Malware Analysis Report

2024-10-19 08:46

Sample ID 220521-d52jssbhcp
Target 009d89b65b1914214cdfe607769aa035dc2c66ca5b713a1c19e4e5088df26abf
SHA256 009d89b65b1914214cdfe607769aa035dc2c66ca5b713a1c19e4e5088df26abf
Tags masslogger collection ransomware spyware stealer rezer0
Score 10/10


Analysis Overview

Score
10/10

SHA256

009d89b65b1914214cdfe607769aa035dc2c66ca5b713a1c19e4e5088df26abf

Threat Level: Known bad

The file 009d89b65b1914214cdfe607769aa035dc2c66ca5b713a1c19e4e5088df26abf was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware spyware stealer rezer0

MassLogger

MassLogger log file

MassLogger Main Payload

ReZer0 packer

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 03:36

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 03:36

Reported

2022-05-21 05:20

Platform

win10v2004-20220414-en

Max time kernel

141s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 984 set thread context of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 984 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Windows\SysWOW64\schtasks.exe
PID 984 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Windows\SysWOW64\schtasks.exe
PID 984 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Windows\SysWOW64\schtasks.exe
PID 984 wrote to memory of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 984 wrote to memory of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 984 wrote to memory of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 984 wrote to memory of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 984 wrote to memory of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 984 wrote to memory of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 984 wrote to memory of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 984 wrote to memory of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe

"C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OgbBYOJqnGVf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEEE4.tmp"

C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe

"{path}"

Network

Country | Destination | Domain | Proto
NL | 104.97.14.81:80 | N/A | tcp
IE | 20.54.110.249:443 | N/A | tcp
NL | 178.79.208.1:80 | N/A | tcp
US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp
US | 8.8.8.8:53 | a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp
US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp
FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 3.232.242.170:80 | api.ipify.org | tcp
FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp
US | 8.8.8.8:53 | mail.privateemail.com | udp
US | 198.54.122.135:587 | mail.privateemail.com | tcp

Files

memory/984-130-0x0000000000430000-0x000000000051C000-memory.dmp

memory/984-131-0x00000000054A0000-0x0000000005A44000-memory.dmp

memory/984-132-0x0000000004EF0000-0x0000000004F82000-memory.dmp

memory/984-133-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

memory/984-134-0x0000000008790000-0x000000000882C000-memory.dmp

memory/4176-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEEE4.tmp

MD5 ea61e23938d47e531cf0168470e0e589
SHA1 242460134e6d2c30025566f39f3d1595e87b9720
SHA256 9124048fab9ef78a6599a9f915504298398ec00781e18ca2619d3ec470d665ed
SHA512 b172bbc1975d194c7e5975142d86c1e4bbe2f5fa49c63b64482bdea8222c5a33de9af04146da4d8a6643011300cfadcabe8d0fb55d77a2c4e77407903618d6b6

memory/1432-137-0x0000000000000000-mapping.dmp

memory/1432-138-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Swift_Copy_Payment.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/1432-141-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-143-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-145-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-147-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-149-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-151-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-153-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-155-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-157-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-159-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-161-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-163-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-165-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-167-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-169-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-171-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-173-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-175-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-177-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-179-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-181-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-183-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-185-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-187-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-189-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-191-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-193-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-195-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-197-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-199-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-201-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1432-656-0x0000000005A80000-0x0000000005AE6000-memory.dmp

memory/1432-657-0x0000000008780000-0x00000000087D0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 03:36

Reported

2022-05-21 05:20

Platform

win7-20220414-en

Max time kernel

115s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ReZer0 packer

rezer0
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1660 set thread context of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1660 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 1660 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 1660 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 1660 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 1660 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 1660 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 1660 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 1660 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe
PID 1660 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe

"C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OgbBYOJqnGVf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2FD8.tmp"

C:\Users\Admin\AppData\Local\Temp\Swift_Copy_Payment.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 3.220.57.224:80 | api.ipify.org | tcp
US | 8.8.8.8:53 | mail.privateemail.com | udp
US | 198.54.122.135:587 | mail.privateemail.com | tcp

Files

memory/1660-54-0x00000000013E0000-0x00000000014CC000-memory.dmp

memory/1660-55-0x0000000076781000-0x0000000076783000-memory.dmp

memory/1660-56-0x0000000000420000-0x0000000000434000-memory.dmp

memory/1660-57-0x00000000051C0000-0x0000000005278000-memory.dmp

memory/1756-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2FD8.tmp

MD5 409a9a3b18ced5422c9cf80dcb51d54e
SHA1 81969efc0eb08152071b31079accb12a35892e61
SHA256 d9513a490e767ee37dbe0a34e016b7e4196fa15b1844d6fc174a4a5f6532072a
SHA512 0f667b31f3d0e4344ca77dc67b99e575df4e18521762bb1286d80b77a8dcf47f82dccaabf58d68c45ffc79fac48b9e8449696271b5561221ceb4ac7acbdcef92

memory/1712-60-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-61-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-63-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-64-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-65-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-66-0x00000000004ACBAE-mapping.dmp

memory/1712-68-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-70-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-72-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-74-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-76-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-78-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-80-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-82-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-84-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-86-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-88-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-90-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-92-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-94-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-96-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-98-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-100-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-102-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-104-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-106-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-108-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-110-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-112-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-114-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-116-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-118-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-120-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-122-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1712-587-0x0000000000530000-0x0000000000574000-memory.dmp

memory/1712-589-0x0000000004D75000-0x0000000004D86000-memory.dmp

memory/1712-590-0x0000000001380000-0x0000000001394000-memory.dmp