Analysis
max time kernel: 129s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2025, 22:09
Static task: static1
Behavioral task: behavioral1 (sample bad1.exe, resource win7-20240903-en)
Behavioral task: behavioral2 (sample bad1.exe, resource win10v2004-20241007-en)
General
Target: bad1.exe
Size: 40.2MB
MD5: 3de1b681a7e0bd3ab0eab17397e71d67
SHA1: 38af65d2a7153862c97f6549be6808263a41d37a
SHA256: c4f91a3c477d6c7ff7957ee33d1729d3df95c1903416cdc830c4178fd597c8b1
SHA512: 68833e4c0c51c98ab5e7b1316653471ff69bdf5b208007b40f8d6b647f193fe84a0b0413e46018fba77b53a2ce327276289cbd21cc54dc28dcb4df31383d5407
SSDEEP: 393216:q76L6otUitqtH7wHtXq2pt2jbOCacCFIK0fpP9HF4VW8yfwnVQx4urYsANulL7NO:q0LoCOn+2ws4urYDNulLBiua
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: mail.daipro.com.mx
Port: 587
Username: [email protected]
Password: DAIpro123**
Email To: [email protected]
https://scratchdreams.tk
Signatures
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
Snake Keylogger payload (1 IoC)
resource | yara_rule
behavioral2/memory/4356-24-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
Snakekeylogger family
Executes dropped EXE (1 IoC)
pid | Process
2072 | POF9876789.exe
Loads dropped DLL (6 IoCs)
pid | Process
2072 | POF9876789.exe
2072 | POF9876789.exe
2072 | POF9876789.exe
2072 | POF9876789.exe
2072 | POF9876789.exe
2072 | POF9876789.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 15 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | installutil.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | regasm.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | regasm.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | regasm.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | installutil.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | installutil.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POF9876789 = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\POF9876789.exe\"" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POF9876789 = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\POF9876789.exe\"" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POF9876789 = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\POF9876789.exe\"" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POF9876789 = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\POF9876789.exe\"" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POF9876789 = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\POF9876789.exe\"" | reg.exe
Looks up external IP address via web service (7 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
13 | checkip.dyndns.org
22 | reallyfreegeoip.org
23 | reallyfreegeoip.org
25 | reallyfreegeoip.org
26 | reallyfreegeoip.org
31 | reallyfreegeoip.org
35 | reallyfreegeoip.org
Suspicious use of SetThreadContext (5 IoCs)
description | pid | Process | procid_target
PID 2072 set thread context of 4356 | 2072 | POF9876789.exe | 92
PID 2072 set thread context of 1236 | 2072 | POF9876789.exe | 97
PID 2072 set thread context of 3200 | 2072 | POF9876789.exe | 103
PID 2072 set thread context of 4244 | 2072 | POF9876789.exe | 108
PID 2072 set thread context of 5004 | 2072 | POF9876789.exe | 113
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\libgcc_s_seh-1.dll | POF9876789.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\libgcc_s_seh-1.dll | POF9876789.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\libstdc++-6.dll | POF9876789.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\libwinpthread-1.dll | POF9876789.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Qt5Core.dll | POF9876789.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\libstdc++-6.dll | POF9876789.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\libwinpthread-1.dll | POF9876789.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices | POF9876789.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe | POF9876789.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe | POF9876789.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Qt5Core.dll | POF9876789.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regasm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AddInProcess32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | installutil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AddInProcess32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
3200 | installutil.exe
1236 | AddInProcess32.exe
4356 | regasm.exe
4244 | AddInProcess32.exe
5004 | AddInProcess32.exe
4244 | AddInProcess32.exe
4356 | regasm.exe
1236 | AddInProcess32.exe
5004 | AddInProcess32.exe
3200 | installutil.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2072 | POF9876789.exe
Token: SeDebugPrivilege | 4244 | AddInProcess32.exe
Token: SeDebugPrivilege | 3200 | installutil.exe
Token: SeDebugPrivilege | 4356 | regasm.exe
Token: SeDebugPrivilege | 1236 | AddInProcess32.exe
Token: SeDebugPrivilege | 5004 | AddInProcess32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1476 wrote to memory of 2072 | 1476 | bad1.exe | 84
PID 1476 wrote to memory of 2072 | 1476 | bad1.exe | 84
PID 2072 wrote to memory of 3460 | 2072 | POF9876789.exe | 85
PID 2072 wrote to memory of 3460 | 2072 | POF9876789.exe | 85
PID 3460 wrote to memory of 1104 | 3460 | cmd.exe | 87
PID 3460 wrote to memory of 1104 | 3460 | cmd.exe | 87
PID 1104 wrote to memory of 3860 | 1104 | cmd.exe | 88
PID 1104 wrote to memory of 3860 | 1104 | cmd.exe | 88
PID 2072 wrote to memory of 3972 | 2072 | POF9876789.exe | 89
PID 2072 wrote to memory of 3972 | 2072 | POF9876789.exe | 89
PID 2072 wrote to memory of 3972 | 2072 | POF9876789.exe | 89
PID 2072 wrote to memory of 1668 | 2072 | POF9876789.exe | 90
PID 2072 wrote to memory of 1668 | 2072 | POF9876789.exe | 90
PID 2072 wrote to memory of 1668 | 2072 | POF9876789.exe | 90
PID 2072 wrote to memory of 3596 | 2072 | POF9876789.exe | 91
PID 2072 wrote to memory of 3596 | 2072 | POF9876789.exe | 91
PID 2072 wrote to memory of 3596 | 2072 | POF9876789.exe | 91
PID 2072 wrote to memory of 4356 | 2072 | POF9876789.exe | 92
PID 2072 wrote to memory of 4356 | 2072 | POF9876789.exe | 92
