861bc492e059dd01b309812ef24197e64ce23c32dcb09af887cffab4399bde1c

Analysis

max time kernel
143s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe
Size

2.0MB
MD5

72fb4b278b6a9927a7d8a7801e5bb672
SHA1

7c27b347c171974bc21697165177c93717b8fc30
SHA256

7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59
SHA512

49c752c3773b998e7ecce4d2acbcfe769c0e6ae0b2661e99085614982a840ad15c682344c4554478bfe6f9ed6fa9e5dc7d8cfd122db6e69b7ecd6de1398adf38
SSDEEP

49152:qL8Zj+zbbJ+ejFvwvHw+SKZDH/CQesuengxRztOQxHAfS:rj+n1+e2o9WCkNnYFtOQxH8

Score

7^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

4IQ909YE.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 4IQ909YE.exe
Executes dropped EXE 2 IoCs

Processes:

Jl8SY93.exe4IQ909YE.exe

pid process

2272 Jl8SY93.exe
2860 4IQ909YE.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	4IQ909YE.exe

pid	process
2272	Jl8SY93.exe
2860	4IQ909YE.exe

Loads dropped DLL 11 IoCs

Processes:

7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exeJl8SY93.exe4IQ909YE.exeWerFault.exe

pid	process
3028	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe
2272	Jl8SY93.exe
2272	Jl8SY93.exe
2860	4IQ909YE.exe
2860	4IQ909YE.exe
2860	4IQ909YE.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

4IQ909YE.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4IQ909YE.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4IQ909YE.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4IQ909YE.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exeJl8SY93.exe4IQ909YE.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Jl8SY93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	4IQ909YE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ipinfo.io
4 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

4IQ909YE.exe

pid process

2860 4IQ909YE.exe
2860 4IQ909YE.exe
2860 4IQ909YE.exe
2860 4IQ909YE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2948 2860 WerFault.exe 4IQ909YE.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2736 schtasks.exe
2576 schtasks.exe

flow	ioc
3	ipinfo.io
4	ipinfo.io

pid	process
2860	4IQ909YE.exe
2860	4IQ909YE.exe
2860	4IQ909YE.exe
2860	4IQ909YE.exe

pid	pid_target	process	target process
2948	2860	WerFault.exe	4IQ909YE.exe

pid	process
2736	schtasks.exe
2576	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

4IQ909YE.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4IQ909YE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4IQ909YE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4IQ909YE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	4IQ909YE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4IQ909YE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4IQ909YE.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4IQ909YE.exe

pid process

2860 4IQ909YE.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4IQ909YE.exe

description pid process

Token: SeDebugPrivilege 2860 4IQ909YE.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4IQ909YE.exe

pid process

2860 4IQ909YE.exe

pid	process
2860	4IQ909YE.exe

description	pid	process
Token: SeDebugPrivilege	2860	4IQ909YE.exe

pid	process
2860	4IQ909YE.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exeJl8SY93.exe4IQ909YE.execmd.execmd.exe

