Analysis Overview
SHA256
53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5
Threat Level: Known bad
The file PAYMENT REMIT COPY 673578.pif.exe was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-30 14:24
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-30 14:24
Reported
2020-11-30 14:27
Platform
win10v20201028
Max time kernel
119s
Max time network
142s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3584 set thread context of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.220.115:80 | api.ipify.org | tcp |
Files
memory/3584-2-0x0000000073900000-0x0000000073FEE000-memory.dmp
memory/3584-3-0x0000000000E90000-0x0000000000E91000-memory.dmp
memory/3584-5-0x0000000005C10000-0x0000000005C11000-memory.dmp
memory/3584-6-0x00000000057B0000-0x00000000057B1000-memory.dmp
memory/3584-7-0x0000000005760000-0x0000000005761000-memory.dmp
memory/3584-8-0x0000000007480000-0x0000000007518000-memory.dmp
memory/3584-9-0x0000000005B70000-0x0000000005B86000-memory.dmp
memory/204-11-0x000000000048209E-mapping.dmp
memory/204-10-0x0000000000400000-0x0000000000488000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT REMIT COPY 673578.pif.exe.log
| MD5 | 9e7845217df4a635ec4341c3d52ed685 |
| SHA1 | d65cb39d37392975b038ce503a585adadb805da5 |
| SHA256 | d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b |
| SHA512 | 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1 |
memory/204-13-0x0000000073900000-0x0000000073FEE000-memory.dmp
memory/204-18-0x0000000006830000-0x0000000006831000-memory.dmp
memory/204-20-0x0000000007170000-0x0000000007171000-memory.dmp
memory/204-21-0x0000000007410000-0x0000000007411000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-30 14:24
Reported
2020-11-30 14:27
Platform
win7v20201028
Max time kernel
48s
Max time network
147s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 476 set thread context of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 174.129.214.20:80 | api.ipify.org | tcp |
Files
memory/476-2-0x0000000073F20000-0x000000007460E000-memory.dmp
memory/476-3-0x0000000000E80000-0x0000000000E81000-memory.dmp
memory/476-5-0x0000000004850000-0x00000000048E8000-memory.dmp
memory/476-6-0x0000000000A00000-0x0000000000A16000-memory.dmp
memory/1592-8-0x000000000048209E-mapping.dmp
memory/1592-7-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1592-9-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1592-10-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1592-11-0x0000000073F20000-0x000000007460E000-memory.dmp