91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bafb4856a31ae27271fbd2ee1574a4f.exe
Size

9.1MB
MD5

1bafb4856a31ae27271fbd2ee1574a4f
SHA1

b8b3649d959524df2c4e8a94434fc0de90f95005
SHA256

91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff
SHA512

e71e6ab8f548c379f49ae60e8a179ed13d41a9e9862707f15513af083f754a4585b1567491bc08ecbbd3fb700e307b8114600c9aed297932a34b5f0fe1cebe25
SSDEEP

3072:YaHDgOV/hchoS9bFr/l2Z40o6MLKkZPDOxAWP0:YmM8/DS9bF7knxMFb7D

Score

7^/10

collection discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2852	1bafb4856a31ae27271fbd2ee1574a4f.exe
1276	1bafb4856a31ae27271fbd2ee1574a4f.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1bafb4856a31ae27271fbd2ee1574a4f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1bafb4856a31ae27271fbd2ee1574a4f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1bafb4856a31ae27271fbd2ee1574a4f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1bafb4856a31ae27271fbd2ee1574a4f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1bafb4856a31ae27271fbd2ee1574a4f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1bafb4856a31ae27271fbd2ee1574a4f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1528	cmd.exe
1716	netsh.exe
1656	cmd.exe
2768	netsh.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2536	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1bafb4856a31ae27271fbd2ee1574a4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1bafb4856a31ae27271fbd2ee1574a4f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1bafb4856a31ae27271fbd2ee1574a4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1bafb4856a31ae27271fbd2ee1574a4f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1bafb4856a31ae27271fbd2ee1574a4f.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2852	1bafb4856a31ae27271fbd2ee1574a4f.exe
2852	1bafb4856a31ae27271fbd2ee1574a4f.exe
2852	1bafb4856a31ae27271fbd2ee1574a4f.exe
1276	1bafb4856a31ae27271fbd2ee1574a4f.exe
1276	1bafb4856a31ae27271fbd2ee1574a4f.exe
1276	1bafb4856a31ae27271fbd2ee1574a4f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	1bafb4856a31ae27271fbd2ee1574a4f.exe
Token: SeDebugPrivilege	2852	1bafb4856a31ae27271fbd2ee1574a4f.exe
Token: SeDebugPrivilege	1276	1bafb4856a31ae27271fbd2ee1574a4f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2756	2216	1bafb4856a31ae27271fbd2ee1574a4f.exe	30
PID 2216 wrote to memory of 2756	2216	1bafb4856a31ae27271fbd2ee1574a4f.exe	30
PID 2216 wrote to memory of 2756	2216	1bafb4856a31ae27271fbd2ee1574a4f.exe	30
PID 2756 wrote to memory of 2780	2756	cmd.exe	32
PID 2756 wrote to memory of 2780	2756	cmd.exe	32
PID 2756 wrote to memory of 2780	2756	cmd.exe	32
PID 2756 wrote to memory of 2536	2756	cmd.exe	33
PID 2756 wrote to memory of 2536	2756	cmd.exe	33
PID 2756 wrote to memory of 2536	2756	cmd.exe	33
PID 2756 wrote to memory of 2828	2756	cmd.exe	34
PID 2756 wrote to memory of 2828	2756	cmd.exe	34
PID 2756 wrote to memory of 2828	2756	cmd.exe	34
PID 2756 wrote to memory of 2852	2756	cmd.exe	35
