1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399

Analysis

max time kernel
42s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
Size

4.8MB
MD5

98512fdc1d3b34e2196ca5b34e14f29c
SHA1

460f2bbed2bc7419c1664d7f8a9e284e5b9bea83
SHA256

1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399
SHA512

ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0
SSDEEP

3072:patWqvozZqlXS99bMRfCh+T5bOCYEu05ukO3JJ:pMWqcIXS99bMZ5sCYE7O3P

Score

7^/10

collection discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
1084	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2188	cmd.exe
1152	netsh.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2412	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
Token: SeDebugPrivilege	1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
Token: SeDebugPrivilege	1084	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 2796	396	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe	30
PID 396 wrote to memory of 2796	396	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe	30
PID 396 wrote to memory of 2796	396	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe	30
PID 2796 wrote to memory of 2644	2796	cmd.exe	32
PID 2796 wrote to memory of 2644	2796	cmd.exe	32
PID 2796 wrote to memory of 2644	2796	cmd.exe	32
PID 2796 wrote to memory of 2412	2796	cmd.exe	33
PID 2796 wrote to memory of 2412	2796	cmd.exe	33
PID 2796 wrote to memory of 2412	2796	cmd.exe	33
PID 2796 wrote to memory of 2976	2796	cmd.exe	34
PID 2796 wrote to memory of 2976	2796	cmd.exe	34
PID 2796 wrote to memory of 2976	2796	cmd.exe	34
PID 2660 wrote to memory of 1608	2660	taskeng.exe	36
PID 2660 wrote to memory of 1608	2660	taskeng.exe	36
PID 2660 wrote to memory of 1608	2660	taskeng.exe	36
PID 2796 wrote to memory of 1084	2796	cmd.exe	37
PID 2796 wrote to memory of 1084	2796	cmd.exe	37
PID 2796 wrote to memory of 1084	2796	cmd.exe	37
PID 1608 wrote to memory of 2188	1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe	38
PID 1608 wrote to memory of 2188	1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe	38
PID 1608 wrote to memory of 2188	1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe	38
PID 2188 wrote to memory of 2128	2188	cmd.exe	40
PID 2188 wrote to memory of 2128	2188	cmd.exe	40
PID 2188 wrote to memory of 2128	2188	cmd.exe	40
PID 2188 wrote to memory of 1152	2188	cmd.exe	41
PID 2188 wrote to memory of 1152	2188	cmd.exe	41
PID 2188 wrote to memory of 1152	2188	cmd.exe	41
PID 2188 wrote to memory of 1820	2188	cmd.exe	42
PID 2188 wrote to memory of 1820	2188	cmd.exe	42
PID 2188 wrote to memory of 1820	2188	cmd.exe	42
PID 1608 wrote to memory of 1688	1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe	43
PID 1608 wrote to memory of 1688	1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe	43
PID 1608 wrote to memory of 1688	1608	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe	43
PID 1688 wrote to memory of 1080	1688	cmd.exe	45
PID 1688 wrote to memory of 1080	1688	cmd.exe	45
PID 1688 wrote to memory of 1080	1688	cmd.exe	45
PID 1688 wrote to memory of 1156	1688	cmd.exe	46
PID 1688 wrote to memory of 1156	1688	cmd.exe	46
PID 1688 wrote to memory of 1156	1688	cmd.exe	46
PID 1688 wrote to memory of 756	1688	cmd.exe	47
PID 1688 wrote to memory of 756	1688	cmd.exe	47
PID 1688 wrote to memory of 756	1688	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe

C:\Users\Admin\AppData\Local\Temp\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
"C:\Users\Admin\AppData\Local\Temp\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2644
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:2412
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2976
- - C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
    "C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1084

C:\Windows\system32\taskeng.exe
taskeng.exe {9BBAB288-0384-4BA1-AC14-F68161A44BE2} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
  C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1608
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2128
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1152
  - - C:\Windows\system32\findstr.exe
      findstr /R /C:"[ ]:[ ]"
      4⤵
      PID:1820
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1080
  - - C:\Windows\system32\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1156
  - - C:\Windows\system32\findstr.exe
      findstr "SSID BSSID Signal"
      4⤵
      PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe

Filesize
4.8MB

MD5
98512fdc1d3b34e2196ca5b34e14f29c

SHA1
460f2bbed2bc7419c1664d7f8a9e284e5b9bea83

SHA256
1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399

SHA512
ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4260.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4282.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/396-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

Filesize
4KB

Download
memory/396-1-0x0000000001290000-0x00000000012C4000-memory.dmp

Filesize
208KB

Download
memory/396-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/396-5-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/1608-9-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download