Malware Analysis Report

2024-12-01 03:04

Sample ID 241108-drllesthpk
Target 8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
SHA256 8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad
Tags collection, discovery, execution, spyware, stealer
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 8/10

SHA256 8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad

Threat Level: Likely malicious

The file 8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe was found to be: Likely malicious.

Malicious Activity Summary

collection discovery execution spyware stealer

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

outlook_office_path

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 03:14

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 03:14

Reported

2024-11-08 03:17

Platform

win7-20241010-en

Max time kernel

43s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2528 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2528 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2528 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2528 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2528 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 2528 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 2528 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 2528 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 2528 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 2528 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 2528 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 2528 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 2528 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe

"C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JIlApjvRxj.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2202.tmp"

C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe

"C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
BR | 132.226.247.73:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 172.67.177.134:443 | reallyfreegeoip.org | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp2202.tmp

MD5 224167864fa900c68ff92c65adc07736
SHA1 891df957312b5d85c59abd64e9cca2474d97af83
SHA256 b704356ad4234194d49cfff75482bec9d68550c701cc989768b55aec32ffd5ad
SHA512 1f1b53f5e521a5ff7c68fcfdd82ba555266e2729ac1d6b7ae6f7d815f7c3936c8f87d58692f2fce392666b7717ab15a70b6a66bc141f93228d8b412512c0d81f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8JWGKXVKS5ZDW8LKNFVN.temp

MD5 f0c2e9d56642eee06e0d8a69a8e5acae
SHA1 03efcefa1468b412e5b2428767b2fa3e5a532cf8
SHA256 554771c8728d8b30cd4bdf6705ace7abea1de713ea4ce19a18cfdcbae8c0e3f6
SHA512 84988c9638de4aa618116e3e136185819f8b12e43d9361d37444a53cf08da4b0bc9dd3266014a4561a885b09a302a234c77b033146e6d1d52c11771531f2070b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 03:14

Reported

2024-11-08 03:17

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4456 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4456 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4456 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4456 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 4456 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 4456 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 4456 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 4456 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 4456 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 4456 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe
PID 4456 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe

"C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JIlApjvRxj.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp20A2.tmp"

C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe

"C:\Users\Admin\AppData\Local\Temp\8835d6d5566c121cb4fd76ef710de856b803636037b510524d3de684071cd1ad.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
BR | 132.226.247.73:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 172.67.177.134:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | 73.247.226.132.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.177.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp20A2.tmp

MD5 b11ba4cead102fbeb54f253602bc1484
SHA1 7be6ed5c02022817498ec7f7e9b9f3504b74a3bb
SHA256 a67674f93de1ce237b949048d19d3d042aa5cc95b5e772abcfbf844f6bb49840
SHA512 ee329188e560f2a7db1f7115c7150bf83b993d8a5c1e9f0d231856ef7677014568783af8cd4299065fc52db618177a6cbcf0dc3eb18c3d4cad9d8f9d268ba16c

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acsenjpk.wk5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c71bf18a4c464499a7095b22e206ae65
SHA1 80649c7f294359c5dbf4c54438f3fd0e480de698
SHA256 afacd75105f4631f538595c040cf70596b69c4860d0d1e222b0b8510ff884a5e
SHA512 5a16127a907df77e7d29048cebc540c23fbbdf7393f36efa16dd148b42806f437cb4536e88bbbe1d762ab1703ab7dca5acbec62b14cb090ccaaf59588678fbd2
