934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206

Analysis

max time kernel
145s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
16/06/2024, 09:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Size

971KB
MD5

9f727f8074ee96ebafec98ce52ce9686
SHA1

24eb44b7df3b0feed72667dfca25ec2d754de591
SHA256

934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206
SHA512

dcf4158d16fd82f1a9e176e45f5907cc3770abe0911fed9dfc39ef097ffba80eae3f76b29079633c6799f8a10053eb7a57d81c231b65b0bea41bcbfa41532682
SSDEEP

12288:FQoNdlQfjQfRti8d1+2efpThJ/V8XIB5Opg+DBxRhNGZmK:Fr3ufph4XID2RK

Score

7^/10

collection persistence spyware stealer

Malware Config

Signatures

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/3812-0-0x000002DDD6A30000-0x000002DDD6B26000-memory.dmp	net_reactor

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\PowerSu.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe"	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3812	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
3812	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
3812	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
3812	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe

C:\Users\Admin\AppData\Local\Temp\934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe
"C:\Users\Admin\AppData\Local\Temp\934dd6cd9571839de7c40a6d26881b56759bd1267a5f4baab39e47f42c8c8206.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dkjdeywuon.tmpdb

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gfihnhs.tmpdb

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
memory/3812-0-0x000002DDD6A30000-0x000002DDD6B26000-memory.dmp

Filesize
984KB

Download
memory/3812-1-0x00007FFD70AD3000-0x00007FFD70AD5000-memory.dmp

Filesize
8KB

Download
memory/3812-2-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/3812-3-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/3812-10-0x000002DDF1C70000-0x000002DDF1D49000-memory.dmp

Filesize
868KB

Download
memory/3812-11-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/3812-12-0x000002DDF2030000-0x000002DDF2108000-memory.dmp

Filesize
864KB

Download
memory/3812-13-0x000002DDF2110000-0x000002DDF2226000-memory.dmp

Filesize
1.1MB

Download
memory/3812-14-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/3812-28-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-36-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-77-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-75-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-73-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-71-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-69-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-67-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-65-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-63-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-61-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-59-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-57-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-55-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-53-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-50-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-48-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-46-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-44-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-42-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-40-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-38-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-34-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-32-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-30-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-26-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-24-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-22-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-16-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-51-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/3812-20-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-18-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-15-0x000002DDF2110000-0x000002DDF2220000-memory.dmp

Filesize
1.1MB

Download
memory/3812-2308-0x000002DDD7000000-0x000002DDD7008000-memory.dmp

Filesize
32KB

Download
memory/3812-2309-0x000002DDF2390000-0x000002DDF242E000-memory.dmp

Filesize
632KB

Download
memory/3812-2310-0x000002DDF2430000-0x000002DDF247C000-memory.dmp

Filesize
304KB

Download
memory/3812-2311-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/3812-2312-0x000002DDF24C0000-0x000002DDF24EC000-memory.dmp

Filesize
176KB

Download
memory/3812-2313-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/3812-2314-0x000002DDF2540000-0x000002DDF25BA000-memory.dmp

Filesize
488KB

Download
memory/3812-2326-0x000002DDF2660000-0x000002DDF26B0000-memory.dmp

Filesize
320KB

Download
memory/3812-2371-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/3812-2372-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/3812-2375-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download