Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-neq1gsgfhk
Target 969958fac3eeaf343eb4d790b9db320f8f70ad1d332cffec709c2b609609552c
SHA256 969958fac3eeaf343eb4d790b9db320f8f70ad1d332cffec709c2b609609552c
Tags
masslogger collection ransomware spyware stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

969958fac3eeaf343eb4d790b9db320f8f70ad1d332cffec709c2b609609552c

Threat Level: Known bad

The file 969958fac3eeaf343eb4d790b9db320f8f70ad1d332cffec709c2b609609552c was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware spyware stealer

MassLogger log file

MassLogger

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 11:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 11:18

Reported

2022-05-21 11:39

Platform

win7-20220414-en

Max time kernel

79s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1928 set thread context of 580 N/A C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A (2 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe C:\Windows\SysWOW64\schtasks.exe (4 identical events)
PID 1928 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe (9 identical events)

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe

"C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ycNQvjaCvnS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEABD.tmp"

C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp

Files

memory/1928-54-0x0000000001210000-0x00000000012FC000-memory.dmp

memory/1928-55-0x0000000000330000-0x000000000033A000-memory.dmp

memory/1928-56-0x0000000005850000-0x000000000590E000-memory.dmp

memory/1928-57-0x0000000005AC0000-0x0000000005B78000-memory.dmp

memory/992-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEABD.tmp

MD5 6ecc73262c966473448bd03f413caca0
SHA1 51319c40745fc3815f78cae9ae6e0f73c7166324
SHA256 e69494c7c29686b1f45057367e49307ead467937413a566b6f932b8ff214c0cc
SHA512 90f062d3dcdc2a2c231fef4aa44f60f9a3aeb04080984409b2892054cb3def5ac3c807dc2f0d222aa092e101258e2d75ba24c831adf6b866f7cdc16fb15fee9d

memory/580-60-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/580-61-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/580-63-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/580-64-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/580-65-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/580-66-0x00000000004B2DCE-mapping.dmp

memory/580-68-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/580-70-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/580-71-0x0000000000F60000-0x0000000000FD8000-memory.dmp

memory/580-72-0x0000000076011000-0x0000000076013000-memory.dmp

memory/580-73-0x0000000004DB5000-0x0000000004DC6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 11:18

Reported

2022-05-21 11:38

Platform

win10v2004-20220414-en

Max time kernel

156s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A (2 identical events)

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1624 set thread context of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A (2 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1624 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe C:\Windows\SysWOW64\schtasks.exe (3 identical events)
PID 1624 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe (8 identical events)

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe

"C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ycNQvjaCvnS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp"

C:\Users\Admin\AppData\Local\Temp\Peace Transit Order 1670.exe

"{path}"

Network

Country Destination Domain Proto
NL 104.110.191.133:80 N/A tcp
US 8.248.21.254:80 N/A tcp (5 identical events)
IE 13.69.239.72:443 N/A tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
NL 8.248.5.254:80 N/A tcp

Files

memory/1624-130-0x0000000000500000-0x00000000005EC000-memory.dmp

memory/1624-131-0x00000000051C0000-0x000000000525C000-memory.dmp

memory/1624-132-0x0000000005300000-0x0000000005392000-memory.dmp

memory/2764-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp

MD5 730ebdfe030fab3e5bb6e391ee9a1be8
SHA1 976df240fdbf3d691f0555aec542c0ff7d00d658
SHA256 5999ff0fc8a7312cb57034842e74ddc98186c6164fcd28160d0eddd40348181f
SHA512 c17b8c6aa45a039c7a2533d09502c4a4fbfaba1012db0827b4ada0def9a6b2252ff2ff5f94f6942094f7dd6395e75d3fcc38d537706abc7ba5561eb1382e2c02

memory/4732-135-0x0000000000000000-mapping.dmp

memory/4732-136-0x0000000000400000-0x00000000004B8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Peace Transit Order 1670.exe.log

MD5 ad1c7f6525cfeb54c0487efd38b0e26c
SHA1 ed3da94723ac7e3828a9e93d68418bb810592f3b
SHA256 0a534a3d0fa82e6a427164c5f6e702cac7e4afc9967af9bc5ddba4f84ab33276
SHA512 48d625e6be5391d91d95c2850226fe39bb2411cb72139797699cfe126e6b066182e83950a8ea67e63b64a66b0d45f58d8bc97cab0363d55c2fd88c0d1d28009c

memory/4732-138-0x0000000005BC0000-0x0000000006164000-memory.dmp

memory/4732-139-0x00000000057A0000-0x0000000005806000-memory.dmp

memory/4732-140-0x00000000070D0000-0x00000000070DA000-memory.dmp

memory/4732-141-0x00000000070E0000-0x0000000007130000-memory.dmp