f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
Size

1.1MB
MD5

51b591af51c719fe45c77aefd310b748
SHA1

8ba7fef83fbd129616b8e94e0c489c412bd70ae3
SHA256

f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682
SHA512

da1ed6e4cc287eb264abc43793c1a44df3abc56a94db81f9182f952468304993e97a8a50f46d37e253d1f44b8bfa073c931902161c5d4532c87b9a2300f8e080
SSDEEP

24576:WfmMv6Ckr7Mny5Qti452VFcjvzjr0A0/1D6d:W3v+7/5Qtl52PEL/0A0/1D6d

Score

7^/10

collection discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subpredicate.vbs	subpredicate.exe

Executes dropped EXE 3 IoCs

pid	Process
2704	subpredicate.exe
2564	subpredicate.exe
2500	subpredicate.exe

Loads dropped DLL 1 IoCs

pid	Process
2364	f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00070000000192f0-4.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2500 set thread context of 2864	2500	subpredicate.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subpredicate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subpredicate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subpredicate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2864	RegSvcs.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2704	subpredicate.exe
2564	subpredicate.exe
2500	subpredicate.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	RegSvcs.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2364	f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
2364	f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
2704	subpredicate.exe
2704	subpredicate.exe
2564	subpredicate.exe
2564	subpredicate.exe
2500	subpredicate.exe
2500	subpredicate.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2364	f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
2364	f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
2704	subpredicate.exe
2704	subpredicate.exe
2564	subpredicate.exe
2564	subpredicate.exe
2500	subpredicate.exe
2500	subpredicate.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2704	2364	f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe	30
PID 2364 wrote to memory of 2704	2364	f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe	30
PID 2364 wrote to memory of 2704	2364	f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe	30
PID 2364 wrote to memory of 2704	2364	f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe	30
PID 2704 wrote to memory of 2160	2704	subpredicate.exe	31
PID 2704 wrote to memory of 2160	2704	subpredicate.exe	31
PID 2704 wrote to memory of 2160	2704	subpredicate.exe	31
PID 2704 wrote to memory of 2160	2704	subpredicate.exe	31
PID 2704 wrote to memory of 2160	2704	subpredicate.exe	31
PID 2704 wrote to memory of 2160	2704	subpredicate.exe	31
PID 2704 wrote to memory of 2160	2704	subpredicate.exe	31
PID 2704 wrote to memory of 2564	2704	subpredicate.exe	32
PID 2704 wrote to memory of 2564	2704	subpredicate.exe	32
PID 2704 wrote to memory of 2564	2704	subpredicate.exe	32
PID 2704 wrote to memory of 2564	2704	subpredicate.exe	32
PID 2564 wrote to memory of 2316	2564	subpredicate.exe	33
PID 2564 wrote to memory of 2316	2564	subpredicate.exe	33
PID 2564 wrote to memory of 2316	2564	subpredicate.exe	33
PID 2564 wrote to memory of 2316	2564	subpredicate.exe	33
PID 2564 wrote to memory of 2316	2564	subpredicate.exe	33
PID 2564 wrote to memory of 2316	2564	subpredicate.exe	33
PID 2564 wrote to memory of 2316	2564	subpredicate.exe	33
PID 2564 wrote to memory of 2500	2564	subpredicate.exe	34
PID 2564 wrote to memory of 2500	2564	subpredicate.exe	34
PID 2564 wrote to memory of 2500	2564	subpredicate.exe	34
PID 2564 wrote to memory of 2500	2564	subpredicate.exe	34
PID 2500 wrote to memory of 2864	2500	subpredicate.exe	35
PID 2500 wrote to memory of 2864	2500	subpredicate.exe	35
PID 2500 wrote to memory of 2864	2500	subpredicate.exe	35
PID 2500 wrote to memory of 2864	2500	subpredicate.exe	35
PID 2500 wrote to memory of 2864	2500	subpredicate.exe	35
PID 2500 wrote to memory of 2864	2500	subpredicate.exe	35
PID 2500 wrote to memory of 2864	2500	subpredicate.exe	35
PID 2500 wrote to memory of 2864	2500	subpredicate.exe	35

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
"C:\Users\Admin\AppData\Local\Temp\f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\meshuggenah\subpredicate.exe
  "C:\Users\Admin\AppData\Local\Temp\f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe"
    3⤵
    PID:2160
- - C:\Users\Admin\AppData\Local\meshuggenah\subpredicate.exe
    "C:\Users\Admin\AppData\Local\meshuggenah\subpredicate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\meshuggenah\subpredicate.exe"
      4⤵
      PID:2316
  - - C:\Users\Admin\AppData\Local\meshuggenah\subpredicate.exe
      "C:\Users\Admin\AppData\Local\meshuggenah\subpredicate.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\meshuggenah\subpredicate.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\meshuggenah\subpredicate.exe

Filesize
1.1MB

MD5
51b591af51c719fe45c77aefd310b748

SHA1
8ba7fef83fbd129616b8e94e0c489c412bd70ae3

SHA256
f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682

SHA512
da1ed6e4cc287eb264abc43793c1a44df3abc56a94db81f9182f952468304993e97a8a50f46d37e253d1f44b8bfa073c931902161c5d4532c87b9a2300f8e080

Download Submit
memory/2364-2-0x00000000038D0000-0x0000000003CD0000-memory.dmp

Filesize
4.0MB

Download
memory/2564-18-0x0000000003AC0000-0x0000000003EC0000-memory.dmp

Filesize
4.0MB

Download
memory/2704-12-0x0000000003D70000-0x0000000004170000-memory.dmp

Filesize
4.0MB

Download
memory/2864-82-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-78-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-25-0x00000000001E0000-0x0000000000210000-memory.dmp

Filesize
192KB

Download
memory/2864-26-0x00000000004F0000-0x000000000051E000-memory.dmp

Filesize
184KB

Download
memory/2864-27-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-28-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-30-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-32-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-34-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-51-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-56-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-72-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-88-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-86-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-84-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2864-80-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2864-76-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-74-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-70-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-68-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-66-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-64-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-62-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-60-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-58-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-54-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-53-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-48-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-46-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-44-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-42-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-40-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-38-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2864-36-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download