f085f0ece42084f2ce26c28a27ebc9457ae32b2ecd632b3073500b7e17805659

General

Target

Doc-102PO-207841001jpg.exe
Size

2.1MB
MD5

0596aefc251ba32dcb538593b0616568
SHA1

9ceb68e35b93711e8247512c21ad2ccd6b8da938
SHA256

f085f0ece42084f2ce26c28a27ebc9457ae32b2ecd632b3073500b7e17805659
SHA512

da0d4d63ce9ecfc3d892b20f55be6769a5d28a77d9c3b7f4cb22abc51e3be604c102c1e6b7c4d7464dc8dc3f4730b204654c82292ad8899004e90cd7b4a66a5d
SSDEEP

49152:gbB0FQB5MLPlG5/8uMLq0u5hRD5pbjX7i4l8B/oy6kRMF4mK/LPS/yYCxL:g90sW0dRfj7O/oyBqi/TS/yYCxL

Score

7^/10

collection persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Doc-102PO-207841001jpg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Doc-102PO-207841001jpg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

Processes:

Doc-102PO-207841001jpg.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Doc-102PO-207841001jpg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Doc-102PO-207841001jpg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Coxsx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Vfiatkcr\\Coxsx.exe\""	Doc-102PO-207841001jpg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Doc-102PO-207841001jpg.exe

description pid process target process

PID 5028 set thread context of 4788 5028 Doc-102PO-207841001jpg.exe Doc-102PO-207841001jpg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

4952 ipconfig.exe
4444 ipconfig.exe

description	pid	process	target process
PID 5028 set thread context of 4788	5028	Doc-102PO-207841001jpg.exe	Doc-102PO-207841001jpg.exe

pid	process
4952	ipconfig.exe
4444	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exeDoc-102PO-207841001jpg.exe

pid	process
5064	powershell.exe
5064	powershell.exe
4788	Doc-102PO-207841001jpg.exe
4788	Doc-102PO-207841001jpg.exe
4788	Doc-102PO-207841001jpg.exe
4788	Doc-102PO-207841001jpg.exe
4788	Doc-102PO-207841001jpg.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Doc-102PO-207841001jpg.exepowershell.exeDoc-102PO-207841001jpg.exe

description	pid	process
Token: SeDebugPrivilege	5028	Doc-102PO-207841001jpg.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	4788	Doc-102PO-207841001jpg.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Doc-102PO-207841001jpg.execmd.execmd.exe

description	pid	process	target process
PID 5028 wrote to memory of 2180	5028	Doc-102PO-207841001jpg.exe	cmd.exe
PID 5028 wrote to memory of 2180	5028	Doc-102PO-207841001jpg.exe	cmd.exe
PID 2180 wrote to memory of 4952	2180	cmd.exe	ipconfig.exe
PID 2180 wrote to memory of 4952	2180	cmd.exe	ipconfig.exe
PID 5028 wrote to memory of 5064	5028	Doc-102PO-207841001jpg.exe	powershell.exe
PID 5028 wrote to memory of 5064	5028	Doc-102PO-207841001jpg.exe	powershell.exe
PID 5028 wrote to memory of 3772	5028	Doc-102PO-207841001jpg.exe	cmd.exe
PID 5028 wrote to memory of 3772	5028	Doc-102PO-207841001jpg.exe	cmd.exe
PID 3772 wrote to memory of 4444	3772	cmd.exe	ipconfig.exe
PID 3772 wrote to memory of 4444	3772	cmd.exe	ipconfig.exe
PID 5028 wrote to memory of 4788	5028	Doc-102PO-207841001jpg.exe	Doc-102PO-207841001jpg.exe
PID 5028 wrote to memory of 4788	5028	Doc-102PO-207841001jpg.exe	Doc-102PO-207841001jpg.exe
PID 5028 wrote to memory of 4788	5028	Doc-102PO-207841001jpg.exe	Doc-102PO-207841001jpg.exe
PID 5028 wrote to memory of 4788	5028	Doc-102PO-207841001jpg.exe	Doc-102PO-207841001jpg.exe
PID 5028 wrote to memory of 4788	5028	Doc-102PO-207841001jpg.exe	Doc-102PO-207841001jpg.exe
PID 5028 wrote to memory of 4788	5028	Doc-102PO-207841001jpg.exe	Doc-102PO-207841001jpg.exe

outlook_office_path 1 IoCs

Processes:

Doc-102PO-207841001jpg.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe

outlook_win_path 1 IoCs

Processes:

Doc-102PO-207841001jpg.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Doc-102PO-207841001jpg.exe

C:\Users\Admin\AppData\Local\Temp\Doc-102PO-207841001jpg.exe
"C:\Users\Admin\AppData\Local\Temp\Doc-102PO-207841001jpg.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig/release
2⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:4952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig/renew
2⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\system32\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:4444

C:\Users\Admin\AppData\Local\Temp\Doc-102PO-207841001jpg.exe
C:\Users\Admin\AppData\Local\Temp\Doc-102PO-207841001jpg.exe
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Doc-102PO-207841001jpg.exe.log
Filesize
1KB

MD5
819dc687f4da92e5850508c10429fc9f

SHA1
d3441a3c46ddc99d03583be6b2ab02615baa60be

SHA256
357a8ea90e614160a9179ac7eb5e3ff159855a037b1bd0deecbd7d3e3a243119

SHA512
671735133e2643d2ec84511cb0a89dad9082e6255020fef4cd4e37b7a7207a06a36f4f22c646ce6854d6e244b2b9e090dc87aa3309a349d5b20a1a014bf1f7ee

Download Submit
memory/2180-135-0x0000000000000000-mapping.dmp

Download
memory/3772-142-0x0000000000000000-mapping.dmp

Download
memory/4444-143-0x0000000000000000-mapping.dmp

Download
memory/4788-150-0x00007FFA10A30000-0x00007FFA114F1000-memory.dmp

Filesize
10.8MB

Download
memory/4788-148-0x00007FFA10A30000-0x00007FFA114F1000-memory.dmp

Filesize
10.8MB

Download
memory/4788-146-0x00007FFA10A30000-0x00007FFA114F1000-memory.dmp

Filesize
10.8MB

Download
memory/4788-144-0x0000000140000000-0x0000000140098000-memory.dmp

Filesize
608KB

Download
memory/4788-145-0x0000000140000000-mapping.dmp

Download
memory/4952-136-0x0000000000000000-mapping.dmp

Download
memory/5028-139-0x00007FFA10A30000-0x00007FFA114F1000-memory.dmp

Filesize
10.8MB

Download
memory/5028-147-0x00007FFA10A30000-0x00007FFA114F1000-memory.dmp

Filesize
10.8MB

Download
memory/5028-132-0x000001ED907F0000-0x000001ED90A0A000-memory.dmp

Filesize
2.1MB

Download
memory/5028-134-0x000001EDAAED0000-0x000001EDAAEF2000-memory.dmp

Filesize
136KB

Download
memory/5028-133-0x00007FFA10A30000-0x00007FFA114F1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-141-0x00007FFA10A30000-0x00007FFA114F1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-140-0x00007FFA10A30000-0x00007FFA114F1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-138-0x00007FFA10A30000-0x00007FFA114F1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads