Malware Analysis Report

2024-11-30 15:03

Sample ID 241029-dk52gstdkb
Target 19587843766.zip
SHA256 c826176d5559847add9c3c252ef65a3ef684ad52af36a0571bc5e26e00b3dfb9
Tags vipkeylogger collection discovery execution keylogger spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 c826176d5559847add9c3c252ef65a3ef684ad52af36a0571bc5e26e00b3dfb9

Threat Level: Known bad

The file 19587843766.zip was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery execution keylogger spyware stealer

VIPKeylogger

Vipkeylogger family

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Reads user/profile data of local email clients

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

outlook_win_path

outlook_office_path

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 03:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 03:05

Reported

2024-10-29 03:07

Platform

win7-20240903-en

Max time kernel

117s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2932 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 2932 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 2932 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 2932 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 2932 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 2932 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 2932 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 2932 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 2932 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe

"C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VbOcmCITQ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VbOcmCITQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE5CD.tmp"

C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe

"C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
BR | 132.226.247.73:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp

Files

memory/2932-0-0x000000007466E000-0x000000007466F000-memory.dmp

memory/2932-1-0x0000000000C50000-0x0000000000D48000-memory.dmp

memory/2932-2-0x0000000074660000-0x0000000074D4E000-memory.dmp

memory/2932-3-0x00000000041E0000-0x00000000042A0000-memory.dmp

memory/2932-4-0x00000000006E0000-0x00000000006FE000-memory.dmp

memory/2932-5-0x000000007466E000-0x000000007466F000-memory.dmp

memory/2932-6-0x0000000074660000-0x0000000074D4E000-memory.dmp

memory/2932-7-0x0000000000600000-0x000000000068C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE5CD.tmp

MD5 d8850dad8f5ed3690d2bee3293c29e05
SHA1 92593cb6518a9d67ce289f9c63d2378a1df16725
SHA256 70d5dc60a17794517534f0e7fbe9d2b7b34d85c82343299de11123634831ace9
SHA512 f8b6e80e1e4b84b47fb135a7a8ec2d1fe89e2fd244aefc06d11e1935a23813838759eb66872feb446582edd217762059ff62aad78ce609bd164939bfed88f32f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AVTUXBGX5UKSY0VZLQKO.temp

MD5 8f9d6abefb6bf12ad44ce1b8b82f95b7
SHA1 59f24c2a4d5421d75296a4865765d1938330b3da
SHA256 eb5d9d01bb8734ce84c4e23f87fb5dbc8cfaa4c88376b21b67ff1b3fe077f074
SHA512 eb1adfd4b58b51b88db6204260e6ccf23f9b88cd6d8dca7c5af8192fb5ed257aa08d2713a2fc1f3740573c650b55d8879e87ffe22dfbac647a85fa3dc6c97d6a

memory/1496-20-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1496-22-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1496-24-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1496-26-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1496-31-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1496-30-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1496-29-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1496-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2932-32-0x0000000074660000-0x0000000074D4E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-29 03:05

Reported

2024-10-29 03:07

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3196 wrote to memory of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3196 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3196 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3196 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 3196 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 3196 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 3196 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 3196 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 3196 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 3196 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe
PID 3196 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe

"C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VbOcmCITQ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VbOcmCITQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE9A4.tmp"

C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe

"C:\Users\Admin\AppData\Local\Temp\20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
DE | 193.122.6.168:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 8.8.8.8:53 | 168.6.122.193.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/3196-0-0x000000007500E000-0x000000007500F000-memory.dmp

memory/3196-1-0x0000000000DE0000-0x0000000000ED8000-memory.dmp

memory/3196-2-0x0000000005F50000-0x00000000064F4000-memory.dmp

memory/3196-3-0x00000000058C0000-0x0000000005952000-memory.dmp

memory/3196-5-0x0000000005960000-0x000000000596A000-memory.dmp

memory/3196-4-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3196-7-0x0000000005D20000-0x0000000005D3E000-memory.dmp

memory/3196-6-0x0000000006DE0000-0x0000000006EA0000-memory.dmp

memory/3196-8-0x000000007500E000-0x000000007500F000-memory.dmp

memory/3196-9-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3196-10-0x0000000003180000-0x000000000320C000-memory.dmp

memory/3196-11-0x000000000E890000-0x000000000E92C000-memory.dmp

memory/3256-16-0x0000000004E20000-0x0000000004E56000-memory.dmp

memory/3256-17-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3256-19-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3256-18-0x00000000054E0000-0x0000000005B08000-memory.dmp

memory/3256-20-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/2172-21-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3256-23-0x0000000005CF0000-0x0000000005D56000-memory.dmp

memory/3256-26-0x0000000005D60000-0x0000000005DC6000-memory.dmp

memory/2172-25-0x0000000075000000-0x00000000757B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvxhql0n.0fx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3256-32-0x0000000005DD0000-0x0000000006124000-memory.dmp

memory/3256-22-0x0000000005C50000-0x0000000005C72000-memory.dmp

memory/2172-37-0x0000000075000000-0x00000000757B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE9A4.tmp

MD5 44fa5e65d9c330916b200024513bfc8f
SHA1 1a655a5e328f34e8786549e09eac49c851c7ca23
SHA256 2d2a16b04499c83660b94bcfb34b1d20186f377c5de2b7e6ec140107251371f4
SHA512 c08226cdfd90db289233bd5eb860892703b67c06ab66c8cc0d328dfff5323f627bfab9a43a58d08078f718e39fa3363e9d7d283267d99a211762afbf70c4d19b

memory/3256-47-0x0000000006400000-0x000000000641E000-memory.dmp

memory/3256-49-0x0000000006750000-0x000000000679C000-memory.dmp

memory/4480-48-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3196-51-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3256-53-0x0000000070570000-0x00000000705BC000-memory.dmp

memory/3256-52-0x00000000075A0000-0x00000000075D2000-memory.dmp

memory/3256-63-0x00000000069A0000-0x00000000069BE000-memory.dmp

memory/3256-64-0x00000000075E0000-0x0000000007683000-memory.dmp

memory/3256-66-0x0000000007720000-0x000000000773A000-memory.dmp

memory/3256-65-0x0000000007D60000-0x00000000083DA000-memory.dmp

memory/3256-67-0x0000000007790000-0x000000000779A000-memory.dmp

memory/2172-68-0x0000000070570000-0x00000000705BC000-memory.dmp

memory/3256-78-0x00000000079A0000-0x0000000007A36000-memory.dmp

memory/3256-79-0x0000000007920000-0x0000000007931000-memory.dmp

memory/3256-80-0x0000000007950000-0x000000000795E000-memory.dmp

memory/3256-81-0x0000000007960000-0x0000000007974000-memory.dmp

memory/3256-82-0x0000000007A60000-0x0000000007A7A000-memory.dmp

memory/3256-83-0x0000000007A40000-0x0000000007A48000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2172-90-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3256-89-0x0000000075000000-0x00000000757B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e93fb0f17ed1f1e1d75f0e698d509398
SHA1 9c5d1d84d95be9d041bffa0dcdd76c625a33aa7a
SHA256 4cfd67b09e362da5fa5a51f7806719658b32744ba64a04cd0dba2e548c1152f5
SHA512 6ee47f0d16ce1ac411f77f1057228024144999f6dd225fd1a8f89971aba702118f266c7812d3eb8efc20c93861697e97c1d345571cfb8c2eba3223848594b1d9

memory/4480-91-0x0000000006460000-0x0000000006622000-memory.dmp

memory/4480-92-0x0000000006300000-0x0000000006350000-memory.dmp