Analysis Overview
SHA256
9d5b467c6b68ab75c8153df07b72abd63fda9bd3dfcc045cb6fb65c17b1db482
Threat Level: Known bad
The file 0257ddd147e983c710726ab6fa0f8e32 was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
A310logger
StormKitty
A310logger Executable
Reads user/profile data of web browsers
Executes dropped EXE
Reads local data of messenger clients
Loads dropped DLL
Looks up geolocation information via web service
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
outlook_win_path
outlook_office_path
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-29 19:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-29 19:53
Reported
2023-12-29 22:37
Platform
win7-20231215-en
Max time kernel
166s
Max time network
146s
Command Line
Signatures
A310logger
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
A310logger Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2904 set thread context of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe |
| PID 2268 set thread context of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe |
| PID 2268 set thread context of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe |
| PID 2268 set thread context of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe
"C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe"
C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe
"C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
Files
memory/2904-1-0x0000000000320000-0x0000000000420000-memory.dmp
memory/2904-2-0x0000000000130000-0x0000000000132000-memory.dmp
memory/2268-3-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2268-5-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2728-14-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2728-12-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2728-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2728-10-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2728-18-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2728-8-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2728-20-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2728-22-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2728-23-0x0000000073E20000-0x00000000743CB000-memory.dmp
memory/2728-24-0x0000000073E20000-0x00000000743CB000-memory.dmp
memory/2728-25-0x0000000000300000-0x0000000000340000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabFBEE.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\TarFC7D.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 343341241e30a1b70bfff96f05126807 |
| SHA1 | 7d843706d5fa4869dc5b85f3c37ca92038a69118 |
| SHA256 | 7a8eb20759d6e4ab18c18be47c6f291fda83ba052525ffe29c0697d0fb8c5a0e |
| SHA512 | bf0b68431418c00afe598be83f311de7bcfda49120e4e36a87e9bb8769cbb0cad3019faf47170e156c62b357570ea0297f5acbe9a0665c75296c4ce00a7776b6 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
| MD5 | 1bad0cbd09b05a21157d8255dc801778 |
| SHA1 | ff284bba12f011b72e20d4c9537d6c455cdbf228 |
| SHA256 | 218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9 |
| SHA512 | 4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533 |
memory/268-96-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp
memory/268-95-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp
memory/2728-97-0x0000000073E20000-0x00000000743CB000-memory.dmp
memory/2268-98-0x0000000000400000-0x0000000000430000-memory.dmp
memory/268-100-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp
memory/2308-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2308-113-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2308-115-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2308-116-0x0000000073D40000-0x00000000742EB000-memory.dmp
memory/2308-117-0x0000000002310000-0x0000000002350000-memory.dmp
memory/2308-118-0x0000000073D40000-0x00000000742EB000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a58a1539496acdb1d3745bdcbaddb0b6 |
| SHA1 | e2e5d9cee6242cc8115d410ad145c11179f223d8 |
| SHA256 | e4bebd9b8fd0f0804bca383897fd6a6b466dd92a5befdd80ee5cbb04d5678cba |
| SHA512 | 45a2da8192fe4c5d9049f96ee72347b8e95212a0920c5c55bc6d98c5325153b7ddcb8f7a3f438013cd26d3a11cb8a20829af64dc5a7afc00e036b1b4608ff336 |
memory/820-142-0x000007FEF4770000-0x000007FEF510D000-memory.dmp
memory/820-143-0x0000000000C30000-0x0000000000CB0000-memory.dmp
memory/820-144-0x000007FEF4770000-0x000007FEF510D000-memory.dmp
memory/820-145-0x000007FEF4770000-0x000007FEF510D000-memory.dmp
memory/2308-146-0x0000000073D40000-0x00000000742EB000-memory.dmp
memory/2124-156-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2124-160-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2124-162-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2124-163-0x0000000073CF0000-0x000000007429B000-memory.dmp
memory/2124-164-0x0000000000370000-0x00000000003B0000-memory.dmp
memory/2124-165-0x0000000073CF0000-0x000000007429B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ef6df9c5294251d659a547e68694972e |
| SHA1 | 095a9a3ab37455d18765eb1ddafe7bd3a9d7b6d9 |
| SHA256 | fe8edc1f54dee92df2ee2727acba577cbbb0d7bbdba399539ee89b4d54ee171b |
| SHA512 | 4373dbf67e7243c07e821c99cdca44695b4cfc9428562ad6dc0ef871f15809183742377b2737815a60603e5d58bbcf77656053469869b06e7fcd83360aa67885 |
memory/2784-189-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp
memory/2784-191-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp
memory/2784-190-0x0000000000950000-0x00000000009D0000-memory.dmp
memory/2124-192-0x0000000073CF0000-0x000000007429B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-29 19:53
Reported
2023-12-29 22:36
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
A310logger
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
A310logger Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4928 set thread context of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe |
| PID 4016 set thread context of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe |
| PID 4016 set thread context of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe |
| PID 4016 set thread context of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe
"C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe"
C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe
"C:\Users\Admin\AppData\Local\Temp\0257ddd147e983c710726ab6fa0f8e32.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 97.114.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
memory/4928-1-0x0000000000840000-0x0000000000940000-memory.dmp
memory/4016-5-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4016-3-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4928-2-0x00000000025A0000-0x00000000025A2000-memory.dmp
memory/4292-8-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4292-9-0x0000000074680000-0x0000000074C31000-memory.dmp
memory/4292-11-0x0000000001800000-0x0000000001810000-memory.dmp
memory/4292-10-0x0000000074680000-0x0000000074C31000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
| MD5 | 1bad0cbd09b05a21157d8255dc801778 |
| SHA1 | ff284bba12f011b72e20d4c9537d6c455cdbf228 |
| SHA256 | 218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9 |
| SHA512 | 4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533 |
memory/2684-24-0x0000000001970000-0x0000000001980000-memory.dmp
memory/2684-23-0x00007FFC85E40000-0x00007FFC867E1000-memory.dmp
memory/2684-29-0x00007FFC85E40000-0x00007FFC867E1000-memory.dmp
memory/4292-31-0x0000000074680000-0x0000000074C31000-memory.dmp
memory/2684-28-0x00007FFC85E40000-0x00007FFC867E1000-memory.dmp
memory/4016-32-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.log
| MD5 | 5370d1dff94d27a9a6cfab002a5c444b |
| SHA1 | fecadd9e884c57822ebeae897a3989c0e678fd1a |
| SHA256 | 0ddb4ec9a919c3566a4ab48ce605f24816e6fb2efdd6e4070a54a1f5912ec946 |
| SHA512 | 67a3787e49e7d8ea23b3e1766639b36e685cf404042bc270f5c43dc0b0f50623778cb98c013577b3a0a3b425b608ff4e944e29df3725425ce6383759fe7534eb |
memory/2756-36-0x0000000074390000-0x0000000074941000-memory.dmp
memory/2756-37-0x00000000012F0000-0x0000000001300000-memory.dmp
memory/2756-38-0x0000000074390000-0x0000000074941000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\MZ.exe.log
| MD5 | 3d238ac6dd6710907edf2ad7893a0ed2 |
| SHA1 | b07aaeeb31bdc6e94097a254be088b092dc1fb68 |
| SHA256 | 02d215d5b6ea166e6c4c4669547cbadecbb427d5baf394fbffc7ef374a967501 |
| SHA512 | c358aa68303aa99ebc019014b4c1fc2fbfa98733f1ea863bf78ca2b877dc5c610121115432d96504df9e43bdda637b067359b07228b6f129bc5ec9a01ed3ee24 |
memory/1632-51-0x00007FFC85AF0000-0x00007FFC86491000-memory.dmp
memory/1632-52-0x00007FFC85AF0000-0x00007FFC86491000-memory.dmp
memory/2756-53-0x0000000074390000-0x0000000074941000-memory.dmp
memory/616-56-0x0000000074390000-0x0000000074941000-memory.dmp
memory/616-57-0x00000000016C0000-0x00000000016D0000-memory.dmp
memory/616-58-0x0000000074390000-0x0000000074941000-memory.dmp
memory/4588-70-0x00007FFC85AF0000-0x00007FFC86491000-memory.dmp
memory/4588-71-0x00007FFC85AF0000-0x00007FFC86491000-memory.dmp
memory/616-72-0x0000000074390000-0x0000000074941000-memory.dmp