PID 2072 wrote to memory of 4356 | 2072 | POF9876789.exe | 92
PID 2072 wrote to memory of 4356 | 2072 | POF9876789.exe | 92
PID 2072 wrote to memory of 4356 | 2072 | POF9876789.exe | 92
PID 2072 wrote to memory of 4356 | 2072 | POF9876789.exe | 92
PID 2072 wrote to memory of 4356 | 2072 | POF9876789.exe | 92
PID 2072 wrote to memory of 4356 | 2072 | POF9876789.exe | 92
PID 2072 wrote to memory of 3856 | 2072 | POF9876789.exe | 93
PID 2072 wrote to memory of 3856 | 2072 | POF9876789.exe | 93
PID 3856 wrote to memory of 1780 | 3856 | cmd.exe | 95
PID 3856 wrote to memory of 1780 | 3856 | cmd.exe | 95
PID 1780 wrote to memory of 4044 | 1780 | cmd.exe | 96
PID 1780 wrote to memory of 4044 | 1780 | cmd.exe | 96
PID 2072 wrote to memory of 1236 | 2072 | POF9876789.exe | 97
PID 2072 wrote to memory of 1236 | 2072 | POF9876789.exe | 97
PID 2072 wrote to memory of 1236 | 2072 | POF9876789.exe | 97
PID 2072 wrote to memory of 1236 | 2072 | POF9876789.exe | 97
PID 2072 wrote to memory of 1236 | 2072 | POF9876789.exe | 97
PID 2072 wrote to memory of 1236 | 2072 | POF9876789.exe | 97
PID 2072 wrote to memory of 1236 | 2072 | POF9876789.exe | 97
PID 2072 wrote to memory of 1236 | 2072 | POF9876789.exe | 97
PID 2072 wrote to memory of 4252 | 2072 | POF9876789.exe | 98
PID 2072 wrote to memory of 4252 | 2072 | POF9876789.exe | 98
PID 4252 wrote to memory of 1848 | 4252 | cmd.exe | 100
PID 4252 wrote to memory of 1848 | 4252 | cmd.exe | 100
PID 1848 wrote to memory of 4824 | 1848 | cmd.exe | 101
PID 1848 wrote to memory of 4824 | 1848 | cmd.exe | 101
PID 2072 wrote to memory of 4884 | 2072 | POF9876789.exe | 102
PID 2072 wrote to memory of 4884 | 2072 | POF9876789.exe | 102
PID 2072 wrote to memory of 4884 | 2072 | POF9876789.exe | 102
PID 2072 wrote to memory of 3200 | 2072 | POF9876789.exe | 103
PID 2072 wrote to memory of 3200 | 2072 | POF9876789.exe | 103
PID 2072 wrote to memory of 3200 | 2072 | POF9876789.exe | 103
PID 2072 wrote to memory of 3200 | 2072 | POF9876789.exe | 103
PID 2072 wrote to memory of 3200 | 2072 | POF9876789.exe | 103
PID 2072 wrote to memory of 3200 | 2072 | POF9876789.exe | 103
PID 2072 wrote to memory of 3200 | 2072 | POF9876789.exe | 103
PID 2072 wrote to memory of 3200 | 2072 | POF9876789.exe | 103
PID 2072 wrote to memory of 1316 | 2072 | POF9876789.exe | 104
PID 2072 wrote to memory of 1316 | 2072 | POF9876789.exe | 104
PID 1316 wrote to memory of 4204 | 1316 | cmd.exe | 106
PID 1316 wrote to memory of 4204 | 1316 | cmd.exe | 106
PID 4204 wrote to memory of 2020 | 4204 | cmd.exe | 107
PID 4204 wrote to memory of 2020 | 4204 | cmd.exe | 107
PID 2072 wrote to memory of 4244 | 2072 | POF9876789.exe | 108
PID 2072 wrote to memory of 4244 | 2072 | POF9876789.exe | 108
outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | installutil.exe
outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | installutil.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bad1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bad1.exe"
  PID: 1476
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\82e41998ea7cc85f2b42c3b1a7a08420\POF9876789.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\82e41998ea7cc85f2b42c3b1a7a08420\POF9876789.exe
    PID: 2072
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
      PID: 3460
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
        PID: 1104
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\reg.exe
          Command line: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
          PID: 3860
          Signatures: Adds Run key to start application
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      PID: 3972
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      PID: 1668
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      PID: 3596
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      PID: 4356
      Signatures: Accesses Microsoft Outlook profiles; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
      PID: 3856
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
        PID: 1780
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\reg.exe
          Command line: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
          PID: 4044
          Signatures: Adds Run key to start application
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      PID: 1236
      Signatures: Accesses Microsoft Outlook profiles; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
      PID: 4252
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
        PID: 1848
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\reg.exe
          Command line: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
          PID: 4824
          Signatures: Adds Run key to start application
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      PID: 4884
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      PID: 3200
      Signatures: Accesses Microsoft Outlook profiles; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
      PID: 1316
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
        PID: 4204
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\reg.exe
          Command line: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
          PID: 2020
          Signatures: Adds Run key to start application
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      PID: 4244
      Signatures: Accesses Microsoft Outlook profiles; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
      PID: 4628
      - C:\Windows\system32\cmd.exe
        Command line: cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
        PID: 4164
        - C:\Windows\system32\reg.exe
          Command line: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "POF9876789" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\POF9876789.exe\"" /f
          PID: 4112
          Signatures: Adds Run key to start application
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      PID: 5004
      Signatures: Accesses Microsoft Outlook profiles; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads