Analysis
- max time kernel: 417s
- max time network: 409s
- platform: windows7_x64
- resource: win7-20220812-es
- resource tags: arch:x64, arch:x86, image:win7-20220812-es, locale:es-es, os:windows7-x64, system:windows
- submitted: 29-11-2022 21:25
Static task: static1
Behavioral task: behavioral1 (sample Fact63867.msi, resource win7-20220812-es)
Behavioral task: behavioral2 (sample Fact63867.msi, resource win10v2004-20220812-es)
General
- Target: Fact63867.msi
- Size: 6.2MB
- MD5: ed4a51080ca004ea566ac94a3c73e89d
- SHA1: 6928d42a8324c0d93be8655d32c9c5712c8ffcd9
- SHA256: b324bf2765637c425eea72826c3a1524873fc8b2dc7c06cf9f5b3312bde8861a
- SHA512: 9e5c2f08639edd4bf3a05463a031a4e60a51854bf4f3ed213a1b5e06878e28a7dc951a8039fa35b3024ea8b6c15b833c439ac81908828545a062a0a152e7d14f
- SSDEEP: 98304:5YItM2AfnWKKLLS4MDCMPXbGSfK/8JzDuXcVCfDH22JG3w392SscX7e8iN:pMnlKLO4OLO2DuXcVyvKy2
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (CI9.5.exe)
Blocklisted process makes network request 3 IoCs
Processes:
- flow 4: PID 592 MsiExec.exe
- flow 6: PID 592 MsiExec.exe
- flow 7: PID 592 MsiExec.exe
Executes dropped EXE 1 IoCs
Processes:
- PID 996 CI9.5.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (CI9.5.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (CI9.5.exe)
Loads dropped DLL 7 IoCs
Processes:
- PID 592 MsiExec.exe (5 IoCs)
- PID 996 CI9.5.exe (2 IoCs)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes (resource: yara_rule):
- C:\Users\Admin\AppData\Roaming\ubJq6elBW\lqfcokdmym.zkl: themida
- \Users\Admin\AppData\Roaming\ubJq6elBW\lqfcokdmym.zkl: themida
- behavioral1/memory/996-82-0x0000000003160000-0x0000000004E3A000-memory.dmp: themida
- behavioral1/memory/996-83-0x0000000003160000-0x0000000004E3A000-memory.dmp: themida
- behavioral1/memory/996-84-0x0000000003160000-0x0000000004E3A000-memory.dmp: themida
- behavioral1/memory/996-85-0x0000000003160000-0x0000000004E3A000-memory.dmp: themida
- behavioral1/memory/996-86-0x0000000003160000-0x0000000004E3A000-memory.dmp: themida
- behavioral1/memory/996-87-0x0000000003160000-0x0000000004E3A000-memory.dmp: themida
- behavioral1/memory/996-88-0x0000000003160000-0x0000000004E3A000-memory.dmp: themida
- behavioral1/memory/996-89-0x0000000003160000-0x0000000004E3A000-memory.dmp: themida
- behavioral1/memory/996-90-0x0000000003160000-0x0000000004E3A000-memory.dmp: themida
- behavioral1/memory/996-91-0x0000000003160000-0x0000000004E3A000-memory.dmp: themida
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (OUTLOOK.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (OUTLOOK.EXE)
- Key queried: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (OUTLOOK.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (OUTLOOK.EXE)
- Key queried: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (OUTLOOK.EXE)
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run (MsiExec.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\mUphNGn = "\"C:\\Users\\Admin\\AppData\\Roaming\\ubJq6elBW\\CI9.5.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\ubJq6elBW\\CI9.5.ahk\" " (MsiExec.exe)
Checks whether UAC is enabled 1 IoCs
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (CI9.5.exe)
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- msiexec.exe (two processes listed): File opened (read-only) on \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:; each path appears twice in the report, giving the 48 IoCs)
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 3: ipinfo.io
- flow 4: ipinfo.io
- flow 9: ipinfo.io
Drops file in System32 directory 14 IoCs
Processes:
