Malware Analysis Report

2024-11-30 14:51

Sample ID 240926-b5fafszdll
Target 654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
SHA256 654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53
Tags vipkeylogger collection discovery execution keylogger spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53

Threat Level: Known bad

The file 654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery execution keylogger spyware stealer

VIPKeylogger

Command and Scripting Interpreter: PowerShell

Reads user/profile data of local email clients

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-09-26 01:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-09-26 01:43
Reported 2024-09-26 01:45
Platform win7-20240903-en
Max time kernel 119s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2792 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2792 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2792 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2792 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2792 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2792 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2792 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2792 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2792 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2792 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2792 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2792 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2792 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 2792 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe

"C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hguaKfzQDB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hguaKfzQDB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp86EB.tmp"

C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe

"C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe"

C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe

"C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe"

C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe

"C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
DE | 193.122.6.168:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 172.67.177.134:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | mail.renatoazenha.com | udp
PT | 94.126.169.119:587 | mail.renatoazenha.com | tcp
PT | 94.126.169.119:587 | mail.renatoazenha.com | tcp

Files

memory/2792-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

memory/2792-1-0x0000000001360000-0x000000000143E000-memory.dmp

memory/2792-2-0x0000000074E80000-0x000000007556E000-memory.dmp

memory/2792-3-0x0000000000430000-0x0000000000442000-memory.dmp

memory/2792-4-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

memory/2792-5-0x0000000074E80000-0x000000007556E000-memory.dmp

memory/2792-6-0x0000000005270000-0x00000000052FC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ccc47f3cff346c4dfede642f3d6e91c0
SHA1 ca9f10c444076d00043552c665bf42c05b592340
SHA256 80574d6c56ea277e369c47f3e3e5c23b9a61a15f61bae59ff6f49783d4b7189b
SHA512 fc721e646ddb372cf5b981ac41d649c391a346cbb1467e6dce5371c7ff3acff6c2ee6e7fc4ad75d8a5c21885bb5887ed41c020e84fd86fbea88f8cb39aac0b03

C:\Users\Admin\AppData\Local\Temp\tmp86EB.tmp

MD5 ac350f4908104a06e99614dbf193456c
SHA1 087a2d30106c1ed082bdcd1d1a1497586d07ebfd
SHA256 dcf5554a2f5f028c814579609d104a2d6fcbc6423c9e2f771d940b73b52dd1ab
SHA512 2a97ba2b4b165af666be66e1a46d5e9b2ca1735700edf82c09a7493ffb4d5171e8c06b6411b56364a084e74b2964166b648fbc6c2358b3dd08f4ec73c092fb17

memory/2628-20-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2628-21-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2628-28-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2628-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2628-31-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2628-25-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2628-23-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2628-29-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2792-32-0x0000000074E80000-0x000000007556E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-09-26 01:43
Reported 2024-09-26 01:45
Platform win10v2004-20240802-en
Max time kernel 118s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1760 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 1760 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 1760 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 1760 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 1760 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 1760 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 1760 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe
PID 1760 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe

"C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hguaKfzQDB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hguaKfzQDB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpABEF.tmp"

C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe

"C:\Users\Admin\AppData\Local\Temp\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
BR | 132.226.247.73:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | 73.247.226.132.in-addr.arpa | udp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | mail.renatoazenha.com | udp
PT | 94.126.169.119:587 | mail.renatoazenha.com | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
PT | 94.126.169.119:587 | mail.renatoazenha.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/1760-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

memory/1760-1-0x0000000000CA0000-0x0000000000D7E000-memory.dmp

memory/1760-2-0x0000000005D50000-0x00000000062F4000-memory.dmp

memory/1760-3-0x00000000057A0000-0x0000000005832000-memory.dmp

memory/1760-4-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/1760-5-0x0000000005750000-0x000000000575A000-memory.dmp

memory/1760-6-0x0000000006DE0000-0x0000000006DF2000-memory.dmp

memory/1760-7-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

memory/1760-8-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/1760-9-0x00000000070F0000-0x000000000717C000-memory.dmp

memory/1760-10-0x00000000097B0000-0x000000000984C000-memory.dmp

memory/1560-15-0x0000000002710000-0x0000000002746000-memory.dmp

memory/1560-16-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/1560-17-0x0000000005250000-0x0000000005878000-memory.dmp

memory/1560-18-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/1560-19-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/2200-20-0x0000000074C00000-0x00000000753B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpABEF.tmp

MD5 7af9ec6f7514e911f05c82578daa7783
SHA1 869f3db3b595245a8e415e00a1a18d409c955f29
SHA256 ffd6c6e5fbdd3b4d3a68351cfd5737e450f0134543d11d068c3082b3c681611a
SHA512 b3e9626c8559eb901e32850759d836a5968fc48b6946fee8a95d340e4df2513c5be01b9027b0c9e910df9fd387ec1b21f1a5089af2b880ec475540de14a1eb5f

memory/2200-22-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/2200-28-0x0000000005F60000-0x0000000005F82000-memory.dmp

memory/2200-33-0x0000000074C00000-0x00000000753B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2bobcg1w.fwr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1560-44-0x0000000005BB0000-0x0000000005C16000-memory.dmp

memory/1832-45-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1560-46-0x0000000005C60000-0x0000000005FB4000-memory.dmp

memory/1560-43-0x0000000005A20000-0x0000000005A86000-memory.dmp

memory/1760-49-0x0000000074C00000-0x00000000753B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/1560-50-0x0000000005C20000-0x0000000005C3E000-memory.dmp

memory/1560-51-0x0000000006350000-0x000000000639C000-memory.dmp

memory/1560-52-0x0000000006560000-0x0000000006592000-memory.dmp

memory/1560-53-0x0000000071190000-0x00000000711DC000-memory.dmp

memory/1560-63-0x00000000065C0000-0x00000000065DE000-memory.dmp

memory/1560-64-0x0000000007020000-0x00000000070C3000-memory.dmp

memory/1560-66-0x0000000007120000-0x000000000713A000-memory.dmp

memory/1560-65-0x0000000007A40000-0x00000000080BA000-memory.dmp

memory/1560-67-0x0000000007190000-0x000000000719A000-memory.dmp

memory/2200-68-0x0000000071190000-0x00000000711DC000-memory.dmp

memory/1560-78-0x00000000075B0000-0x0000000007646000-memory.dmp

memory/1560-79-0x0000000007530000-0x0000000007541000-memory.dmp

memory/1560-80-0x0000000007560000-0x000000000756E000-memory.dmp

memory/1560-81-0x0000000007570000-0x0000000007584000-memory.dmp

memory/2200-82-0x0000000007D50000-0x0000000007D6A000-memory.dmp

memory/1560-83-0x0000000007650000-0x0000000007658000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a52e4e2eaf0d9747f02ae3e155c2b386
SHA1 6c13ee37f9e498b72902003a384aece76b173317
SHA256 7cb11e9abffd9685769ae59bb84b6ad824f732cb770ae3bb79e8e6673196da2b
SHA512 c93b9030674f8bf010ae99f3463872a78ddb7ddcb687aa328747d1e974b844e99c5e770dd29860f25f2154d409c4ba200eb12399cec0b648d7661347a8bc000d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/1560-89-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/2200-90-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/1832-91-0x00000000066A0000-0x0000000006862000-memory.dmp

memory/1832-92-0x0000000006520000-0x0000000006570000-memory.dmp

memory/1832-93-0x0000000006DA0000-0x00000000072CC000-memory.dmp