Analysis Overview
SHA256
fba68e2814abacdbe354eb421f5fd731a64cf8410b9ded4e914373a7863c2e99
Threat Level: Known bad
The file 26-11-20_Dhl_Signed_document-pdf.exe was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-27 14:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-27 14:10
Reported
2020-11-27 14:12
Platform
win7v20201028
Max time kernel
13s
Max time network
18s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe"
Network
Files
memory/1760-2-0x0000000074DD0000-0x00000000754BE000-memory.dmp
memory/1760-3-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
memory/1760-5-0x0000000004BC0000-0x0000000004C23000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-27 14:10
Reported
2020-11-27 14:12
Platform
win10v20201028
Max time kernel
19s
Max time network
120s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc245 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc245.exe\"" | C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.8.21:443 | | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.243.164.148:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ecogasoline.com.pk | udp |
| N/A | 148.66.139.57:443 | ecogasoline.com.pk | tcp |
Files
memory/756-2-0x00000000739A0000-0x000000007408E000-memory.dmp
memory/756-3-0x0000000000D40000-0x0000000000D41000-memory.dmp
memory/756-5-0x0000000005C40000-0x0000000005C41000-memory.dmp
memory/756-6-0x00000000057E0000-0x00000000057E1000-memory.dmp
memory/756-7-0x0000000005740000-0x0000000005741000-memory.dmp
memory/756-8-0x0000000007370000-0x00000000073D3000-memory.dmp
memory/756-805-0x000000001F010000-0x000000001F011000-memory.dmp
memory/756-806-0x000000001EFE0000-0x000000001EFE1000-memory.dmp
memory/756-807-0x000000001F330000-0x000000001F3B6000-memory.dmp
memory/756-808-0x0000000020110000-0x0000000020111000-memory.dmp
memory/756-809-0x00000000207E0000-0x00000000207E1000-memory.dmp
memory/756-810-0x00000000210D0000-0x00000000210D1000-memory.dmp
memory/756-811-0x0000000021030000-0x0000000021069000-memory.dmp
memory/756-812-0x0000000021170000-0x00000000211FD000-memory.dmp
memory/756-813-0x00000000210A0000-0x00000000210A1000-memory.dmp
memory/756-814-0x0000000021200000-0x0000000021201000-memory.dmp