Analysis Overview
SHA256
a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18
Threat Level: Shows suspicious behavior
The file a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 01:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 01:10
Reported
2024-11-14 01:12
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\outlook.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | N/A |
| File created | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | N/A |
| File opened for modification | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | N/A |
| File opened for modification | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | N/A |
| File opened for modification | C:\Windows\outlook.cfg | C:\Windows\outlook.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\outlook.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe
"C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe"
C:\Windows\outlook.exe
C:\Windows\outlook.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| N/A | 127.0.0.1:80 | | tcp |
| N/A | 127.0.0.1:1434 | | tcp |
| N/A | 127.0.0.1:1433 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | smtp.google.com | udp |
| US | 8.8.8.8:53 | aspmx3.googlemail.com | udp |
| US | 8.8.8.8:53 | aspmx3.googlemail.com | udp |
| GB | 64.233.166.27:25 | smtp.google.com | tcp |
| DE | 142.251.9.26:25 | aspmx3.googlemail.com | tcp |
| DE | 142.251.9.26:25 | aspmx3.googlemail.com | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | thawte-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | thawte-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | thawte-com.mail.protection.outlook.com | udp |
| US | 52.101.9.14:25 | thawte-com.mail.protection.outlook.com | tcp |
| US | 52.101.9.17:25 | thawte-com.mail.protection.outlook.com | tcp |
| US | 52.101.194.0:25 | thawte-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| DE | 142.251.9.26:25 | aspmx3.googlemail.com | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| DE | 142.251.9.26:25 | aspmx3.googlemail.com | tcp |
| DE | 142.251.9.26:25 | aspmx3.googlemail.com | tcp |
| DE | 142.251.9.26:25 | aspmx3.googlemail.com | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | natalya.videolan.org | udp |
| FR | 213.36.253.119:25 | natalya.videolan.org | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | mx-in-vib.apple.com | udp |
| DK | 17.57.170.2:25 | mx-in-vib.apple.com | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp |
| US | 52.101.11.0:25 | microsoft-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | adobe.mail.protection.outlook.com | udp |
| US | 52.101.194.19:25 | adobe.mail.protection.outlook.com | tcp |
Files
memory/2980-0-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Windows\outlook.exe
| MD5 | 0e9379e357aba95f8b9883af9b67675e |
| SHA1 | 280a174a414e5b8588f42b6328af2c8c8ff4394f |
| SHA256 | 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28 |
| SHA512 | 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784 |
memory/2980-25-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2748-46-0x0000000000400000-0x000000000047E000-memory.dmp
memory/2748-71-0x0000000000400000-0x000000000047E000-memory.dmp
memory/2748-88-0x0000000000400000-0x000000000047E000-memory.dmp
memory/2748-89-0x0000000000400000-0x000000000047E000-memory.dmp
memory/2748-90-0x0000000000400000-0x000000000047E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 01:10
Reported
2024-11-14 01:12
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
136s
Command Line
Signatures
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\outlook.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | N/A |
| File created | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | N/A |
| File opened for modification | C:\Windows\outlook.exe | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | N/A |
| File opened for modification | C:\Windows\sys32.exe | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | N/A |
| File opened for modification | C:\Windows\outlook.cfg | C:\Windows\outlook.exe | N/A |
| File created | C:\Windows\crc32.cfg | C:\Windows\outlook.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\outlook.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\outlook.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4840 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | C:\Windows\outlook.exe |
| PID 4840 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | C:\Windows\outlook.exe |
| PID 4840 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe | C:\Windows\outlook.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe
"C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe"
C:\Windows\outlook.exe
C:\Windows\outlook.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1828 -ip 1828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 38980
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| N/A | 127.0.0.1:80 | | tcp |
| N/A | 127.0.0.1:1434 | | tcp |
| N/A | 127.0.0.1:1433 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | aspmx3.googlemail.com | udp |
| US | 8.8.8.8:53 | smtp.google.com | udp |
| US | 8.8.8.8:53 | inbound-reply.s7.exacttarget.com | udp |
| DE | 142.251.9.26:25 | aspmx3.googlemail.com | tcp |
| US | 136.147.189.244:25 | inbound-reply.s7.exacttarget.com | tcp |
| GB | 64.233.166.27:25 | smtp.google.com | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp |
| DE | 142.251.9.26:25 | aspmx3.googlemail.com | tcp |
| US | 52.101.11.0:25 | microsoft-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | incoming-relays.illinois.edu | udp |
| US | 8.8.8.8:53 | nokia-com.mail.protection.outlook.com | udp |
| US | 148.163.135.28:25 | incoming-relays.illinois.edu | tcp |
| IE | 52.101.68.39:25 | nokia-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/4840-0-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Windows\outlook.exe
| MD5 | 0e9379e357aba95f8b9883af9b67675e |
| SHA1 | 280a174a414e5b8588f42b6328af2c8c8ff4394f |
| SHA256 | 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28 |
| SHA512 | 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784 |
C:\Windows\outlook.cfg
| MD5 | c19aad2e5b26747970fbe045bf6beba4 |
| SHA1 | 7bbec1f5c6536fa159238746e23b9d703f155217 |
| SHA256 | 3a232c9dfcaa3967bb58aeedfa7ac948b50f79457dc24ce5e26fe7d27accb4a5 |
| SHA512 | 8be1a2b34277db2a47a51b25e1a23d94ba48fab98cbcc554b11e7f928c0c6b2e4b3fc8706e3ecd094bdb3d7bc51a2760a65e839e25ee84fb97d1de052962d1cd |
memory/4840-25-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1828-106-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Windows\outlook.cfg
| MD5 | 7c48c983a5c7d86790d82122cbda5803 |
| SHA1 | 946483f6245f5f811b173c178daa32c98919cffe |
| SHA256 | f8fd20d1d47f3e189862451105beeda378ab03d84c44ef0251e965f11893c612 |
| SHA512 | a0b6082af2bfac351c4bd294e91f43b0fadc4858d347fd39eb105a8b2165c54b874640fcc3eb2c6b4c67cb0c82e441352c96e2e7801cab40fea51e66d0159219 |
memory/1828-132-0x0000000000400000-0x000000000047E000-memory.dmp