Malware Analysis Report

2024-11-16 13:08

Sample ID 241105-mz8klaslgj
Target aea90786fd4ecf5e2f9ad8b1cdce01f40df97f5f852231e9733d3deda4eb70e0
SHA256 aea90786fd4ecf5e2f9ad8b1cdce01f40df97f5f852231e9733d3deda4eb70e0
Tags
agenttesla redline sectoprat cheat collection discovery infostealer keylogger rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aea90786fd4ecf5e2f9ad8b1cdce01f40df97f5f852231e9733d3deda4eb70e0

Threat Level: Known bad

The file aea90786fd4ecf5e2f9ad8b1cdce01f40df97f5f852231e9733d3deda4eb70e0 was found to be: Known bad.

Malicious Activity Summary

agenttesla redline sectoprat cheat collection discovery infostealer keylogger rat spyware stealer trojan

SectopRAT

Redline family

SectopRAT payload

Sectoprat family

RedLine

Agenttesla family

AgentTesla

RedLine payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

outlook_office_path

Suspicious use of WriteProcessMemory

outlook_win_path

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 10:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 10:55

Reported

2024-11-05 10:57

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Sectoprat family

sectoprat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2212 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2212 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2212 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2212 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2212 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2212 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2212 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2212 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2272 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe
PID 2272 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe
PID 2272 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

"C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe"

C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

"C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 172.67.74.152:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp
GB | 193.47.61.37:38369 | | tcp
US | 8.8.8.8:53 | mail.kirtidevelopers.com | udp
US | 162.144.104.113:587 | mail.kirtidevelopers.com | tcp
US | 8.8.8.8:53 | 113.104.144.162.in-addr.arpa | udp
GB | 193.47.61.37:38369 | | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp

Files

memory/2212-0-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

memory/2212-1-0x0000000000C60000-0x0000000000D6A000-memory.dmp

memory/2212-2-0x0000000005CA0000-0x0000000006244000-memory.dmp

memory/2212-3-0x0000000005790000-0x0000000005822000-memory.dmp

memory/2212-4-0x0000000005770000-0x000000000577A000-memory.dmp

memory/2212-5-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/2212-6-0x0000000005A80000-0x0000000005A98000-memory.dmp

memory/2212-7-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

memory/2212-8-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/2212-9-0x0000000005C90000-0x0000000005C9C000-memory.dmp

memory/2212-10-0x00000000081D0000-0x000000000829E000-memory.dmp

memory/2212-11-0x0000000008360000-0x00000000083FC000-memory.dmp

memory/2212-12-0x0000000008680000-0x0000000008718000-memory.dmp

memory/2272-13-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/2272-16-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/2212-17-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/2272-18-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/2272-19-0x0000000005470000-0x0000000005488000-memory.dmp

memory/2272-20-0x0000000005C30000-0x0000000005C96000-memory.dmp

memory/2272-22-0x0000000006DA0000-0x0000000006DF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe

MD5 aab98addfc64d836a4501bf2ac185a27
SHA1 a1f2dc4392e876d86291be089bd240bf50403ea5
SHA256 65b0592dfb7b89a3a110ce3e61904690dd6ee38e7f1290e0a9047e2a9ceb9454
SHA512 cd5aaa4f5a6471b6a179d454f3745c9bc68c3616c3ac472ca444bb3b694522e4370981a81e1ed4480e3cb5b84b10deee2ac42f9d87ba81a27b57c64b7852398c

memory/4480-33-0x0000000000560000-0x000000000057E000-memory.dmp

memory/4480-34-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/4480-35-0x0000000005460000-0x0000000005A78000-memory.dmp

memory/4480-36-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

memory/4480-37-0x0000000004E80000-0x0000000004EBC000-memory.dmp

memory/4480-42-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/4480-41-0x0000000004EC0000-0x0000000004F0C000-memory.dmp

memory/4480-43-0x00000000050F0000-0x00000000051FA000-memory.dmp

memory/2272-44-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/4480-45-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/4480-46-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 10:55

Reported

2024-11-05 10:57

Platform

win7-20241010-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Sectoprat family

sectoprat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob value not included in the report] | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2888 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2888 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2888 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2888 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2888 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2888 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2888 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2888 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2888 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
PID 2740 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe
PID 2740 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe
PID 2740 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe
PID 2740 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

"C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe"

C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

"C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 172.67.74.152:443 | api.ipify.org | tcp
GB | 193.47.61.37:38369 | | tcp
US | 8.8.8.8:53 | mail.kirtidevelopers.com | udp
US | 162.144.104.113:587 | mail.kirtidevelopers.com | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp
GB | 193.47.61.37:38369 | | tcp

Files

memory/2888-0-0x0000000073DCE000-0x0000000073DCF000-memory.dmp

memory/2888-1-0x00000000009A0000-0x0000000000AAA000-memory.dmp

memory/2888-2-0x0000000073DC0000-0x00000000744AE000-memory.dmp

memory/2888-3-0x00000000003D0000-0x00000000003E8000-memory.dmp

memory/2888-4-0x0000000073DCE000-0x0000000073DCF000-memory.dmp

memory/2888-5-0x0000000073DC0000-0x00000000744AE000-memory.dmp

memory/2888-6-0x00000000003F0000-0x00000000003FC000-memory.dmp

memory/2888-7-0x0000000008250000-0x000000000831E000-memory.dmp

memory/2888-8-0x00000000050A0000-0x0000000005138000-memory.dmp

memory/2740-9-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2740-17-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2740-21-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2740-19-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2740-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2740-13-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2740-11-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2740-10-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2740-22-0x0000000073DC0000-0x00000000744AE000-memory.dmp

memory/2888-23-0x0000000073DC0000-0x00000000744AE000-memory.dmp

memory/2740-24-0x0000000073DC0000-0x00000000744AE000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe

MD5 aab98addfc64d836a4501bf2ac185a27
SHA1 a1f2dc4392e876d86291be089bd240bf50403ea5
SHA256 65b0592dfb7b89a3a110ce3e61904690dd6ee38e7f1290e0a9047e2a9ceb9454
SHA512 cd5aaa4f5a6471b6a179d454f3745c9bc68c3616c3ac472ca444bb3b694522e4370981a81e1ed4480e3cb5b84b10deee2ac42f9d87ba81a27b57c64b7852398c

memory/2188-32-0x0000000000A40000-0x0000000000A5E000-memory.dmp

memory/2740-36-0x0000000073DC0000-0x00000000744AE000-memory.dmp

memory/2740-37-0x0000000073DC0000-0x00000000744AE000-memory.dmp