8acc355f817bd975a4d642082de46b9b555cd78cf41f1bcb9049157fb9ad33fa

Analysis

max time kernel
143s
max time network
157s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exe
Size

2.0MB
MD5

18d1a10285383dbf8a2343e4b9c1fc3c
SHA1

e0a53fa4e9f303e87dfe612a9495290ea27e21d3
SHA256

952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534
SHA512

d3000f6115555a836661617e36c5af4bc61acfdff5b51b94136b8497de3a2b8d4b449dc1307726f434774500e960ae6f0f0c5bda94a041ca384f17cfbd32da46
SSDEEP

49152:MvVl3ySej9XajZGssKdpH/AoBbuejcxh7ZOGx74fp:a3CSekIT+AUNjMFZOGx70

Score

7^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

4tK193Ap.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 4tK193Ap.exe
Executes dropped EXE 2 IoCs

Processes:

gO8uT51.exe4tK193Ap.exe

pid process

1508 gO8uT51.exe
2740 4tK193Ap.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	4tK193Ap.exe

pid	process
1508	gO8uT51.exe
2740	4tK193Ap.exe

Loads dropped DLL 11 IoCs

Processes:

952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exegO8uT51.exe4tK193Ap.exeWerFault.exe

pid	process
2068	952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exe
1508	gO8uT51.exe
1508	gO8uT51.exe
2740	4tK193Ap.exe
2740	4tK193Ap.exe
2740	4tK193Ap.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

4tK193Ap.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4tK193Ap.exe
Key opened	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4tK193Ap.exe
Key opened	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4tK193Ap.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4tK193Ap.exe952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exegO8uT51.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	4tK193Ap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gO8uT51.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ipinfo.io
4 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

4tK193Ap.exe

pid process

2740 4tK193Ap.exe
2740 4tK193Ap.exe
2740 4tK193Ap.exe
2740 4tK193Ap.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1900 2740 WerFault.exe 4tK193Ap.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2628 schtasks.exe
2592 schtasks.exe

flow	ioc
3	ipinfo.io
4	ipinfo.io

pid	process
2740	4tK193Ap.exe
2740	4tK193Ap.exe
2740	4tK193Ap.exe
2740	4tK193Ap.exe

pid	pid_target	process	target process
1900	2740	WerFault.exe	4tK193Ap.exe

pid	process
2628	schtasks.exe
2592	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

4tK193Ap.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	4tK193Ap.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4tK193Ap.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4tK193Ap.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4tK193Ap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4tK193Ap.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4tK193Ap.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4tK193Ap.exe

pid process

2740 4tK193Ap.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4tK193Ap.exe

description pid process

Token: SeDebugPrivilege 2740 4tK193Ap.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4tK193Ap.exe

pid process

2740 4tK193Ap.exe

pid	process
2740	4tK193Ap.exe

description	pid	process
Token: SeDebugPrivilege	2740	4tK193Ap.exe

pid	process
2740	4tK193Ap.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exegO8uT51.exe4tK193Ap.execmd.execmd.exe

description	pid	process	target process
PID 2068 wrote to memory of 1508	2068	952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exe	gO8uT51.exe
PID 2068 wrote to memory of 1508	2068	952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exe	gO8uT51.exe
PID 2068 wrote to memory of 1508	2068	952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exe	gO8uT51.exe
PID 2068 wrote to memory of 1508	2068	952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exe	gO8uT51.exe
PID 2068 wrote to memory of 1508	2068	952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exe	gO8uT51.exe
PID 2068 wrote to memory of 1508	2068	952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exe	gO8uT51.exe
PID 2068 wrote to memory of 1508	2068	952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exe	gO8uT51.exe
PID 1508 wrote to memory of 2740	1508	gO8uT51.exe	4tK193Ap.exe
PID 1508 wrote to memory of 2740	1508	gO8uT51.exe	4tK193Ap.exe
PID 1508 wrote to memory of 2740	1508	gO8uT51.exe	4tK193Ap.exe
PID 1508 wrote to memory of 2740	1508	gO8uT51.exe	4tK193Ap.exe
PID 1508 wrote to memory of 2740	1508	gO8uT51.exe	4tK193Ap.exe
PID 1508 wrote to memory of 2740	1508	gO8uT51.exe	4tK193Ap.exe
PID 1508 wrote to memory of 2740	1508	gO8uT51.exe	4tK193Ap.exe
PID 2740 wrote to memory of 2780	2740	4tK193Ap.exe	cmd.exe
PID 2740 wrote to memory of 2780	2740	4tK193Ap.exe	cmd.exe
PID 2740 wrote to memory of 2780	2740	4tK193Ap.exe	cmd.exe
PID 2740 wrote to memory of 2780	2740	4tK193Ap.exe	cmd.exe
PID 2740 wrote to memory of 2780	2740	4tK193Ap.exe	cmd.exe
PID 2740 wrote to memory of 2780	2740	4tK193Ap.exe	cmd.exe
PID 2740 wrote to memory of 2780	2740	4tK193Ap.exe	cmd.exe
PID 2780 wrote to memory of 2628	2780	cmd.exe	schtasks.exe
PID 2780 wrote to memory of 2628	2780	cmd.exe	schtasks.exe
PID 2780 wrote to memory of 2628	2780	cmd.exe	schtasks.exe
PID 2780 wrote to memory of 2628	2780	cmd.exe	schtasks.exe
PID 2780 wrote to memory of 2628	2780	cmd.exe	schtasks.exe
PID 2780 wrote to memory of 2628	2780	cmd.exe	schtasks.exe
PID 2780 wrote to memory of 2628	2780	cmd.exe	schtasks.exe
PID 2740 wrote to memory of 2640	2740	4tK193Ap.exe	cmd.exe
PID 2740 wrote to memory of 2640	2740	4tK193Ap.exe	cmd.exe
PID 2740 wrote to memory of 2640	2740	4tK193Ap.exe	cmd.exe
PID 2740 wrote to memory of 2640	2740	4tK193Ap.exe	cmd.exe
PID 2740 wrote to memory of 2640	2740	4tK193Ap.exe	cmd.exe
PID 2740 wrote to memory of 2640	2740	4tK193Ap.exe	cmd.exe
PID 2740 wrote to memory of 2640	2740	4tK193Ap.exe	cmd.exe
PID 2640 wrote to memory of 2592	2640	cmd.exe	schtasks.exe
PID 2640 wrote to memory of 2592	2640	cmd.exe	schtasks.exe
PID 2640 wrote to memory of 2592	2640	cmd.exe	schtasks.exe
PID 2640 wrote to memory of 2592	2640	cmd.exe	schtasks.exe
PID 2640 wrote to memory of 2592	2640	cmd.exe	schtasks.exe
PID 2640 wrote to memory of 2592	2640	cmd.exe	schtasks.exe
PID 2640 wrote to memory of 2592	2640	cmd.exe	schtasks.exe
PID 2740 wrote to memory of 1900	2740	4tK193Ap.exe	WerFault.exe
PID 2740 wrote to memory of 1900	2740	4tK193Ap.exe	WerFault.exe
PID 2740 wrote to memory of 1900	2740	4tK193Ap.exe	WerFault.exe
PID 2740 wrote to memory of 1900	2740	4tK193Ap.exe	WerFault.exe
PID 2740 wrote to memory of 1900	2740	4tK193Ap.exe	WerFault.exe
PID 2740 wrote to memory of 1900	2740	4tK193Ap.exe	WerFault.exe
PID 2740 wrote to memory of 1900	2740	4tK193Ap.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

4tK193Ap.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4tK193Ap.exe

outlook_win_path 1 IoCs

Processes:

4tK193Ap.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4tK193Ap.exe

C:\Users\Admin\AppData\Local\Temp\952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exe
"C:\Users\Admin\AppData\Local\Temp\952317229d1e77340b65639145073369a7e1a0a38718e05819c9c4791ecd5534.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gO8uT51.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gO8uT51.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4tK193Ap.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4tK193Ap.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2740

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
4⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:2628

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 2420
4⤵
- Loads dropped DLL
- Program crash
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
06ac7269ff88878634bc805ad0d6079d

SHA1
bee17309be0572a84af486bf5c17a2db4dc1eb5b

SHA256
d2eb01c950214f79e65b425ffd9b9bf1007192035a7ffef76a25fd7c61a2d4ea

SHA512
de16c4461d0e7f895922c27ab62c2a5dcdd0ca9a3b46f3c5b440b7a347dd06b2c129744cb641dfc17f7ea68eb6a2c2979df255245bd5cd29cb11caf7e1a72bf3

Download Submit
C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
Filesize
659KB

MD5
158aeb131b192de93861009be8d0437f

SHA1
b86f1a8c0992c3693de03aaca6e43aeda09f9302

SHA256
fc5ee59902d078e6348c71966759e2e0a00b7aed70380bb80bdbdc8b6777a0ea

SHA512
111d51894b5ea4648746cbedab02afcf60bcd70ba5668d04f60c9eb2fd1edcc63f8620a42854764f02d550dcf58482608978d33482128391e06849c57b1de266

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD1A3.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gO8uT51.exe
Filesize
223KB

MD5
333f6f91403710ca60b46143c6010068

SHA1
00fd04565b65d600ddc239ef5dc08e9b87125374

SHA256
99285ec6893753a0b1cc7337121f2581e3d4ce726addf4217371a2b122b838e9

SHA512
d0cc10b1a36d671c6213f7fe60ae4c6dcb64cf4c810206a8cfa63f00e128557e48e98664397e9dd442ff84ab2e762f6773ae418f5b0e8456743e7e59724119e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gO8uT51.exe
Filesize
392KB

MD5
89d3869d0547fe9351c369b68676243d

SHA1
30eda8650b92bbc1f936194f028ec05737ea4af3

SHA256
93498ef4ba30a8babb45249657bb0fbadc90bbb7c787fd5d3a5d66c328855750

SHA512
3874b9a4e6e7a00fe0452ee0938a82e35609666928fb801b9b6cea75d90f3a4051e455f9e9b395f202cd7b5d02591c9dd3ce6b4d0572e3f206412561fa9c719b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4tK193Ap.exe
Filesize
22KB

MD5
13f6993f7c00f4c09efc70a2dd8e3898

SHA1
40179af9f041e1709c9c6072ad6144f633605fa5

SHA256
ca6be28900b0c38bc74fe75274998d63f4002858c6c43a59c133618b2da5989b

SHA512
7a647405c9b859525875684a68d93819e04f52625186d2089d6de483517da1c251e8137ae3de52901833969645032e492da2659e022fcdc13e61cdfa31fc092b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4tK193Ap.exe
Filesize
5KB

MD5
ad4fe48e470214e21f3a324ae44511f9

SHA1
b00686c34741b4f3325b6083cbba61f83f59613b

SHA256
3a79c599970598ac9c02b276e23adb1515081abffa62a251739a3ca843e0f8bb

SHA512
3c0460109704fb9e22160ec1b3a7c85a60bc064941517de33a7fdb896e6cf69accd1a8c62242d3caa78a93eea143f30c87391d014cb7611969d1c32abc8e4f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD232.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSrxfD2gQCHYYp\AVlmIvd7IgrwWeb Data
Filesize
92KB

MD5
38a918d4a69a50fed0c73514cf46360c

SHA1
4eb300432ac32153a8653f6ecf1a4f49f1704609

SHA256
553a0a40f1c41da21597416a6bc540f5054b3c90a1b7ba7a3c79952338c24a6a

SHA512
c19fd6815bda5c0f315bd0ff3f43a4951173e2d9d04f719f0c8fc93743e007903bf66c9a59c5af6804cf83f94b6e9a6d8859eb4bb06c23154613454d43db3e7f

Download Submit
\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
Filesize
953KB

MD5
a491b39e0cec4ed2cb9d210de8e592a6

SHA1
c640562c39a26c5ee3b4c3e8afe8b038c20ec202

SHA256
8425c27fc07c3196e85cd891f37ed79bb91d859ca3239e657afbc956df202902

SHA512
284b3356f9bd88d99ee7e266aab60b0f29e11c6b34f8d8c02e0cf1fa664af3d454bb88ec0279c5ef52e5b74bb47bf8b047cd31f9e98c59fc04cf6337248a7a5a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\gO8uT51.exe
Filesize
172KB

MD5
20de40075d9e0f3ba49aea9c2eee53f4

SHA1
67cbe5e341f0fb76ec44c9196a406f440f81478c

SHA256
20aab827f6512756843f472b3ec261b9cf9476c0efe792c83564acc1d0618bff

SHA512
b99ef204b46c9c3ea2ea328ea4f40d6f48996e9d1f78e4cb952d30762f67dfdba14b67870595f536a81603d6700fa9a79a44c36f6e78a938a07e9adc97fbcb7a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\gO8uT51.exe
Filesize
303KB

MD5
2c31a33ef6021a1edca82b175ca90ea2

SHA1
2e35b15a8d4fc28d296aaf3c440528b7c747c899

SHA256
f0fb655c13cc8b61e246dd01269f3b447923f7cfca834300679bd5da6265a7f3

SHA512
d6ab7c1f600dbe17ebfd627de019e5f23668c88d25f6b046ebc459106c6d90727c51c45aa60b76ce55db856f5b96172edc7fc586b3ef2a7c805a5e7f50b9d62d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\4tK193Ap.exe
Filesize
167KB

MD5
85484287b099afc5df72bf88a23b077b

SHA1
de54d2b05f668c68ad76e48bdb31456a837fb515

SHA256
f3efc651db5e0b5a2445266d3609a6d71d5196ae950b06f49a547c8edb72a94c

SHA512
10fae2307362be4208a62e4fd4a54c70b5ec81b6b3a5616b5e9261cf8e57835f92f4543de66c18ee2abaa5a587a5ff5733531f666c025826e38f714638eeb1c8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\4tK193Ap.exe
Filesize
1.5MB

MD5
c2111e61e7ba399ef043c265c4215de2

SHA1
a7c1289cf1e2ae758d8c1ef409a9b4b8a468da1a

SHA256
606bc55fad2b4b1ec117c8df11571f153ac95736e6fcfa8dd8874d88eaa1a48b

SHA512
9f972eb5a7725507cef4d8a597d2872466a0883ef58d3c2cf1f5e59379129e9531978c73d1cf07ad47d7877f874af8486e182778b1d3acfbebba60bfb21509de

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\4tK193Ap.exe
Filesize
45KB

MD5
0c01e033c653f5590e3e70fe9309f3b1

SHA1
7c9fccbf071544c986df0222783e8add4d92b51a

SHA256
ef6639f3cfc5f9825a745707cd8ed29be60d5cce2f90c2f480c0f70400d04b5f

SHA512
24b8c05b1ce061dd69499bd1d69c051207870c377ac3dd2ba58f13760c0e529449608b24b3d02cbd1eb7dbd10cdf203d802d745dd5292c8d3e39e8f9dd53a642

Download Submit
\Users\Admin\AppData\Local\Temp\tempAVSrxfD2gQCHYYp\sqlite3.dll
Filesize
791KB

MD5
0fe0a178f711b623a8897e4b0bb040d1

SHA1
01ea412aeab3d331f825d93d7ee1f5fa6d3c46e6

SHA256
0c7cd52abdb6eb3e556d81caac398a127495e4a251ef600e6505a81385a1982d

SHA512
6c53c489c4464b9dc9a5dd31c48bb4afa65f7d6df9cc71e705cea2074ebd5e249cad4894eac6f6b308b3574633bc6e1706dfc5fda5f46c27f1e37d21e65fbc54

Download Submit
memory/1508-18-0x0000000002840000-0x0000000002C9E000-memory.dmp

Filesize
4.4MB

Download
memory/1508-38-0x0000000002840000-0x0000000002C9E000-memory.dmp

Filesize
4.4MB

Download
memory/2740-33-0x0000000000890000-0x0000000000CEE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-30-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/2740-23-0x0000000000890000-0x0000000000CEE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-22-0x0000000000890000-0x0000000000CEE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-133-0x0000000000890000-0x0000000000CEE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-134-0x00000000012B0000-0x000000000170E000-memory.dmp

Filesize
4.4MB

Download
memory/2740-135-0x0000000000890000-0x0000000000CEE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-136-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/2740-138-0x0000000000890000-0x0000000000CEE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-21-0x00000000012B0000-0x000000000170E000-memory.dmp

Filesize
4.4MB

Download
memory/2740-150-0x0000000000890000-0x0000000000CEE000-memory.dmp

Filesize
4.4MB

Download