Analysis Overview
SHA256
53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5
Threat Level: Known bad
The file PAYMENT REMIT COPY 673578.pif.exe was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-30 14:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-30 14:25
Reported
2020-11-30 14:27
Platform
win7v20201028
Max time kernel
47s
Max time network
145s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1756 set thread context of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.66.103:80 | api.ipify.org | tcp |
Files
memory/1756-2-0x00000000749D0000-0x00000000750BE000-memory.dmp
memory/1756-3-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1756-5-0x0000000004C40000-0x0000000004CD8000-memory.dmp
memory/1756-6-0x0000000000860000-0x0000000000876000-memory.dmp
memory/1464-7-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1464-8-0x000000000048209E-mapping.dmp
memory/1464-9-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1464-10-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1464-11-0x00000000749D0000-0x00000000750BE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-30 14:25
Reported
2020-11-30 14:27
Platform
win10v20201028
Max time kernel
75s
Max time network
145s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 640 set thread context of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 174.129.214.20:80 | api.ipify.org | tcp |
Files
memory/640-2-0x0000000073E00000-0x00000000744EE000-memory.dmp
memory/640-3-0x00000000005A0000-0x00000000005A1000-memory.dmp
memory/640-5-0x0000000005300000-0x0000000005301000-memory.dmp
memory/640-6-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
memory/640-7-0x0000000004E70000-0x0000000004E71000-memory.dmp
memory/640-8-0x0000000006B70000-0x0000000006C08000-memory.dmp
memory/640-9-0x00000000052C0000-0x00000000052D6000-memory.dmp
memory/3008-10-0x0000000000400000-0x0000000000488000-memory.dmp
memory/3008-11-0x000000000048209E-mapping.dmp
memory/3008-13-0x0000000073E00000-0x00000000744EE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT REMIT COPY 673578.pif.exe.log
| MD5 | 9e7845217df4a635ec4341c3d52ed685 |
| SHA1 | d65cb39d37392975b038ce503a585adadb805da5 |
| SHA256 | d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b |
| SHA512 | 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1 |
memory/3008-18-0x00000000063D0000-0x00000000063D1000-memory.dmp
memory/3008-20-0x0000000006CC0000-0x0000000006CC1000-memory.dmp
memory/3008-21-0x0000000006EB0000-0x0000000006EB1000-memory.dmp