Malware Analysis Report

2025-04-14 05:14

Sample ID 201202-al4p7fwmb6
Target Payment Advice.exe
SHA256 e39ed8bfee05ab6d964885748f4800bf955b47b59002213e34e5b9d331882b98
Tags
masslogger persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e39ed8bfee05ab6d964885748f4800bf955b47b59002213e34e5b9d331882b98

Threat Level: Known bad

The file Payment Advice.exe was found to be: Known bad.

Malicious Activity Summary

masslogger persistence spyware stealer

MassLogger

Modifies WinLogon for persistence

MassLogger Main Payload

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-12-02 09:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-12-02 09:20

Reported

2020-12-02 09:22

Platform

win7v20201028

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment Advice.exe\"" | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Advice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Advice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | N/A

Reads user/profile data of web browsers

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment Advice.exe" | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment Advice.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment Advice.exe" | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 548 set thread context of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 548 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1392 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1392 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1392 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 548 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
PID 548 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
PID 548 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
PID 548 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
PID 548 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
PID 548 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
PID 548 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
PID 548 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
PID 548 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
PID 1268 wrote to memory of 600 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1268 wrote to memory of 600 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1268 wrote to memory of 600 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1268 wrote to memory of 600 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1268 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1268 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1268 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1268 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout 4.891

C:\Windows\SysWOW64\timeout.exe

timeout 4.891

C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe'

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | hastebin.com | udp
N/A | 172.67.143.180:443 | hastebin.com | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 174.129.214.20:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | mail.porathacorp.com | udp
N/A | 103.6.196.138:587 | mail.porathacorp.com | tcp
N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp

Files

memory/548-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp

memory/548-3-0x0000000000F40000-0x0000000000F41000-memory.dmp

memory/1392-5-0x0000000000000000-mapping.dmp

memory/2016-6-0x0000000000000000-mapping.dmp

memory/548-7-0x000000000B200000-0x000000000B353000-memory.dmp

memory/1268-8-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1268-9-0x000000000048184E-mapping.dmp

memory/1268-10-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1268-11-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1268-12-0x0000000074D40000-0x000000007542E000-memory.dmp

memory/600-15-0x0000000000000000-mapping.dmp

memory/600-16-0x0000000074D40000-0x000000007542E000-memory.dmp

memory/1268-17-0x0000000000B30000-0x0000000000B69000-memory.dmp

memory/1268-18-0x0000000005D40000-0x0000000005DCD000-memory.dmp

memory/600-19-0x00000000009D0000-0x00000000009D1000-memory.dmp

memory/600-20-0x0000000004920000-0x0000000004921000-memory.dmp

memory/600-21-0x0000000004610000-0x0000000004611000-memory.dmp

memory/600-22-0x0000000005240000-0x0000000005241000-memory.dmp

memory/600-25-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

memory/600-30-0x0000000006040000-0x0000000006041000-memory.dmp

memory/600-31-0x0000000006130000-0x0000000006131000-memory.dmp

memory/600-38-0x0000000006280000-0x0000000006281000-memory.dmp

memory/600-39-0x0000000006220000-0x0000000006221000-memory.dmp

memory/600-53-0x0000000006300000-0x0000000006301000-memory.dmp

memory/600-54-0x0000000006310000-0x0000000006311000-memory.dmp

memory/1636-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 bb41a7cded98b1c9b9bf0791b5936ca4
SHA1 a7a1bcef430f476126625f596f73d03313d5e41b
SHA256 807947fe447b74188e9317ca91e39ba6729244e695e7fba6d70aa9ebde65b008
SHA512 f9a8f686c4efd5277b771c1461b092aeb3930f19a878b2e76177d1830437313eca9c8db901f71940941d61bd1140824db93534ad9f863f7df2da69a3e392321c

memory/1636-57-0x00000000748B0000-0x0000000074F9E000-memory.dmp

memory/1636-58-0x0000000002430000-0x0000000002431000-memory.dmp

memory/1636-59-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

memory/1636-60-0x0000000002650000-0x0000000002651000-memory.dmp

memory/1636-61-0x0000000004910000-0x0000000004911000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 1752c56c4e123f079b3b037d97a4780f
SHA1 78647e6e4b9dcc319c05e9e1e8923bd6c5526833
SHA256 6f00c7a4ea0a341236000e716379ba56830acd70a34c0cd07b8c675a56f55700
SHA512 37eb9356aa81d8a69eeac9f8d8a8110ca52ffc191c9d9dda8efc36e638bc8f10a0f93f75a4203c3bb2e188d623c1708f98e68eebc0b084475c662040426777b3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1

MD5 b6d38f250ccc9003dd70efd3b778117f
SHA1 d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA256 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA512 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404

MD5 75a8da7754349b38d64c87c938545b1b
SHA1 5c28c257d51f1c1587e29164cc03ea880c21b417
SHA256 bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47

MD5 02ff38ac870de39782aeee04d7b48231
SHA1 0390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256 fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA512 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d

MD5 df44874327d79bd75e4264cb8dc01811
SHA1 1396b06debed65ea93c24998d244edebd3c0209d
SHA256 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA512 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9

MD5 5e3c7184a75d42dda1a83606a45001d8
SHA1 94ca15637721d88f30eb4b6220b805c5be0360ed
SHA256 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512 fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c

MD5 be4d72095faf84233ac17b94744f7084
SHA1 cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256 b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA512 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97

MD5 a725bb9fafcf91f3c6b7861a2bde6db2
SHA1 8bb5b83f3cc37ff1e5ea4f02acae38e72364c114
SHA256 51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
SHA512 1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_03bfaf74-c48a-406b-812c-2684df821d22

MD5 597009ea0430a463753e0f5b1d1a249e
SHA1 4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
SHA256 3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
SHA512 5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

memory/1636-71-0x00000000057B0000-0x00000000057B1000-memory.dmp

memory/1636-72-0x0000000006270000-0x0000000006271000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-12-02 09:20

Reported

2020-12-02 09:22

Platform

win10v20201028

Max time kernel

24s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"

Signatures

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout 4.891

C:\Windows\SysWOW64\timeout.exe

timeout 4.891

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1724

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | hastebin.com | udp
N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp

Files

memory/2432-2-0x0000000073970000-0x000000007405E000-memory.dmp

memory/2432-3-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/2432-5-0x0000000005790000-0x0000000005791000-memory.dmp

memory/2128-6-0x0000000000000000-mapping.dmp

memory/3708-7-0x0000000000000000-mapping.dmp

memory/3132-8-0x0000000004560000-0x0000000004561000-memory.dmp

memory/3132-9-0x0000000004DA0000-0x0000000004DA1000-memory.dmp