PID 2756 wrote to memory of 2852	2756	cmd.exe	35
PID 2756 wrote to memory of 2852	2756	cmd.exe	35
PID 2852 wrote to memory of 1528	2852	1bafb4856a31ae27271fbd2ee1574a4f.exe	36
PID 2852 wrote to memory of 1528	2852	1bafb4856a31ae27271fbd2ee1574a4f.exe	36
PID 2852 wrote to memory of 1528	2852	1bafb4856a31ae27271fbd2ee1574a4f.exe	36
PID 1528 wrote to memory of 1964	1528	cmd.exe	38
PID 1528 wrote to memory of 1964	1528	cmd.exe	38
PID 1528 wrote to memory of 1964	1528	cmd.exe	38
PID 1528 wrote to memory of 1716	1528	cmd.exe	39
PID 1528 wrote to memory of 1716	1528	cmd.exe	39
PID 1528 wrote to memory of 1716	1528	cmd.exe	39
PID 1528 wrote to memory of 2196	1528	cmd.exe	40
PID 1528 wrote to memory of 2196	1528	cmd.exe	40
PID 1528 wrote to memory of 2196	1528	cmd.exe	40
PID 2852 wrote to memory of 2784	2852	1bafb4856a31ae27271fbd2ee1574a4f.exe	41
PID 2852 wrote to memory of 2784	2852	1bafb4856a31ae27271fbd2ee1574a4f.exe	41
PID 2852 wrote to memory of 2784	2852	1bafb4856a31ae27271fbd2ee1574a4f.exe	41
PID 2784 wrote to memory of 2848	2784	cmd.exe	43
PID 2784 wrote to memory of 2848	2784	cmd.exe	43
PID 2784 wrote to memory of 2848	2784	cmd.exe	43
PID 2784 wrote to memory of 2724	2784	cmd.exe	44
PID 2784 wrote to memory of 2724	2784	cmd.exe	44
PID 2784 wrote to memory of 2724	2784	cmd.exe	44
PID 2784 wrote to memory of 1068	2784	cmd.exe	45
PID 2784 wrote to memory of 1068	2784	cmd.exe	45
PID 2784 wrote to memory of 1068	2784	cmd.exe	45
PID 2968 wrote to memory of 1276	2968	taskeng.exe	48
PID 2968 wrote to memory of 1276	2968	taskeng.exe	48
PID 2968 wrote to memory of 1276	2968	taskeng.exe	48
PID 1276 wrote to memory of 1656	1276	1bafb4856a31ae27271fbd2ee1574a4f.exe	49
PID 1276 wrote to memory of 1656	1276	1bafb4856a31ae27271fbd2ee1574a4f.exe	49
PID 1276 wrote to memory of 1656	1276	1bafb4856a31ae27271fbd2ee1574a4f.exe	49
PID 1656 wrote to memory of 2760	1656	cmd.exe	51
PID 1656 wrote to memory of 2760	1656	cmd.exe	51
PID 1656 wrote to memory of 2760	1656	cmd.exe	51
PID 1656 wrote to memory of 2768	1656	cmd.exe	52
PID 1656 wrote to memory of 2768	1656	cmd.exe	52
PID 1656 wrote to memory of 2768	1656	cmd.exe	52
PID 1656 wrote to memory of 2632	1656	cmd.exe	53
PID 1656 wrote to memory of 2632	1656	cmd.exe	53
PID 1656 wrote to memory of 2632	1656	cmd.exe	53
PID 1276 wrote to memory of 2756	1276	1bafb4856a31ae27271fbd2ee1574a4f.exe	54
PID 1276 wrote to memory of 2756	1276	1bafb4856a31ae27271fbd2ee1574a4f.exe	54
PID 1276 wrote to memory of 2756	1276	1bafb4856a31ae27271fbd2ee1574a4f.exe	54
PID 2756 wrote to memory of 2552	2756	cmd.exe	56
PID 2756 wrote to memory of 2552	2756	cmd.exe	56
PID 2756 wrote to memory of 2552	2756	cmd.exe	56
PID 2756 wrote to memory of 2324	2756	cmd.exe	57
PID 2756 wrote to memory of 2324	2756	cmd.exe	57
PID 2756 wrote to memory of 2324	2756	cmd.exe	57
PID 2756 wrote to memory of 2116	2756	cmd.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1bafb4856a31ae27271fbd2ee1574a4f.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1bafb4856a31ae27271fbd2ee1574a4f.exe

