2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a

General

Target

2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
Size

1003KB
MD5

9cac744095b6f061f0d4a1ae1d06de94
SHA1

cee4c0bb627929baa9e9fe2f3d124862e04a96a1
SHA256

2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a
SHA512

dbd7cc51f9a16ad28de4ccbe41f8d90a71d51f07d9eea8f761b97adf31df3f237035623c3cf4d3d304776e8d621ecfb432ea8ec1188e3c7cb057a63eac6859c9

Score

7^/10

collection persistence spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Foamex International Inc = "C:\\Users\\Admin\\AppData\\Roaming\\Foamex International Inc\\Foamex International Inc.exe"	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 checkip.dyndns.org

flow	ioc
13	checkip.dyndns.org

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

pid	process
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

description pid process

Token: SeDebugPrivilege 484 2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

description	pid	process
Token: SeDebugPrivilege	484	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

outlook_office_path 1 IoCs

Processes:

2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

outlook_win_path 1 IoCs

Processes:

2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe

C:\Users\Admin\AppData\Local\Temp\2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe
"C:\Users\Admin\AppData\Local\Temp\2f3a8a7c3b690511b284328d72b0ec17733f158b998b4e46c9fa5a12aadfa65a.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/484-130-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/484-131-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads