Malware Analysis Report

2024-12-07 22:47

Sample ID 240511-j7fb8sgd2w
Target 2976-34-0x0000000000400000-0x0000000000417000-memory.dmp
SHA256 d680f58a9803eb57e4564754e91fbad12f92a0850d14cb6e0b145d868edaa213
Tags
gg remcos collection spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2976-34-0x0000000000400000-0x0000000000417000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

Remcos family

Nirsoft

NirSoft MailPassView

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-11 08:18

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
(1 hit; no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 08:18

Reported

2024-05-11 08:21

Platform

win7-20240508-en

Max time kernel

120s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe"

Signatures

NirSoft MailPassView

Description Indicator Process Target
(6 hits; no description, indicator, process or target recorded)

Nirsoft

Description Indicator Process Target
(13 hits; no description, indicator, process or target recorded)

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe N/A (3 hits)

Suspicious use of SetThreadContext

Process: C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
Target: C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe (same image as Process, all rows)
Indicator: N/A (all rows)
Description:
PID 1268 set thread context of 3000
PID 1268 set thread context of 1964
PID 1268 set thread context of 2804
PID 1268 set thread context of 1616
PID 1268 set thread context of 1428
PID 1268 set thread context of 2404
PID 1268 set thread context of 2928
PID 1268 set thread context of 772
PID 1268 set thread context of 1108

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe N/A (15 hits)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe N/A

Suspicious use of WriteProcessMemory

Process: C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
Target: C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe (same image as Process, all rows)
Indicator: N/A (all rows)
Description (identical rows collapsed, hit count in parentheses):
PID 1268 wrote to memory of 3000 (9)
PID 1268 wrote to memory of 1964 (9)
PID 1268 wrote to memory of 2804 (9)
PID 1268 wrote to memory of 1616 (9)
PID 1268 wrote to memory of 1428 (9)
PID 1268 wrote to memory of 2404 (9)
PID 1268 wrote to memory of 2928 (9)
PID 1268 wrote to memory of 772 (1)

Processes

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe"

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\gpnbdkkjwffbfloxwfedmqpc"

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\jkauecvlsnxnprcbfqrfxvjtvug"

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\tmfffvgegvpssgynobdyahwcwjqrlc"

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\iipwyan"

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\skugytxdvwq"

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\veizzdiwjeipcu"

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\ptwqvkciebmiovonlztyrkmjlodtoxhrk"

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\anjjwc"

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\kqobxvydg"

Network

Country Destination Domain Proto
SE 62.102.148.185:9771 (no domain) tcp (5 connections)

Files

C:\Users\Admin\AppData\Local\Temp\iipwyan

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 08:18

Reported

2024-05-11 08:21

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe"

Signatures

NirSoft MailPassView

Description Indicator Process Target
(2 hits; no description, indicator, process or target recorded)

Nirsoft

Description Indicator Process Target
(5 hits; no description, indicator, process or target recorded)

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe N/A (14 hits)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4304 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
PID 4304 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
PID 4304 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
PID 4304 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
PID 4304 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
PID 4304 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
PID 4304 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
PID 4304 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
PID 4304 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
PID 4304 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe"

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\nenhmphiwgzz"

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\ygsanisksordvad"

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe

C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\aaxsfaddgwkqxgzuxmu"

Network

Country Destination Domain Proto
SE 62.102.148.185:9771 tcp
US 8.8.8.8:53 185.148.102.62.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 2.17.196.106:443 www.bing.com tcp
US 8.8.8.8:53 106.196.17.2.in-addr.arpa udp
SE 62.102.148.185:9771 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
SE 62.102.148.185:9771 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/2608-1-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2608-5-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2608-11-0x0000000000400000-0x0000000000457000-memory.dmp

memory/408-23-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1568-21-0x0000000000400000-0x0000000000424000-memory.dmp

memory/408-20-0x0000000000400000-0x000000000041E000-memory.dmp

memory/408-14-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1568-10-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2608-9-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1568-8-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1568-7-0x0000000000400000-0x0000000000424000-memory.dmp

memory/408-19-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1568-3-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2608-26-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nenhmphiwgzz

MD5 e2c3e1c6ab6bae4a7f568e5d17ba539a
SHA1 536259010db44571f4de092c992e4af328d3916c
SHA256 1b6b484d9695b66276a1470468cf3269a102af126968401719dba7d051aff88a
SHA512 b047018ee243294d03b229129541bd185fa58e5d3d965bb3f7d3a58b43a18221cd5ddeedc63c48974e781c0a114b7cb84a03d823f2be27a5524e58ec5b599cf9