C:\Users\Admin\AppData\Local\Temp\1bafb4856a31ae27271fbd2ee1574a4f.exe
"C:\Users\Admin\AppData\Local\Temp\1bafb4856a31ae27271fbd2ee1574a4f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "1bafb4856a31ae27271fbd2ee1574a4f" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\1bafb4856a31ae27271fbd2ee1574a4f.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1bafb4856a31ae27271fbd2ee1574a4f.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\1bafb4856a31ae27271fbd2ee1574a4f.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2780
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:2536
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "1bafb4856a31ae27271fbd2ee1574a4f" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\1bafb4856a31ae27271fbd2ee1574a4f.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2828
- - C:\Users\Admin\AppData\Local\Starlabs\1bafb4856a31ae27271fbd2ee1574a4f.exe
    "C:\Users\Admin\AppData\Local\Starlabs\1bafb4856a31ae27271fbd2ee1574a4f.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1964
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1716
    - - C:\Windows\system32\findstr.exe
        
        findstr /R /C:"[ ]:[ ]"
        5⤵
        
        PID:2196
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2848
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2724
    - - C:\Windows\system32\findstr.exe
        
        findstr "SSID BSSID Signal"
        5⤵
        
        PID:1068

C:\Windows\system32\taskeng.exe
taskeng.exe {B9529C35-4A37-4CF6-9EC8-9A2D1F194BBE} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Starlabs\1bafb4856a31ae27271fbd2ee1574a4f.exe
  C:\Users\Admin\AppData\Local\Starlabs\1bafb4856a31ae27271fbd2ee1574a4f.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1276
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2760
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2768
  - - C:\Windows\system32\findstr.exe
      findstr /R /C:"[ ]:[ ]"
      4⤵
      PID:2632
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2552
  - - C:\Windows\system32\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2324
  - - C:\Windows\system32\findstr.exe
      findstr "SSID BSSID Signal"
      4⤵
      PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f555e6f166a242a612543b968db34657

SHA1
2d873c3eb32d2d02ced7ed95809ed76d2fe320b1

SHA256
7af7f0a8afd017e18c9eb7393fdb5f21f03407de262a3e6275b3ad25906c60ff

SHA512
8cd60cf49604c00b80ced86dfe6bf82734f421f04a1869a19f20f809a35cdb39714b916dc7cdffbcb968648f8481285e4efb982fb4c73ee16ed0618a52822b24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
396c51ae7848d877ff2d2b711af51359

SHA1
4a4cb558d423d77d39e382b076e8ade8fd833cd1

SHA256
a1709a47fc3367edabf5c12dba0f12297e9a6cbf015da32b16c26780eae71ec8

SHA512
9c7753e2a772e98edc4160b546f673034395d031375657c98e88555944a68f0d30cf9e5c71051fa0214ac92bdc0b91d583f4dc6845ca4b664c7a720b5a844801

Download Submit
C:\Users\Admin\AppData\Local\Starlabs\1bafb4856a31ae27271fbd2ee1574a4f.exe

Filesize
9.1MB

MD5
1bafb4856a31ae27271fbd2ee1574a4f

SHA1
b8b3649d959524df2c4e8a94434fc0de90f95005

SHA256
91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff

SHA512
e71e6ab8f548c379f49ae60e8a179ed13d41a9e9862707f15513af083f754a4585b1567491bc08ecbbd3fb700e307b8114600c9aed297932a34b5f0fe1cebe25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7966.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7979.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\phgsswc3mw\p.dat

Filesize
4B

MD5
e41e164f7485ec4a28741a2d0ea41c74

SHA1
42251101ad6762320c4ac9b880b96fd0dfe5f6e5

SHA256
670d1430eca8c1f5fc91dd0089e0e62f2409eea629d3a826fe2f6def428e57a1

SHA512
4248e94c01c3c2f773167489925d730367584c0dc779c731432830523e0e12fb94c2069d353de004b8c3a10ac76753f3c57db4cc09cc6c76fb647ac0abef2fcb

Download Submit
memory/2216-0-0x000007FEF4EB3000-0x000007FEF4EB4000-memory.dmp

Filesize
4KB

Download
memory/2216-1-0x0000000001220000-0x0000000001246000-memory.dmp

Filesize
152KB

Download
memory/2216-2-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

Filesize
9.9MB

Download
memory/2216-5-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

Filesize
9.9MB

Download
memory/2852-9-0x0000000000BD0000-0x0000000000BF6000-memory.dmp

Filesize
152KB

Download