590c7796e1c5f3d371350e97ae155b9655acd590228ee4eeb573eb6f3dd13018

General

Target

pc2phone.exe
Size

196KB
MD5

c3f8f8e4390dbeeae12c7b86c767122d
SHA1

a3f385fa227e4266e330d919e943b4b91f70dad3
SHA256

23fe6dd586cb5ecf3a5603c0475bbe55d088fbba7a4718c8f05590459e97c413
SHA512

9a6d26cbb0ef04aa92c4fb26cfff571c17b1d4c7db7f8c83a7cb958290e0ad26ffe04df380940c33fdadd476a0a4514cb62322972a292abeb2a0fc2c0c9dd61f
SSDEEP

3072:Azi7eCYDnulWznEbiwx91gZbv5vTL38JGCAmUPCF2NHzVAeyr3mII0b4Fi:n7eCYLud0bhLYUqANJkr3F40

Score

6^/10

collection persistence

Malware Config

Signatures

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinGS = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\mstolcr.exe"	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

2916 svchost.exe

pid	process
2916	svchost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

pc2phone.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3004	pc2phone.exe
Token: SeSecurityPrivilege	3004	pc2phone.exe
Token: SeTakeOwnershipPrivilege	3004	pc2phone.exe
Token: SeLoadDriverPrivilege	3004	pc2phone.exe
Token: SeSystemProfilePrivilege	3004	pc2phone.exe
Token: SeSystemtimePrivilege	3004	pc2phone.exe
Token: SeProfSingleProcessPrivilege	3004	pc2phone.exe
Token: SeIncBasePriorityPrivilege	3004	pc2phone.exe
Token: SeCreatePagefilePrivilege	3004	pc2phone.exe
Token: SeBackupPrivilege	3004	pc2phone.exe
Token: SeRestorePrivilege	3004	pc2phone.exe
Token: SeShutdownPrivilege	3004	pc2phone.exe
Token: SeDebugPrivilege	3004	pc2phone.exe
Token: SeSystemEnvironmentPrivilege	3004	pc2phone.exe
Token: SeRemoteShutdownPrivilege	3004	pc2phone.exe
Token: SeUndockPrivilege	3004	pc2phone.exe
Token: SeManageVolumePrivilege	3004	pc2phone.exe
Token: 33	3004	pc2phone.exe
Token: 34	3004	pc2phone.exe
Token: 35	3004	pc2phone.exe
Token: 36	3004	pc2phone.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

pc2phone.exe

description	pid	process	target process
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe
PID 3004 wrote to memory of 2916	3004	pc2phone.exe	svchost.exe

outlook_win_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\pc2phone.exe
"C:\Users\Admin\AppData\Local\Temp\pc2phone.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- outlook_win_path
PID:2916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\mstolcr.exe
Filesize
196KB

MD5
c3f8f8e4390dbeeae12c7b86c767122d

SHA1
a3f385fa227e4266e330d919e943b4b91f70dad3

SHA256
23fe6dd586cb5ecf3a5603c0475bbe55d088fbba7a4718c8f05590459e97c413

SHA512
9a6d26cbb0ef04aa92c4fb26cfff571c17b1d4c7db7f8c83a7cb958290e0ad26ffe04df380940c33fdadd476a0a4514cb62322972a292abeb2a0fc2c0c9dd61f

Download Submit
memory/2916-133-0x0000000000000000-mapping.dmp

Download
memory/2916-137-0x0000000010410000-0x000000001045C000-memory.dmp

Filesize
304KB

Download
memory/2916-138-0x0000000010410000-0x000000001045C000-memory.dmp

Filesize
304KB

Download
memory/3004-134-0x0000000010410000-0x000000001045C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads