Malware Analysis Report

2024-10-19 08:46

Sample ID 220521-dyfzhsbecm
Target 198f0de0ad9295ded03239d689b9a6e64ce4d694dfdfd27bc002230d1886e38b
SHA256 198f0de0ad9295ded03239d689b9a6e64ce4d694dfdfd27bc002230d1886e38b
Tags: masslogger collection coreentity evasion rezer0 spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

198f0de0ad9295ded03239d689b9a6e64ce4d694dfdfd27bc002230d1886e38b

Threat Level: Known bad

The file 198f0de0ad9295ded03239d689b9a6e64ce4d694dfdfd27bc002230d1886e38b was found to be: Known bad.

Malicious Activity Summary

masslogger collection coreentity evasion rezer0 spyware stealer

MassLogger Main Payload

MassLogger

MassLogger log file

Modifies visibility of file extensions in Explorer

CoreEntity .NET Packer

ReZer0 packer

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 03:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 03:24

Reported

2022-05-21 05:03

Platform

win7-20220414-en

Max time kernel

90s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ORDER202.exe"

Signatures

CoreEntity .NET Packer

coreentity
Description Indicator Process Target
N/A N/A N/A N/A

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Modifies visibility of file extensions in Explorer

evasion

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1492 set thread context of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1492 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\SysWOW64\schtasks.exe
PID 1492 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\SysWOW64\schtasks.exe
PID 1492 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\SysWOW64\schtasks.exe
PID 1492 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\SysWOW64\schtasks.exe
PID 1492 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ORDER202.exe

"C:\Users\Admin\AppData\Local\Temp\ORDER202.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hkEmZYRoabC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD4A.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 tbgf.xyz udp
US 34.102.136.180:587 tbgf.xyz tcp

Files

memory/1492-54-0x0000000001020000-0x0000000001112000-memory.dmp

memory/1492-55-0x0000000000F50000-0x000000000101A000-memory.dmp

memory/1492-56-0x0000000074C81000-0x0000000074C83000-memory.dmp

memory/1492-57-0x00000000004A0000-0x00000000004A8000-memory.dmp

memory/1492-58-0x0000000007890000-0x000000000793E000-memory.dmp

memory/1312-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD4A.tmp

MD5 9d4c14cf45fc912249672eec091ecdd5
SHA1 3567289b2edd8dd4a042706710c2c7bf53a55897
SHA256 bf8d2379a38ba747abbaf150bfd8d10285069cd82e13cc8af20df78b5616304b
SHA512 20fab2e71483101a431edd47c4abae68d761149b12add0a7cf8046bd5589d9e72ed970e0e54e3c93f01b642125bd6342f19519fbe00d53136a54e71318a6fa59

memory/1988-61-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-62-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-64-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-65-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-66-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-67-0x00000000004A1E2E-mapping.dmp

memory/1988-69-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-71-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-73-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-75-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-77-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-79-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-81-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-83-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-85-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-87-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-89-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-91-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-93-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-95-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-97-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-99-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-101-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-103-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-105-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-107-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-109-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-111-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-113-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-115-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-117-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-119-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-121-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-123-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1988-571-0x0000000004C30000-0x0000000004C74000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 03:24

Reported

2022-05-21 05:03

Platform

win10v2004-20220414-en

Max time kernel

106s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ORDER202.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Modifies visibility of file extensions in Explorer

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ORDER202.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4828 set thread context of 4740 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4828 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\SysWOW64\schtasks.exe
PID 4828 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\SysWOW64\schtasks.exe
PID 4828 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\SysWOW64\schtasks.exe
PID 4828 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4828 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4828 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4828 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4828 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4828 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4828 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4828 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4828 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4828 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4828 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\ORDER202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ORDER202.exe

"C:\Users\Admin\AppData\Local\Temp\ORDER202.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hkEmZYRoabC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F3E.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

Network

Country Destination Domain Proto
US 13.89.178.26:443 tcp
US 8.253.208.112:80 tcp
US 8.253.208.112:80 tcp
US 8.253.208.112:80 tcp
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 tbgf.xyz udp
US 34.102.136.180:587 tbgf.xyz tcp

Files

memory/4828-130-0x00000000000A0000-0x0000000000192000-memory.dmp

memory/4828-131-0x0000000007670000-0x0000000007C14000-memory.dmp

memory/4828-132-0x0000000007160000-0x00000000071F2000-memory.dmp

memory/4828-133-0x0000000007100000-0x000000000710A000-memory.dmp

memory/4828-134-0x0000000009990000-0x0000000009A2C000-memory.dmp

memory/2088-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2F3E.tmp

MD5 5f3b8012c2dac08869c4241594b55fa2
SHA1 d7bb06856c8561fd3d9b93700f877e30634d1002
SHA256 17505127dd776ded11e44ce620c99366e897bdcd49a3f27f1ed8214e216dfe80
SHA512 0cf4b0474c04641adf32697a9acee849ea54a9872a2b9b805ac11508c3a824896c838833b91fc779f95bbd21dfcc053ee91252938ab5abc2f027af1960b7752c

memory/2196-137-0x0000000000000000-mapping.dmp

memory/4740-138-0x0000000000000000-mapping.dmp

memory/4740-139-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-141-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-143-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-145-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-147-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-149-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-151-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-153-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-155-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-157-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-159-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-161-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-165-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-163-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-167-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-169-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-171-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-173-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-175-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-177-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-179-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-181-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-183-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-185-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-187-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-189-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-191-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-193-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-195-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-197-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-199-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-201-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4740-638-0x0000000006040000-0x00000000060A6000-memory.dmp

memory/4740-639-0x0000000006D60000-0x0000000006DB0000-memory.dmp