- File created: C:\Windows\system32\perfh009.dat (OUTLOOK.EXE)
- File opened for modification: C:\Windows\SysWOW64\PerfStringBackup.INI (OUTLOOK.EXE)
- File created: C:\Windows\system32\perfh00A.dat (OUTLOOK.EXE)
- File created: C:\Windows\system32\perfc010.dat (OUTLOOK.EXE)
- File created: C:\Windows\system32\perfc011.dat (OUTLOOK.EXE)
- File created: C:\Windows\system32\perfc007.dat (OUTLOOK.EXE)
- File created: C:\Windows\system32\perfh007.dat (OUTLOOK.EXE)
- File created: C:\Windows\system32\perfc009.dat (OUTLOOK.EXE)
- File created: C:\Windows\system32\perfc00A.dat (OUTLOOK.EXE)
- File created: C:\Windows\system32\perfh011.dat (OUTLOOK.EXE)
- File created: C:\Windows\SysWOW64\PerfStringBackup.TMP (OUTLOOK.EXE)
- File created: C:\Windows\system32\perfc00C.dat (OUTLOOK.EXE)
- File created: C:\Windows\system32\perfh00C.dat (OUTLOOK.EXE)
- File created: C:\Windows\system32\perfh010.dat (OUTLOOK.EXE)
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
- PID 592 MsiExec.exe
- PID 996 CI9.5.exe
Drops file in Windows directory 13 IoCs
Processes:
- File opened for modification: C:\Windows\Installer\6c1d13.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI1DED.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI37A8.tmp (msiexec.exe)
- File opened for modification: C:\Windows\inf\Outlook\outlperf.h (OUTLOOK.EXE)
- File created: C:\Windows\Installer\6c1d13.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI27FC.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI286B.tmp (msiexec.exe)
- File created: C:\Windows\Installer\6c1d15.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI37E7.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\6c1d15.ipi (msiexec.exe)
- File created: C:\Windows\inf\Outlook\outlperf.h (OUTLOOK.EXE)
- File created: C:\Windows\inf\Outlook\0009\outlperf.ini (OUTLOOK.EXE)
Modifies Internet Explorer settings 12 IoCs
Processes:
- Set value (int): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (OUTLOOK.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No" (CI9.5.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No" (CI9.5.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (OUTLOOK.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt (OUTLOOK.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (OUTLOOK.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (OUTLOOK.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (OUTLOOK.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (OUTLOOK.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "No" (CI9.5.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar (OUTLOOK.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (OUTLOOK.EXE)
Modifies registry class 64 IoCs
Processes: OUTLOOK.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
- HTTP User-Agent header (flow 12): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
- PID 996 CI9.5.exe
- PID 548 OUTLOOK.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
- PID 2028 msiexec.exe (2 IoCs)
- PID 592 MsiExec.exe (2 IoCs)
- PID 996 CI9.5.exe (1 IoC)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 548 OUTLOOK.EXE
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes:
- msiexec.exe PID 1328, Token (31 IoCs, in report order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- msiexec.exe PID 2028, Token (21 IoCs): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, followed by SeRestorePrivilege and SeTakeOwnershipPrivilege alternating for nine further pairs
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
- PID 1328 msiexec.exe (2 IoCs)
- PID 996 CI9.5.exe (3 IoCs)
- PID 548 OUTLOOK.EXE (3 IoCs)
Suspicious use of SendNotifyMessage 5 IoCs
Processes:
- PID 996 CI9.5.exe (3 IoCs)
- PID 548 OUTLOOK.EXE (2 IoCs)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 996 CI9.5.exe
- PID 548 OUTLOOK.EXE
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
- PID 2028 msiexec.exe wrote to memory of PID 592 MsiExec.exe (7 IoCs)
- PID 592 MsiExec.exe wrote to memory of PID 996 CI9.5.exe (4 IoCs)
outlook_win_path 1 IoCs
Processes:
- Key queried: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (OUTLOOK.EXE)
Processes
-
C:\Windows\system32\msiexec.exe (tree depth 1)
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Fact63867.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe (tree depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exe (tree depth 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding FC29856E33815918B1DB031232572417
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ubJq6elBW\CI9.5.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\ubJq6elBW\CI9.5.exe" "C:\Users\Admin\AppData\Roaming\ubJq6elBW\CI9.5.ahk"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE (tree depth 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\ubJq6elBW\CI9.5.ahk
Filesize: 183B
MD5: a78489926d3672d229eab3f9c8c23bae
SHA1: 783d99204ddc7a1c3bba7e9f48ccd65c5f56fc9b
SHA256: 07e6a2c9a716ffebc7af7c2cda06419e085cd079e2ffb0821b2049a066f2fed2
SHA512: 9620d904b963e345dc91ec378c7f5b6590d6f728e80f97c851427a20b91bf878e3dbbde8d0fbf129f83ffc9b748ee3265c39d294feb14bc260a84ba09a80b74f
-
C:\Users\Admin\AppData\Roaming\ubJq6elBW\CI9.5.exe (also listed as \Users\Admin\AppData\Roaming\ubJq6elBW\CI9.5.exe, same hashes)
Filesize: 889KB
MD5: 03c469798bf1827d989f09f346ce95f7
SHA1: 05e491bc1b8fbfbfdca24b565f2464137f30691e
SHA256: de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a
SHA512: d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238
-
C:\Users\Admin\AppData\Roaming\ubJq6elBW\lqfcokdmym.zkl (also listed as \Users\Admin\AppData\Roaming\ubJq6elBW\lqfcokdmym.zkl, same hashes)
Filesize: 11.1MB
MD5: e285914e9a3566935297e68dce21f06b
SHA1: eef34022b4077139c770b7b132843ad4c5125878
SHA256: 36d8e17d5ffb53127544b18a4b1770cac29d4eebe7b5af7968e8d760ddca0529
SHA512: 33b8750cae07a61b43e913ead9a57f31ce63a12c99bf9f7eaa872ebd262957841463765fd8d0d8ab93e351b8da034b2bcdbb0a0329e7a9fdaa565fd2a3e5cd95
-
C:\Windows\Installer\MSI1DED.tmp, C:\Windows\Installer\MSI27FC.tmp and C:\Windows\Installer\MSI286B.tmp (identical hashes; also listed under the drive-less paths \Windows\Installer\MSI1DED.tmp, \Windows\Installer\MSI27FC.tmp and \Windows\Installer\MSI286B.tmp)
Filesize: 376KB
MD5: e12c5bcc254c953b1a46d1434804f4d2
SHA1: 99f67acf34af1294f3c6e5eb521c862e1c772397
SHA256: 5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA512: 9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
C:\Windows\Installer\MSI37E7.tmp (also listed as \Windows\Installer\MSI37E7.tmp, same hashes)
Filesize: 5.6MB
MD5: afb959b80485c54d9826079f19f082fb
SHA1: 1ccd9c54b0cbcf2430bf7e6da9b3848702cf0b2c
SHA256: 50c6fd23e092687df69dfd82ed40e14fe55e667a47e8dd2884ab936de75d7a4f
SHA512: c0165196d2ca411dc15e34cb9d30bd09a14a0049c78d6c6e647ea55d5de6f84f3c2813db56e5fe19f26c901690d55145835d317826bbe7aded898515a4f690c8
-
\Users\Admin\AppData\Local\Temp\4207d22d.dll
Filesize: 8KB
MD5: d8f4ab8284f0fda871d6834e24bc6f37
SHA1: 641948e44a1dcfd0ef68910768eb4b1ea6b49d10
SHA256: c09d0790e550694350b94ca6b077c54f983c135fab8990df5a75462804150912
SHA512: f65a916041846718306567d33273c3d0f41e0b26589cf6db46ec6c788ba0d87a708c94979d3bd0609142badca9e7129690b92169a07dcf7cd8c66698827d2fa0