Analysis Overview
SHA256
12e7f4deb08d8ad253b59bb4d63f3f73705c4af7f564c5b5e8436e9034d29541
Threat Level: Known bad
The file 12e7f4deb08d8ad253b59bb4d63f3f73705c4af7f564c5b5e8436e9034d29541 was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger log file
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 03:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 03:27
Reported
2022-05-21 05:10
Platform
win7-20220414-en
Max time kernel
66s
Max time network
120s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1564 set thread context of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe
"C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HHrmVSdbBcd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96E4.tmp"
C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp96E4.tmp
| MD5 | e5064213772650475187f48cd7552988 |
| SHA1 | 7f7d3a5cd1d8f3ce9a8cd689e5ba277b7922204f |
| SHA256 | 3675d421b0312ceb760b4050c70e83ad6e686c137556fd17fdafe2ca5223c3c5 |
| SHA512 | 8a70fac894bea2d33338ba8eb994f68e886653c8d6ec2505bf23d156c309372375bb6228d8b7b916b4c172bace14a8c6db5627a38b8d3707dac449ad7846ac09 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 03:27
Reported
2022-05-21 05:09
Platform
win10v2004-20220414-en
Max time kernel
112s
Max time network
140s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3852 set thread context of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe
"C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HHrmVSdbBcd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp66E8.tmp"
C:\Users\Admin\AppData\Local\Temp\Fișă de plată 0005102002 20.07.2020.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| GB | 51.104.15.252:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.220.57.224:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp66E8.tmp
| MD5 | 58a2d442c3047a9a54170c0e2e0e9ca2 |
| SHA1 | 738a2c35a06e6a06482cc3aa78d22c5ed37621dd |
| SHA256 | bd44e89d5006500654dcb11e4903bc3c2442dbb5b146b12d39c567589fecec35 |
| SHA512 | 85e80bce1b3169b69146c7c95b4c52f82f21958f8bc4b1f4c6358db11c6566b8d28df21d3114df60ddc3c6b5da92a6f215f49682991ae4968d0c13449aae652c |