Analysis Overview
SHA256
aab70901013847089e10888514b8c7673849cd612822a5321398e58f8a0b6981
Threat Level: Known bad
The file 25092024050624092024Ordendecompra.P7696.z was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Suspicious use of NtCreateUserProcessOtherParentProcess
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Browser Information Discovery
Unsigned PE
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-25 07:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-25 07:34
Reported
2024-09-25 07:37
Platform
win10v2004-20240910-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4828 created 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | C:\Windows\Explorer.EXE |
VIPKeylogger
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4828 wrote to memory of 3972 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 4828 wrote to memory of 3972 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 4828 wrote to memory of 3972 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr
"C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr" /S
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
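The signatures above describe one chain: a screensaver executable run from %TEMP% takes SeDebugPrivilege, starts the .NET utility aspnet_compiler.exe with no arguments, writes into its memory, and the hollowed aspnet_compiler.exe then reads the Outlook profile keys. The win7 run (behavioral1) never got that far: the sample crashed into WerFault.exe before any injection or beaconing. The following detection logic is an added example, not part of the Triage report, run over constructed Sysmon-style events that replay the win10 chain. PIDs, paths, command lines, the privilege name and the registry key are copied from the report; the event types and field names are assumed, as is the reading of the NtCreateUserProcessOtherParentProcess row as parent-PID spoofing (aspnet_compiler.exe logged under Explorer.EXE while actually created by the .scr). The rule set and the list of hollowing hosts are assumptions to tune, not anything the page states.

```python
import ntpath

# Constructed, Sysmon-style event records replaying the behavioral2 chain.
# PIDs, image paths, command lines, the privilege name and the registry key are
# copied from the report; event types and field names are assumed (not Triage's).
SID = "S-1-5-21-2629364133-3182087385-364449604-1000"
EXPLORER = r"C:\Windows\Explorer.EXE"
SCR = r"C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr"
ASPNET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
OUTLOOK_KEY = (rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\16.0"
               r"\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")

EVENTS = [
    {"type": "process_create", "pid": 3480, "image": EXPLORER, "cmdline": EXPLORER,
     "parent_pid": None, "creator_pid": None},
    {"type": "process_create", "pid": 4828, "image": SCR, "cmdline": f'"{SCR}" /S',
     "parent_pid": 3480, "creator_pid": 3480},
    {"type": "privilege_adjust", "pid": 4828, "privilege": "SeDebugPrivilege"},
    # Assumed reading of "PID 4828 created 3480 / Target Explorer.EXE": the .scr
    # starts aspnet_compiler.exe with Explorer as the designated parent, so the
    # logged parent (3480) is not the process that actually created it (4828).
    {"type": "process_create", "pid": 3972, "image": ASPNET, "cmdline": f'"{ASPNET}"',
     "parent_pid": 3480, "creator_pid": 4828},
    {"type": "write_process_memory", "pid": 4828, "target_pid": 3972},
    {"type": "write_process_memory", "pid": 4828, "target_pid": 3972},
    {"type": "write_process_memory", "pid": 4828, "target_pid": 3972},
    {"type": "privilege_adjust", "pid": 3972, "privilege": "SeDebugPrivilege"},
    {"type": "registry_open", "pid": 3972, "key": OUTLOOK_KEY},
    # Benign control (constructed): a real compiler run with arguments, not from Temp.
    {"type": "process_create", "pid": 5000, "image": ASPNET,
     "cmdline": f'"{ASPNET}" -v / -p C:\\inetpub\\site -c',
     "parent_pid": 4000, "creator_pid": 4000},
]

# Assumed lists; tune them for the environment being monitored.
HOLLOW_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "vbc.exe", "csc.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
OUTLOOK_PROFILE_MARKERS = ("\\outlook\\profiles\\",
                           "\\windows messaging subsystem\\profiles\\")


def basename(path):
    return ntpath.basename(path or "").lower()


def from_user_writable(path):
    return any(m in (path or "").lower() for m in USER_WRITABLE)


def bare_image_cmdline(image, cmdline):
    """True when the command line is nothing but the (optionally quoted) image."""
    return cmdline.strip().strip('"').lower() == image.lower()


def detect(events):
    """Return sorted, de-duplicated (rule, pid) alerts for the event stream."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    alerts = set()
    for e in events:
        pid, img = e["pid"], images.get(e["pid"], "")
        if e["type"] == "process_create":
            creator = images.get(e["creator_pid"], "")
            if e["creator_pid"] is not None and e["creator_pid"] != e["parent_pid"]:
                alerts.add(("ppid_spoofing", pid))
            # Judge the spawn by who really created it, not by the logged parent.
            if (basename(img) in HOLLOW_HOSTS and bare_image_cmdline(img, e["cmdline"])
                    and from_user_writable(creator)):
                alerts.add(("hollow_host_spawned_by_user_dir_binary", pid))
            if basename(img).endswith(".scr") and from_user_writable(img):
                alerts.add(("screensaver_run_from_user_dir", pid))
        elif e["type"] == "write_process_memory":
            target = images.get(e["target_pid"], "")
            if basename(target) in HOLLOW_HOSTS and from_user_writable(img):
                alerts.add(("cross_process_write_into_hollow_host", pid))
        elif e["type"] == "privilege_adjust":
            if e["privilege"] == "SeDebugPrivilege" and (
                    from_user_writable(img) or basename(img) in HOLLOW_HOSTS):
                alerts.add(("sedebug_from_unexpected_image", pid))
        elif e["type"] == "registry_open":
            if (any(m in e["key"].lower() for m in OUTLOOK_PROFILE_MARKERS)
                    and basename(img) != "outlook.exe"):
                alerts.add(("outlook_profile_read_by_non_outlook", pid))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{pid:>5}  {rule}")
```

The point of keeping both `parent_pid` and `creator_pid` is that a detection keyed on the logged parent alone sees Explorer.EXE spawning a Microsoft-signed compiler and stays quiet; keyed on the creator it sees a Temp-resident .scr doing it. The benign control row (a compiler run with real arguments) produces no alert.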
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 172.67.200.96:80 | filetransfer.io | tcp |
| US | 172.67.200.96:443 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | s26.filetransfer.io | udp |
| US | 104.21.13.139:443 | s26.filetransfer.io | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 96.200.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.13.21.104.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 73.247.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.201.50.20.in-addr.arpa | udp |
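Most rows in the table above are noise: DNS queries to the sandbox resolver, reverse lookups of every address touched, and Bing telemetry from the Windows image. What remains is the sequence that matters for a keylogger: contact with filetransfer.io, then an external-IP lookup (checkip.dyndns.org, reallyfreegeoip.org), then api.telegram.org, the usual exfiltration channel for this family. The triage below is an added example, not part of the Triage report: it parses rows copied from the table, classifies each domain, and derives a verdict plus block and review lists. The service lists and the Cloudflare ranges used to avoid blocking shared CDN addresses are assumed and partial; filetransfer.io is left for analyst review because the report does not say what was fetched from it.

```python
import ipaddress
import re

# Rows copied from the behavioral2 Network table (a representative subset).
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | google.com | udp |
| US | 172.67.200.96:80 | filetransfer.io | tcp |
| US | 104.21.13.139:443 | s26.filetransfer.io | tcp |
| US | 8.8.8.8:53 | 96.200.67.172.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
"""

# Assumed, partial lists; extend for the environment.
IP_LOOKUP_SERVICES = {"checkip.dyndns.org", "reallyfreegeoip.org",
                      "api.ipify.org", "ip-api.com", "icanhazip.com"}
EXFIL_CHANNELS = {"api.telegram.org"}
PLATFORM_NOISE = ("bing.com", "bing.net", "google.com")
# Assumed subset of Cloudflare ranges: addresses here are shared, block by domain.
SHARED_CDN = [ipaddress.ip_network(n) for n in
              ("104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13")]
RESOLVER = "8.8.8.8"

ROW_RE = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]+?)\s*\|\s*(tcp|udp)\s*\|$")


def parse_rows(table):
    rows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def classify(domain):
    d = domain.lower()
    if d.endswith(".in-addr.arpa"):
        return "reverse_dns_noise"
    if d in IP_LOOKUP_SERVICES:
        return "external_ip_lookup"
    if d in EXFIL_CHANNELS:
        return "exfil_channel"
    if any(d == s or d.endswith("." + s) for s in PLATFORM_NOISE):
        return "platform_noise"
    return "unclassified"


def is_shared_cdn(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_CDN)


def triage(table):
    rows = parse_rows(table)
    categories, block_domains, review_domains, block_ips = {}, set(), set(), set()
    for r in rows:
        cat = classify(r["domain"])
        categories.setdefault(cat, set()).add(r["domain"])
        if r["ip"] == RESOLVER:
            continue  # query rows; the resolved address appears in the TCP row
        if cat in ("external_ip_lookup", "exfil_channel"):
            block_domains.add(r["domain"])
            if not is_shared_cdn(r["ip"]):
                block_ips.add(r["ip"])
        elif cat == "unclassified":
            review_domains.add(r["domain"])
    chain = {"external_ip_lookup", "exfil_channel"} <= set(categories)
    return {"verdict": "keylogger_exfil_chain" if chain else "inconclusive",
            "block_domains": sorted(block_domains),
            "block_ips": sorted(block_ips),
            "review_domains": sorted(review_domains),
            "categories": {k: sorted(v) for k, v in categories.items()}}


if __name__ == "__main__":
    for key, value in triage(NETWORK_TABLE).items():
        print(f"{key}: {value}")
```

The IP-lookup domains are blockable on their own; the verdict only becomes confident when the lookup is followed by a known exfiltration channel, which is why the two categories are required together.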
Files
memory/4828-0-0x00007FFFB8BE3000-0x00007FFFB8BE5000-memory.dmp
memory/4828-1-0x000002A99A050000-0x000002A99A0B2000-memory.dmp
memory/4828-2-0x000002A99A460000-0x000002A99A466000-memory.dmp
memory/4828-3-0x00007FFFB8BE0000-0x00007FFFB96A1000-memory.dmp
memory/4828-4-0x000002A9B4770000-0x000002A9B4894000-memory.dmp
memory/4828-12-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-22-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-68-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-66-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-64-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-62-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-60-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-58-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-54-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-52-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-50-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-48-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-44-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-42-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-40-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-38-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-36-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-34-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-30-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-28-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-26-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-24-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-20-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-18-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-16-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-14-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-10-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-6-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-56-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-46-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-32-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-8-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-5-0x000002A9B4770000-0x000002A9B488E000-memory.dmp
memory/4828-1079-0x00007FFFB8BE0000-0x00007FFFB96A1000-memory.dmp
memory/4828-1080-0x000002A9B4890000-0x000002A9B492E000-memory.dmp
memory/4828-1081-0x000002A9B4930000-0x000002A9B497C000-memory.dmp
memory/4828-1085-0x00007FFFB8BE0000-0x00007FFFB96A1000-memory.dmp
memory/4828-1086-0x00007FFFB8BE0000-0x00007FFFB96A1000-memory.dmp
memory/4828-1087-0x00007FFFB8BE0000-0x00007FFFB96A1000-memory.dmp
memory/4828-1088-0x00007FFFB8BE3000-0x00007FFFB8BE5000-memory.dmp
memory/4828-1089-0x00007FFFB8BE0000-0x00007FFFB96A1000-memory.dmp
memory/4828-1090-0x000002A9B5A50000-0x000002A9B5AA4000-memory.dmp
memory/3972-1092-0x000002006EE80000-0x000002006EECB000-memory.dmp
memory/4828-1093-0x00007FFFB8BE0000-0x00007FFFB96A1000-memory.dmp
memory/3972-1094-0x00007FFFB8BE3000-0x00007FFFB8BE5000-memory.dmp
memory/3972-1095-0x0000020070A40000-0x0000020070A86000-memory.dmp
memory/3972-1096-0x00007FFFB8BE0000-0x00007FFFB96A1000-memory.dmp
memory/3972-1097-0x00007FFFB8BE0000-0x00007FFFB96A1000-memory.dmp
memory/3972-1098-0x00007FFFB8BE0000-0x00007FFFB96A1000-memory.dmp
memory/3972-1099-0x00007FFFB8BE3000-0x00007FFFB8BE5000-memory.dmp
memory/3972-1100-0x0000020072860000-0x0000020072A22000-memory.dmp
memory/3972-1101-0x0000020070B10000-0x0000020070B60000-memory.dmp
memory/3972-1102-0x00007FFFB8BE0000-0x00007FFFB96A1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-25 07:34
Reported
2024-09-25 07:37
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2600 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | C:\Windows\system32\WerFault.exe |
| PID 2600 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | C:\Windows\system32\WerFault.exe |
| PID 2600 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr
"C:\Users\Admin\AppData\Local\Temp\QUOTATION_SEPQTRA071244PDF.scr" /S
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2600 -s 1692
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 104.21.13.139:80 | filetransfer.io | tcp |
| US | 104.21.13.139:443 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | s26.filetransfer.io | udp |
| US | 104.21.13.139:443 | s26.filetransfer.io | tcp |
Files
memory/2600-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp
memory/2600-1-0x0000000001350000-0x00000000013B2000-memory.dmp
memory/2600-2-0x0000000000580000-0x0000000000586000-memory.dmp
memory/2600-3-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp
memory/2600-4-0x000000001C240000-0x000000001C364000-memory.dmp
memory/2600-5-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-14-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-6-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-39-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-8-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-63-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-10-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-12-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-16-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-22-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-68-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-66-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-64-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-60-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-58-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-56-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-54-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-52-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-50-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-48-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-46-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-44-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-42-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-40-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-36-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-34-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-32-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-30-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-28-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-26-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-24-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-20-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-18-0x000000001C240000-0x000000001C35E000-memory.dmp
memory/2600-1079-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp
memory/2600-1080-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp
memory/2600-1081-0x0000000001270000-0x000000000130E000-memory.dmp
memory/2600-1082-0x0000000000A30000-0x0000000000A7C000-memory.dmp
memory/2600-1083-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp
memory/2600-1084-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp
memory/2600-1085-0x0000000001110000-0x0000000001164000-memory.dmp