Malware Analysis Report

2024-09-22 10:47

Sample ID 240729-qxz28a1arr
Target 49bc9d05c7563d08947c3dabce5c4a47_JaffaCakes118
SHA256 a611726fce2fb740e19f3713cd5106554ad38323e2e07754790e2863d6121d77
Tags
hawkeye collection credential_access discovery keylogger persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a611726fce2fb740e19f3713cd5106554ad38323e2e07754790e2863d6121d77

Threat Level: Known bad

The file 49bc9d05c7563d08947c3dabce5c4a47_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hawkeye collection credential_access discovery keylogger persistence spyware stealer trojan upx

HawkEye

Credentials from Password Stores: Credentials from Web Browsers

NirSoft WebBrowserPassView

Detected Nirsoft tools

NirSoft MailPassView

Checks computer location settings

UPX packed file

Executes dropped EXE

Deletes itself

Uses the VBS compiler for execution

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-29 13:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 13:39

Reported

2024-07-29 17:37

Platform

win7-20240704-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe
PID 2116 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe
PID 2116 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe
PID 2116 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe
PID 2476 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 2476 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 2476 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 2476 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 2476 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 2476 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 2476 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1252 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1252 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1252 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1252 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1252 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1252 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1252 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 2452 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2452 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe

"C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe"

C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe

"C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:443 whatismyipaddress.com tcp
US 104.19.222.79:443 whatismyipaddress.com tcp
US 8.8.8.8:53 smtp.yandex.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp
RU 77.88.21.158:587 smtp.yandex.com tcp

Files

memory/2116-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2116-1-0x0000000000260000-0x0000000000266000-memory.dmp

memory/2476-8-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2476-6-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2476-11-0x00000000005B0000-0x0000000000638000-memory.dmp

memory/2476-10-0x00000000005B0000-0x0000000000638000-memory.dmp

memory/2116-7-0x0000000000400000-0x00000000004FD000-memory.dmp

memory/2476-3-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2476-5-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2116-2-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2476-22-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2476-23-0x0000000000400000-0x000000000051D000-memory.dmp

\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 3e03ff51909c69388af076fb28211308
SHA1 ac7bf8faacdcd0c4fc5f28cbf2a61ba6c723229d
SHA256 e0fe96154b8014ef6a40088e32dcf4fadfceb5de67dc82c9c04d9ff70b4c0f9a
SHA512 804b5028988570b1d678586d6c0e02f3a03293e299beca8746899dfce635e0d026e172597cbde6a0a46c39e4624baf7b7b324fdd0c6f32abc21be6bb2ea15d1d

memory/2476-34-0x0000000000400000-0x000000000051D000-memory.dmp

memory/1252-39-0x0000000000400000-0x00000000004FD000-memory.dmp

memory/2452-52-0x0000000000A70000-0x0000000000AF8000-memory.dmp

memory/2452-49-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2452-51-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2452-50-0x0000000000400000-0x000000000051D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 4faeb26ed008892d9aa99779dcdf5651
SHA1 55c0d65bf691afc5062cd463743b271a643f02f7
SHA256 abb64cd0cc40d7c39ad4dadcd8eccbeb8e567dc22e65685031a5d17b3805902a
SHA512 6ed93f46f942d1621cc233676bdf787e31bcdb6aef81af84dc22d5dbfaee0d34e861c4f6db0b149ca747495c1e05f6d418e6fefe2c13295adddabf5721409c21

memory/1532-68-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1532-69-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1532-71-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2452-72-0x0000000000400000-0x000000000051D000-memory.dmp

memory/1532-73-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1796-74-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1796-75-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1796-77-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1796-83-0x0000000000400000-0x0000000000458000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-29 13:39

Reported

2024-07-29 18:12

Platform

win10v2004-20240729-en

Max time kernel

145s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4488 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe
PID 4488 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe
PID 4488 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe
PID 4580 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 4580 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 4580 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 3668 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 3668 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 3668 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 5020 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5020 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe

"C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe"

C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe

"C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.19.223.79:443 whatismyipaddress.com tcp
US 8.8.8.8:53 79.223.19.104.in-addr.arpa udp
US 8.8.8.8:53 smtp.yandex.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp
US 8.8.8.8:53 158.21.88.77.in-addr.arpa udp
RU 77.88.21.158:587 smtp.yandex.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4488-0-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/4488-2-0x0000000000830000-0x0000000000831000-memory.dmp

memory/4488-1-0x0000000000800000-0x0000000000806000-memory.dmp

memory/4580-3-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4580-6-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4580-11-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4488-12-0x0000000000400000-0x00000000004FD000-memory.dmp

memory/4580-10-0x00000000009F0000-0x0000000000A78000-memory.dmp

memory/4580-8-0x00000000009F0000-0x0000000000A78000-memory.dmp

memory/4580-9-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4580-5-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4580-23-0x0000000000400000-0x000000000051D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 3e03ff51909c69388af076fb28211308
SHA1 ac7bf8faacdcd0c4fc5f28cbf2a61ba6c723229d
SHA256 e0fe96154b8014ef6a40088e32dcf4fadfceb5de67dc82c9c04d9ff70b4c0f9a
SHA512 804b5028988570b1d678586d6c0e02f3a03293e299beca8746899dfce635e0d026e172597cbde6a0a46c39e4624baf7b7b324fdd0c6f32abc21be6bb2ea15d1d

memory/4580-34-0x0000000000400000-0x000000000051D000-memory.dmp

memory/3668-36-0x0000000000400000-0x00000000004FD000-memory.dmp

memory/5020-57-0x0000000000400000-0x000000000051D000-memory.dmp

memory/5020-53-0x0000000000400000-0x000000000051D000-memory.dmp

memory/3668-45-0x0000000000400000-0x00000000004FD000-memory.dmp

memory/5020-44-0x0000000000970000-0x00000000009F8000-memory.dmp

memory/5020-42-0x0000000000400000-0x000000000051D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 4faeb26ed008892d9aa99779dcdf5651
SHA1 55c0d65bf691afc5062cd463743b271a643f02f7
SHA256 abb64cd0cc40d7c39ad4dadcd8eccbeb8e567dc22e65685031a5d17b3805902a
SHA512 6ed93f46f942d1621cc233676bdf787e31bcdb6aef81af84dc22d5dbfaee0d34e861c4f6db0b149ca747495c1e05f6d418e6fefe2c13295adddabf5721409c21

memory/4848-64-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4848-65-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4848-67-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4848-66-0x0000000000420000-0x00000000004E9000-memory.dmp

memory/5020-68-0x0000000000400000-0x000000000051D000-memory.dmp

memory/1216-69-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1216-70-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f94dc819ca773f1e3cb27abbc9e7fa27
SHA1 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256 a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

memory/1216-77-0x0000000000400000-0x0000000000458000-memory.dmp