Analysis Overview
SHA256
282d4efd74164b844bf5a0dc437745738f2f48070575d278e83128a09c6929d5
Threat Level: Known bad
The file 5ba337af468de6f90b4c31ff4cef4c45.exe was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-28 11:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-28 11:22
Reported
2020-11-28 11:24
Platform
win7v20201028
Max time kernel
16s
Max time network
115s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 844 set thread context of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe
"C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe"
C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe
"C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe"
C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe
"C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.42.25:80 | api.ipify.org | tcp |
Files
memory/844-2-0x00000000749D0000-0x00000000750BE000-memory.dmp
memory/844-3-0x0000000000020000-0x0000000000021000-memory.dmp
memory/844-5-0x0000000004B00000-0x0000000004B9E000-memory.dmp
memory/844-6-0x0000000001E30000-0x0000000001E46000-memory.dmp
memory/1352-7-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1352-10-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1352-9-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1352-8-0x0000000000481BFE-mapping.dmp
memory/1352-11-0x00000000749D0000-0x00000000750BE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-28 11:22
Reported
2020-11-28 11:24
Platform
win10v20201028
Max time kernel
61s
Max time network
122s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4068 set thread context of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe
"C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe"
C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe
"C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.12.18:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.66.103:80 | api.ipify.org | tcp |
Files
memory/4068-2-0x0000000073E00000-0x00000000744EE000-memory.dmp
memory/4068-3-0x0000000000610000-0x0000000000611000-memory.dmp
memory/4068-5-0x0000000005410000-0x0000000005411000-memory.dmp
memory/4068-6-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
memory/4068-7-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
memory/4068-8-0x0000000005110000-0x00000000051AE000-memory.dmp
memory/4068-9-0x0000000007330000-0x0000000007331000-memory.dmp
memory/4068-10-0x0000000007300000-0x0000000007301000-memory.dmp
memory/4068-11-0x00000000073F0000-0x0000000007406000-memory.dmp
memory/1324-12-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1324-13-0x0000000000481BFE-mapping.dmp
memory/1324-15-0x0000000073E00000-0x00000000744EE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5ba337af468de6f90b4c31ff4cef4c45.exe.log
| MD5 | 4a30a8132195c1aa1a62b78676b178d9 |
| SHA1 | 506e6d99a2ba08c9d3553af30daaaa0fc46ae4be |
| SHA256 | 71636c227625058652c089035480b7bb3e5795f3998bc9823c401029fc844a20 |
| SHA512 | 3272b5129525c2b8f7efb99f5a2115cf2572480ff6938ca80e63f02c52588216f861307b9ef962ba015787cae0d5a95e74ebb5fe4b35b34f1c4f3a7deac8ce09 |
memory/1324-20-0x00000000064A0000-0x00000000064A1000-memory.dmp
memory/1324-21-0x0000000006DA0000-0x0000000006DA1000-memory.dmp
memory/1324-23-0x0000000006E90000-0x0000000006E91000-memory.dmp