General
Target: PO 4800049984.exe
Filesize: 405KB
Completed: 21-05-2022 12:49
Task: behavioral2
Score: 7/10
MD5: ad5ecefbac91d7cee3191da22872e2ec
SHA1: c4c6bc3ce6e2ee682982403e97eb5364ebd9b01d
SHA256: 301c31d38f7cb13d8128b53666c66e251d7a398c1b0fdae66d52ab0d377852ef
SHA512: 0375ba09e09e00c63aa8d20d3c25751139c2b5bfc98f8664258349b696a0edc001c5070a38968325887943b8b07a8c6b8f89a8ca1c10c41db7113c2ae568cd87

Malware Config
Signatures 14

  • Checks computer location settings
    PO 4800049984.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | PO 4800049984.exe
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Accesses Microsoft Outlook profiles
    PO 4800049984.exe

    TTPs

    Email Collection

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO 4800049984.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO 4800049984.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO 4800049984.exe
  • Adds Run key to start application
    PO 4800049984.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe" | PO 4800049984.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    2880 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    PO 4800049984.exe

    Reported IOCs

    pid | process
    4472 | PO 4800049984.exe
    4472 | PO 4800049984.exe
  • Suspicious behavior: RenamesItself
    PO 4800049984.exe

    Reported IOCs

    pid | process
    4472 | PO 4800049984.exe
  • Suspicious use of AdjustPrivilegeToken
    PO 4800049984.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 4472 | PO 4800049984.exe
  • Suspicious use of WriteProcessMemory
    PO 4800049984.exe

    Reported IOCs

    description | pid | process | target process
    PID 4472 wrote to memory of 2880 | 4472 | PO 4800049984.exe | schtasks.exe
    PID 4472 wrote to memory of 2880 | 4472 | PO 4800049984.exe | schtasks.exe
    PID 4472 wrote to memory of 2880 | 4472 | PO 4800049984.exe | schtasks.exe
  • outlook_office_path
    PO 4800049984.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO 4800049984.exe
  • outlook_win_path
    PO 4800049984.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO 4800049984.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\PO 4800049984.exe
    "C:\Users\Admin\AppData\Local\Temp\PO 4800049984.exe"
    Checks computer location settings
    Accesses Microsoft Outlook profiles
    Adds Run key to start application
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: RenamesItself
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    outlook_office_path
    outlook_win_path
    PID:4472
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eGVoQgH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B70.tmp"
      Creates scheduled task(s)
      PID:2880
Network
MITRE ATT&CK Matrix
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmp4B70.tmp
    MD5: cb9d93ebd2ad9dd3f91837e0dedbb328
    SHA1: 77d405c833dca690c65c5f34f671aeff2382e650
    SHA256: 29b53a9f52ee51f712767d11cb477aa54d87ff16c5a7c277ce1c73357d6d3e99
    SHA512: f97caf56d724df54c90d409633529541902a1a4d9f058036d68b8342f099f8fb72d437743ad626dffbb0305b04eba33058327bb28420ac90fb58af5c0ce69920
  • memory/2880-134-0x0000000000000000-mapping.dmp
  • memory/4472-130-0x00000000009C0000-0x0000000000A2C000-memory.dmp
  • memory/4472-131-0x00000000059B0000-0x0000000005F54000-memory.dmp
  • memory/4472-132-0x0000000005400000-0x0000000005492000-memory.dmp
  • memory/4472-133-0x00000000062A0000-0x000000000633C000-memory.dmp
  • memory/4472-136-0x0000000006F20000-0x0000000006F86000-memory.dmp
  • memory/4472-137-0x00000000068F0000-0x0000000006940000-memory.dmp
  • memory/4472-138-0x00000000068A0000-0x00000000068AA000-memory.dmp