Malware Analysis Report

2024-10-19 08:46

Sample ID: 220521-pljenaagar
Target: 53c05a4b75e539caed8efe3f60af055da27c014c2f8ba6f9a05981fc2e073e59
SHA256: 53c05a4b75e539caed8efe3f60af055da27c014c2f8ba6f9a05981fc2e073e59
Tags: masslogger agilenet collection ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 53c05a4b75e539caed8efe3f60af055da27c014c2f8ba6f9a05981fc2e073e59

Threat Level: Known bad

The file 53c05a4b75e539caed8efe3f60af055da27c014c2f8ba6f9a05981fc2e073e59 was found to be: Known bad.

Malicious Activity Summary

masslogger agilenet collection ransomware spyware stealer

MassLogger Main Payload

MassLogger

MassLogger log file

Masslogger family

Obfuscated with Agile.Net obfuscator

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-21 12:24

Signatures

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Masslogger family

masslogger

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-21 12:24
Reported: 2022-05-21 12:36
Platform: win7-20220414-en
Max time kernel: 100s
Max time network: 104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAGO_ADJ.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (58 identical rows, no details recorded)

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 560 set thread context of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO_ADJ.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO_ADJ.exe | N/A (3 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO_ADJ.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 560 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO_ADJ.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (12 identical rows)

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAGO_ADJ.exe

"C:\Users\Admin\AppData\Local\Temp\PAGO_ADJ.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 52.20.78.240:80 | api.ipify.org | tcp
US | 162.159.133.233:443 | (none) | tcp
US | 8.8.8.8:53 | ftp.sisbg.net | udp
BG | 91.196.125.137:21 | ftp.sisbg.net | tcp

Files

memory/560-54-0x00000000003F0000-0x0000000000532000-memory.dmp
memory/560-55-0x00000000003B0000-0x00000000003C4000-memory.dmp
memory/560-56-0x00000000003D0000-0x00000000003D8000-memory.dmp
memory/560-57-0x0000000000550000-0x0000000000558000-memory.dmp
memory/560-58-0x00000000009A0000-0x00000000009A8000-memory.dmp
memory/1736-59-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-60-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-62-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-63-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-65-0x00000000004A20FE-mapping.dmp
memory/1736-67-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-66-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-71-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-74-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-75-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-76-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-77-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-78-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-79-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-80-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-81-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-82-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-84-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-85-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-87-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-88-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-89-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-90-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-91-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-92-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-93-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-94-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-96-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-97-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-98-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-99-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-100-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-102-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-103-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-105-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-106-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-108-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-110-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-111-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-112-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-114-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-116-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-118-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-119-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-122-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-124-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-123-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-121-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-120-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-117-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-115-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-113-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-109-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-107-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-104-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-101-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-95-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-86-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-83-0x0000000000090000-0x0000000000138000-memory.dmp
memory/1736-325-0x0000000004230000-0x0000000004274000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-21 12:24
Reported: 2022-05-21 12:36
Platform: win10v2004-20220414-en
Max time kernel: 91s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAGO_ADJ.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (33 identical rows, no details recorded)

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2992 set thread context of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO_ADJ.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO_ADJ.exe | N/A (3 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO_ADJ.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAGO_ADJ.exe

"C:\Users\Admin\AppData\Local\Temp\PAGO_ADJ.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country | Destination | Domain | Proto
NL | 104.97.14.81:80 | (none) | tcp
NL | 52.178.17.2:443 | (none) | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 3.232.242.170:80 | api.ipify.org | tcp
FR | 2.18.109.224:443 | (none) | tcp
US | 104.18.24.243:80 | (none) | tcp
NL | 104.123.41.162:80 | (none) | tcp
US | 8.8.8.8:53 | ftp.sisbg.net | udp
BG | 91.196.125.137:21 | ftp.sisbg.net | tcp

Files

memory/2992-130-0x0000000000540000-0x0000000000682000-memory.dmp
memory/2992-131-0x0000000005600000-0x0000000005BA4000-memory.dmp
memory/2992-132-0x0000000005150000-0x00000000051E2000-memory.dmp
memory/2992-133-0x00000000052F0000-0x0000000005334000-memory.dmp
memory/4424-134-0x0000000000000000-mapping.dmp
memory/4424-135-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-137-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-139-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-141-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-143-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-147-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-145-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-149-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-151-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-153-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-155-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-157-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-159-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-161-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-163-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-165-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-167-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-169-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-171-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-173-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-175-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-177-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-181-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-179-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-183-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-185-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-187-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-189-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-191-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-193-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-195-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-197-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4424-634-0x0000000006050000-0x00000000060B6000-memory.dmp
memory/4424-635-0x00000000063F0000-0x00000000063FA000-memory.dmp
memory/4424-636-0x0000000006830000-0x0000000006880000-memory.dmp
memory/4424-637-0x0000000006A20000-0x0000000006ABC000-memory.dmp