Malware Analysis Report

2024-10-23 21:32

Sample ID: 220521-nfc51sdfb2
Target: 60133d3766356f4132b983d2e34998d0bd6395aa9b79b38e8deef3512412ac51
SHA256: 60133d3766356f4132b983d2e34998d0bd6395aa9b79b38e8deef3512412ac51
Tags: masslogger collection ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 60133d3766356f4132b983d2e34998d0bd6395aa9b79b38e8deef3512412ac51

Threat Level: Known bad

The file 60133d3766356f4132b983d2e34998d0bd6395aa9b79b38e8deef3512412ac51 was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware spyware stealer

MassLogger log file

MassLogger

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-21 11:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-21 11:19
Reported: 2022-05-21 11:48
Platform: win7-20220414-en
Max time kernel: 151s
Max time network: 163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 972 set thread context of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 972 wrote to memory of 1964 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | C:\Windows\SysWOW64\schtasks.exe
PID 972 wrote to memory of 1404 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe

Processes

C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe

"C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF567.tmp"

C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe

"{path}"

Network

N/A

Files

memory/972-54-0x0000000000C20000-0x0000000000D76000-memory.dmp

memory/972-55-0x00000000761F1000-0x00000000761F3000-memory.dmp

memory/972-56-0x0000000000340000-0x0000000000348000-memory.dmp

memory/972-57-0x00000000080C0000-0x0000000008182000-memory.dmp

memory/972-58-0x0000000005D90000-0x0000000005E52000-memory.dmp

memory/1964-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF567.tmp

MD5 ab15c7fe3dc23f51a8ed4545eb54a9cb
SHA1 206a5e711a5b8819deae10c568fa760a23d9308c
SHA256 2889f7b15e75b474bfa37c720f216861f138e8e39e1d2f807ce751a21086674b
SHA512 29b8f09dfa625fad63d6cae0fd9d9f9ea19a4b5a001138c5afb644c0d37f1cc2e7bf51a4242af433568b22b19613b1570a234474663cc659dd4ad54c7407a114

memory/1404-61-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1404-62-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1404-64-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1404-65-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1404-66-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1404-67-0x00000000004B2D6E-mapping.dmp

memory/1404-69-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1404-71-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1404-72-0x0000000002410000-0x0000000002488000-memory.dmp

memory/1404-74-0x0000000000BC5000-0x0000000000BD6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-21 11:19
Reported: 2022-05-21 11:46
Platform: win10v2004-20220414-en
Max time kernel: 104s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried (2 events) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4120 set thread context of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4120 wrote to memory of 4808 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | C:\Windows\SysWOW64\schtasks.exe
PID 4120 wrote to memory of 64 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe

"C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD0BD.tmp"

C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe

"{path}"

Network

Country | Destination | Domain | Proto
NL | 104.97.14.81:80 | | tcp
NL | 52.178.17.2:443 | | tcp
FR | 2.18.109.224:443 | | tcp
US | 104.18.24.243:80 | | tcp
NL | 104.123.41.162:80 | | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 3.220.57.224:80 | api.ipify.org | tcp
US | 8.8.8.8:53 | mail.privateemail.com | udp
US | 198.54.122.135:587 | mail.privateemail.com | tcp
US | 8.253.208.120:80 | | tcp

Files

memory/4120-130-0x0000000000760000-0x00000000008B6000-memory.dmp

memory/4120-131-0x0000000005810000-0x0000000005DB4000-memory.dmp

memory/4120-132-0x0000000005260000-0x00000000052F2000-memory.dmp

memory/4120-133-0x0000000005410000-0x000000000541A000-memory.dmp

memory/4120-134-0x0000000008C70000-0x0000000008D0C000-memory.dmp

memory/4808-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD0BD.tmp

MD5 ab9f8a9574d9209cd8666decb37e33cc
SHA1 b768b98d37b96bcf5eeeb4bae10589a196b66db2
SHA256 2c052172f943620c36053efd2ab1d6ef9fbb671c55669b9f49430f0f7acd7704
SHA512 5059538580cce17a2c7516e3117297310455e38ff32d51c6e17ef188448ce3567f9c968ad478df725ed2ce8630ceee2340246264a6e60877895591a67d45da70

memory/64-137-0x0000000000000000-mapping.dmp

memory/64-138-0x0000000000400000-0x00000000004B8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LUSA TEX ORDER 07282020 .exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/64-140-0x0000000005A50000-0x0000000005AB6000-memory.dmp

memory/64-141-0x0000000008380000-0x00000000083D0000-memory.dmp