Malware Analysis Report

2024-10-23 21:33

Sample ID 220521-pl8dsaagdj
Target 44fee899ebeec1324a812d88a40d9f68824baec113e7520385d1f6a658e2ec84
SHA256 44fee899ebeec1324a812d88a40d9f68824baec113e7520385d1f6a658e2ec84
Tags
masslogger collection coreentity ransomware rezer0 spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44fee899ebeec1324a812d88a40d9f68824baec113e7520385d1f6a658e2ec84

Threat Level: Known bad

The file 44fee899ebeec1324a812d88a40d9f68824baec113e7520385d1f6a658e2ec84 was found to be: Known bad.

Malicious Activity Summary

masslogger collection coreentity ransomware rezer0 spyware stealer

MassLogger log file

MassLogger

CoreEntity .NET Packer

MassLogger Main Payload

ReZer0 packer

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

outlook_office_path

outlook_win_path

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 12:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 12:26

Reported

2022-05-21 12:38

Platform

win7-20220414-en

Max time kernel

144s

Max time network

217s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe"

Signatures

CoreEntity .NET Packer

coreentity
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ReZer0 packer

rezer0
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1944 set thread context of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1944 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1944 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1944 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1944 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1944 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 1944 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 1944 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 1944 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 1944 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 1944 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 1944 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 1944 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 1944 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 1944 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 1944 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 1944 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 1944 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe

"C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjpUwXOPn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1EC8.tmp"

C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 3.232.242.170:80 | api.ipify.org | tcp
US | 8.8.8.8:53 | us2.smtp.mailhostbox.com | udp
US | 162.222.225.16:587 | us2.smtp.mailhostbox.com | tcp

Files

memory/1944-54-0x0000000000BC0000-0x0000000000CAE000-memory.dmp

memory/1944-55-0x0000000075E51000-0x0000000075E53000-memory.dmp

memory/1944-56-0x0000000000510000-0x0000000000518000-memory.dmp

memory/1944-57-0x0000000007740000-0x00000000077EE000-memory.dmp

memory/2008-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1EC8.tmp

MD5 0f36dca8af388ea9b4d50aba65a51fd1
SHA1 2acb584eaf9a66f02752b6995232f0dcb53ddd05
SHA256 4cee823565380d93bf1cd68f10f367e11fd04fe98e44cb692bf2ab71d0f5aa4e
SHA512 b9bc902e7ccef5e0c1065c11a5b4d0b957e79dc422563c73aed1d16cc9d2d4b171c80b10ffec188e4f37a2c1b995470f81d60bca571af3c31a9d76e70daa41cb

memory/904-60-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-61-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-63-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-64-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-65-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-66-0x00000000004A183E-mapping.dmp

memory/904-68-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-70-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-72-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-74-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-76-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-78-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-80-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-82-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-84-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-86-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-88-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-90-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-92-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-94-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-96-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-98-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-100-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-102-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-104-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-106-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-108-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-110-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-112-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-114-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-116-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-118-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-120-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-122-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/904-572-0x0000000004D30000-0x0000000004D74000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 12:26

Reported

2022-05-21 12:37

Platform

win10v2004-20220414-en

Max time kernel

180s

Max time network

194s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2500 set thread context of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2500 wrote to memory of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 2500 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 2500 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 2500 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 2500 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 2500 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 2500 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe
PID 2500 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe | C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe

"C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LjpUwXOPn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp68FB.tmp"

C:\Users\Admin\AppData\Local\Temp\TT COPY osdnsufsuifhsifudsujdfs,,,,.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 67.26.211.254:80 | | tcp
US | 67.26.211.254:80 | | tcp
US | 209.197.3.8:80 | | tcp
IE | 13.69.239.73:443 | | tcp
US | 67.24.169.254:80 | | tcp
US | 67.24.169.254:80 | | tcp
US | 67.26.207.254:80 | | tcp
US | 67.26.211.254:80 | | tcp
US | 67.26.211.254:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 8.8.8.8:53 | api.ipify.org | udp
MY | 110.4.46.52:587 | | tcp

Files

memory/2500-130-0x0000000000270000-0x000000000035E000-memory.dmp

memory/2500-131-0x0000000007610000-0x0000000007BB4000-memory.dmp

memory/2500-132-0x0000000007100000-0x0000000007192000-memory.dmp

memory/2500-133-0x00000000070A0000-0x00000000070AA000-memory.dmp

memory/2500-134-0x000000000ADB0000-0x000000000AE4C000-memory.dmp

memory/4356-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp68FB.tmp

MD5 b8dd0826b2fd9c0874da9312be81d750
SHA1 68a900e07ea2dcb78f2a07b7c0beaa752d8b1e1e
SHA256 6fb9ee2f881c79e33c5f6c32f0cbe9eb8194fafe0ff216653310769f6e32e7b2
SHA512 17ff6f9ba522f673e86074083502bfbac335515e6002ef9451ed841c9f5a88652178c8689bc29816c612489e92eb57a6c1abc36ede68fa05c7f57fd0474b4c7c

memory/4612-137-0x0000000000000000-mapping.dmp

memory/4612-138-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-140-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-142-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-144-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-146-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-148-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-150-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-152-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-154-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-156-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-158-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-160-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-162-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-164-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-166-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-168-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-170-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-172-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-174-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-176-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-178-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-180-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-182-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-184-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-186-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-188-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-190-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-192-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-194-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-196-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-198-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-200-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/4612-639-0x0000000006590000-0x00000000065F6000-memory.dmp

memory/4612-640-0x0000000006C40000-0x0000000006C90000-memory.dmp