dmp
memory/1756-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp2FD8.tmp
| MD5 | 409a9a3b18ced5422c9cf80dcb51d54e |
| SHA1 | 81969efc0eb08152071b31079accb12a35892e61 |
| SHA256 | d9513a490e767ee37dbe0a34e016b7e4196fa15b1844d6fc174a4a5f6532072a |
| SHA512 | 0f667b31f3d0e4344ca77dc67b99e575df4e18521762bb1286d80b77a8dcf47f82dccaabf58d68c45ffc79fac48b9e8449696271b5561221ceb4ac7acbdcef92 |
memory/1712-60-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1712-66-0x00000000004ACBAE-mapping.dmp
memory/1712-587-0x0000000000530000-0x0000000000574000-memory.dmp
memory/1712-589-0x0000000004D75000-0x0000000004D86000-memory.dmp
memory/1712-590-0x0000000001380000-0x0000000001394000-memory.dmp