Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-ndsspagfdj
Target e50a804199c2303cf419613432fcc39612d644a0373e72e5b15a96b56a0521d6
SHA256 e50a804199c2303cf419613432fcc39612d644a0373e72e5b15a96b56a0521d6
Tags
masslogger collection ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e50a804199c2303cf419613432fcc39612d644a0373e72e5b15a96b56a0521d6

Threat Level: Known bad

The file e50a804199c2303cf419613432fcc39612d644a0373e72e5b15a96b56a0521d6 was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware spyware stealer

MassLogger log file

MassLogger

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 11:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 11:17

Reported

2022-05-21 11:37

Platform

win7-20220414-en

Max time kernel

119s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1700 set thread context of 468 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Windows\SysWOW64\schtasks.exe
PID 1700 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Windows\SysWOW64\schtasks.exe
PID 1700 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Windows\SysWOW64\schtasks.exe
PID 1700 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Windows\SysWOW64\schtasks.exe
PID 1700 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 1700 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 1700 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 1700 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 1700 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 1700 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 1700 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 1700 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 1700 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64CC.tmp"

C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 ftp.hmpme.com udp
US 8.8.8.8:53 smtp.gmail.com udp
US 142.250.102.109:587 smtp.gmail.com tcp

Files

memory/1700-54-0x0000000000020000-0x000000000014A000-memory.dmp

memory/1700-55-0x0000000000590000-0x0000000000598000-memory.dmp

memory/1700-56-0x0000000000380000-0x0000000000426000-memory.dmp

memory/1700-57-0x0000000005BE0000-0x0000000005C84000-memory.dmp

memory/952-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp64CC.tmp

MD5 dc436ff5b60ef8168376c73a193ed25c
SHA1 0943c8a1a0851b7b79d31fadb488cce2e0444638
SHA256 949ee6cece73e1304479fc963d79d2fd8e6410f451c1ce0ae6fd6e1b40b70705
SHA512 1f66711762ef86444a1e4edd5e3105b2ca5e83ec72bc6c2e04c7b5a9de1f50df3a6a85c75fc54003e4ebb0c9d8061455a6ef2e544726536592fb32dbf99736bd

memory/468-60-0x0000000000400000-0x000000000049A000-memory.dmp

memory/468-61-0x0000000000400000-0x000000000049A000-memory.dmp

memory/468-63-0x0000000000400000-0x000000000049A000-memory.dmp

memory/468-64-0x0000000000400000-0x000000000049A000-memory.dmp

memory/468-65-0x0000000000400000-0x000000000049A000-memory.dmp

memory/468-66-0x000000000049481E-mapping.dmp

memory/468-68-0x0000000000400000-0x000000000049A000-memory.dmp

memory/468-70-0x0000000000400000-0x000000000049A000-memory.dmp

memory/468-71-0x00000000008B0000-0x00000000008F4000-memory.dmp

memory/468-72-0x0000000075841000-0x0000000075843000-memory.dmp

memory/468-73-0x0000000000875000-0x0000000000886000-memory.dmp

memory/468-74-0x0000000002160000-0x0000000002174000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 11:17

Reported

2022-05-21 11:39

Platform

win10v2004-20220414-en

Max time kernel

132s

Max time network

194s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3068 set thread context of 208 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Windows\SysWOW64\schtasks.exe
PID 3068 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Windows\SysWOW64\schtasks.exe
PID 3068 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Windows\SysWOW64\schtasks.exe
PID 3068 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 3068 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 3068 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 3068 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 3068 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 3068 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 3068 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe
PID 3068 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18F2.tmp"

C:\Users\Admin\AppData\Local\Temp\Purchase Order Sample.exe

"{path}"

Network

Country Destination Domain Proto
US 209.197.3.8:80 N/A tcp
US 13.89.178.27:443 N/A tcp
US 209.197.3.8:80 N/A tcp
NL 88.221.144.179:80 N/A tcp
US 209.197.3.8:80 N/A tcp
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 ftp.hmpme.com udp
US 8.8.8.8:53 smtp.gmail.com udp
US 142.250.102.108:587 smtp.gmail.com tcp

Files

memory/3068-130-0x0000000000240000-0x000000000036A000-memory.dmp

memory/3068-131-0x0000000007320000-0x00000000073BC000-memory.dmp

memory/3068-132-0x0000000007560000-0x00000000075F2000-memory.dmp

memory/4204-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp18F2.tmp

MD5 072541fbcc0f05e7e00afb8876087822
SHA1 0a1a6ad25a4a546520fe21bed23b4dd56f5ea7f5
SHA256 8a98b2e2084e096028123a79228bc1b11f12179aecfbe53759b3e0805f973116
SHA512 07074f512ee920a787af3d49d982795121051cc5cd1ce01d115aab63cd800fd58f2f57e73dafb96151e57ada9d2e407e370abc9c56d8ab604d118dad93c1412d

memory/208-135-0x0000000000000000-mapping.dmp

memory/208-136-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order Sample.exe.log

MD5 bceb1b24038a079a8046db250ce33039
SHA1 95d2a21b00e5c127f023d2950afe052d2acba572
SHA256 d5237a1aac346aaff3cedaca0a567afa529b84a21676e4c7017c9f87cfb32d57
SHA512 182dc30cd1e600da9b7ea1ca12860fd82237b04de293899d19ab7edb8b2bcdb37e30d387bbdbb54acdbecdb8200f5a39d417abd91d2b4c11fd126a9e4d0f050e

memory/208-138-0x0000000005E20000-0x00000000063C4000-memory.dmp

memory/208-139-0x0000000005A60000-0x0000000005AC6000-memory.dmp

memory/208-140-0x0000000007710000-0x000000000771A000-memory.dmp

memory/208-141-0x00000000080E0000-0x0000000008130000-memory.dmp