description	pid	process	target process
PID 3028 wrote to memory of 2272	3028	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe	Jl8SY93.exe
PID 3028 wrote to memory of 2272	3028	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe	Jl8SY93.exe
PID 3028 wrote to memory of 2272	3028	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe	Jl8SY93.exe
PID 3028 wrote to memory of 2272	3028	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe	Jl8SY93.exe
PID 3028 wrote to memory of 2272	3028	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe	Jl8SY93.exe
PID 3028 wrote to memory of 2272	3028	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe	Jl8SY93.exe
PID 3028 wrote to memory of 2272	3028	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe	Jl8SY93.exe
PID 2272 wrote to memory of 2860	2272	Jl8SY93.exe	4IQ909YE.exe
PID 2272 wrote to memory of 2860	2272	Jl8SY93.exe	4IQ909YE.exe
PID 2272 wrote to memory of 2860	2272	Jl8SY93.exe	4IQ909YE.exe
PID 2272 wrote to memory of 2860	2272	Jl8SY93.exe	4IQ909YE.exe
PID 2272 wrote to memory of 2860	2272	Jl8SY93.exe	4IQ909YE.exe
PID 2272 wrote to memory of 2860	2272	Jl8SY93.exe	4IQ909YE.exe
PID 2272 wrote to memory of 2860	2272	Jl8SY93.exe	4IQ909YE.exe
PID 2860 wrote to memory of 2592	2860	4IQ909YE.exe	cmd.exe
PID 2860 wrote to memory of 2592	2860	4IQ909YE.exe	cmd.exe
PID 2860 wrote to memory of 2592	2860	4IQ909YE.exe	cmd.exe
PID 2860 wrote to memory of 2592	2860	4IQ909YE.exe	cmd.exe
PID 2860 wrote to memory of 2592	2860	4IQ909YE.exe	cmd.exe
PID 2860 wrote to memory of 2592	2860	4IQ909YE.exe	cmd.exe
PID 2860 wrote to memory of 2592	2860	4IQ909YE.exe	cmd.exe
PID 2592 wrote to memory of 2736	2592	cmd.exe	schtasks.exe
PID 2592 wrote to memory of 2736	2592	cmd.exe	schtasks.exe
PID 2592 wrote to memory of 2736	2592	cmd.exe	schtasks.exe
PID 2592 wrote to memory of 2736	2592	cmd.exe	schtasks.exe
PID 2592 wrote to memory of 2736	2592	cmd.exe	schtasks.exe
PID 2592 wrote to memory of 2736	2592	cmd.exe	schtasks.exe
PID 2592 wrote to memory of 2736	2592	cmd.exe	schtasks.exe
PID 2860 wrote to memory of 2628	2860	4IQ909YE.exe	cmd.exe
PID 2860 wrote to memory of 2628	2860	4IQ909YE.exe	cmd.exe
PID 2860 wrote to memory of 2628	2860	4IQ909YE.exe	cmd.exe
PID 2860 wrote to memory of 2628	2860	4IQ909YE.exe	cmd.exe
PID 2860 wrote to memory of 2628	2860	4IQ909YE.exe	cmd.exe
PID 2860 wrote to memory of 2628	2860	4IQ909YE.exe	cmd.exe
PID 2860 wrote to memory of 2628	2860	4IQ909YE.exe	cmd.exe
PID 2628 wrote to memory of 2576	2628	cmd.exe	schtasks.exe
PID 2628 wrote to memory of 2576	2628	cmd.exe	schtasks.exe
PID 2628 wrote to memory of 2576	2628	cmd.exe	schtasks.exe
PID 2628 wrote to memory of 2576	2628	cmd.exe	schtasks.exe
PID 2628 wrote to memory of 2576	2628	cmd.exe	schtasks.exe
PID 2628 wrote to memory of 2576	2628	cmd.exe	schtasks.exe
PID 2628 wrote to memory of 2576	2628	cmd.exe	schtasks.exe
PID 2860 wrote to memory of 2948	2860	4IQ909YE.exe	WerFault.exe
PID 2860 wrote to memory of 2948	2860	4IQ909YE.exe	WerFault.exe
PID 2860 wrote to memory of 2948	2860	4IQ909YE.exe	WerFault.exe
PID 2860 wrote to memory of 2948	2860	4IQ909YE.exe	WerFault.exe
PID 2860 wrote to memory of 2948	2860	4IQ909YE.exe	WerFault.exe
PID 2860 wrote to memory of 2948	2860	4IQ909YE.exe	WerFault.exe
PID 2860 wrote to memory of 2948	2860	4IQ909YE.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

4IQ909YE.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4IQ909YE.exe

outlook_win_path 1 IoCs

Processes:

4IQ909YE.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4IQ909YE.exe

C:\Users\Admin\AppData\Local\Temp\7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe
"C:\Users\Admin\AppData\Local\Temp\7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jl8SY93.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jl8SY93.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4IQ909YE.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4IQ909YE.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2860

