Analysis Overview
SHA256
ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea
Threat Level: Known bad
The file ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea was found to be: Known bad.
Malicious Activity Summary
Phoenix Keylogger
Phoenix Keylogger payload
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Suspicious use of AdjustPrivilegeToken
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-24 20:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-24 20:55
Reported
2022-07-25 17:45
Platform
win7-20220718-en
Max time kernel
45s
Max time network
141s
Command Line
Signatures
Phoenix Keylogger
Phoenix Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ifconfig.me | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe
"C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ifconfig.me | udp |
| US | 34.160.111.145:80 | ifconfig.me | tcp |
| US | 8.8.8.8:53 | smtp.sclooke.com | udp |
Files
memory/1908-54-0x0000000000E00000-0x0000000000E24000-memory.dmp
memory/1908-55-0x0000000000360000-0x000000000039A000-memory.dmp
memory/1908-56-0x00000000768F1000-0x00000000768F3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-24 20:55
Reported
2022-07-25 17:46
Platform
win10v2004-20220722-en
Max time kernel
76s
Max time network
134s
Command Line
Signatures
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ifconfig.me | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe
"C:\Users\Admin\AppData\Local\Temp\ef886b4f433a603dfc4c7512a6f62188a8e5d6f0058b2481628195802f9de0ea.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 142.250.179.206:80 | tcp | |
| IE | 20.50.80.210:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | ifconfig.me | udp |
| US | 34.160.111.145:80 | ifconfig.me | tcp |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | smtp.sclooke.com | udp |
Files
memory/2384-132-0x00000000001C0000-0x00000000001E4000-memory.dmp
memory/2384-133-0x00000000055A0000-0x0000000005B44000-memory.dmp
memory/2384-134-0x00000000050E0000-0x000000000517C000-memory.dmp
memory/2384-135-0x0000000006000000-0x0000000006066000-memory.dmp
memory/2384-136-0x00000000065D0000-0x0000000006792000-memory.dmp
memory/2384-137-0x0000000006520000-0x00000000065B2000-memory.dmp
memory/2384-138-0x00000000064F0000-0x00000000064FA000-memory.dmp