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
4⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:2736

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 2400
4⤵
- Loads dropped DLL
- Program crash
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8428d9eba966084b419c8a8df2bb63b2

SHA1
1991bed16f3b068448938350ccbf1e5583d45b3d

SHA256
70478c29bd019fc0f0eb0355f3761795a567fb3df1009b3ca18f5bb72e2e4939

SHA512
61c32cbff57a29307ff1b71a41ffd14a8e8c90606d50ddfa2614d4ec27628199a03de1664c0a211a9ab9c993118add9102863defd493575bf362c563760775a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9A8D.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9B4B.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSVBT27KoUAfUm\Aj5OJMiceDm1Web Data
Filesize
92KB

MD5
c5ab22deca134f4344148b20687651f4

SHA1
c36513b27480dc2d134cefb29a44510a00ec988d

SHA256
1e9bd8064ca87d8441e2702005ef8df9a3647d5542740737abb8a70be7ec9512

SHA512
550f45132525e967d749106b9d3b114d17b066967527bfd5c66613d61b6f3995f87b0f3c09def19eed14b5b757f2501645b5103505d126f1dd66994f50e1257e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jl8SY93.exe
Filesize
1.9MB

MD5
cee5de19d672a855630b8ad8019d5e60

SHA1
39c084e2901d3aeddab3aaf51947557a234014fc

SHA256
ef4d5dd82c521bfe741b0782bb9f32081a518a485e5cf06ef67e108caa0c57fe

SHA512
04a4238bec8d5ff4ea080bef0df60da398087dd72c982b165f585c8f47519a632ef582a2ec91283469fc586b97ae100c7fe13c067d1357dff01ecad0074386e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\4IQ909YE.exe
Filesize
1.5MB

MD5
c2111e61e7ba399ef043c265c4215de2

SHA1
a7c1289cf1e2ae758d8c1ef409a9b4b8a468da1a

SHA256
606bc55fad2b4b1ec117c8df11571f153ac95736e6fcfa8dd8874d88eaa1a48b

SHA512
9f972eb5a7725507cef4d8a597d2872466a0883ef58d3c2cf1f5e59379129e9531978c73d1cf07ad47d7877f874af8486e182778b1d3acfbebba60bfb21509de

Download Submit
\Users\Admin\AppData\Local\Temp\tempAVSVBT27KoUAfUm\sqlite3.dll
Filesize
791KB

MD5
0fe0a178f711b623a8897e4b0bb040d1

SHA1
01ea412aeab3d331f825d93d7ee1f5fa6d3c46e6

SHA256
0c7cd52abdb6eb3e556d81caac398a127495e4a251ef600e6505a81385a1982d

SHA512
6c53c489c4464b9dc9a5dd31c48bb4afa65f7d6df9cc71e705cea2074ebd5e249cad4894eac6f6b308b3574633bc6e1706dfc5fda5f46c27f1e37d21e65fbc54

Download Submit
memory/2272-20-0x00000000024F0000-0x000000000294E000-memory.dmp

Filesize
4.4MB

Download
memory/2860-37-0x00000000009D0000-0x0000000000E2E000-memory.dmp

Filesize
4.4MB

Download
memory/2860-29-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/2860-23-0x00000000009D0000-0x0000000000E2E000-memory.dmp

Filesize
4.4MB

Download
memory/2860-22-0x00000000009D0000-0x0000000000E2E000-memory.dmp

Filesize
4.4MB

Download
memory/2860-99-0x00000000009D0000-0x0000000000E2E000-memory.dmp

Filesize
4.4MB

Download
memory/2860-100-0x00000000009D0000-0x0000000000E2E000-memory.dmp

Filesize
4.4MB

Download
memory/2860-21-0x0000000001220000-0x000000000167E000-memory.dmp

Filesize
4.4MB

Download
memory/2860-140-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/2860-146-0x00000000009D0000-0x0000000000E2E000-memory.dmp

Filesize
4.4MB

Download