Analysis Overview
SHA256
41e5f5f33f0bd2be4a1a518796838feae0a966320522f07dc04460c6a386dedc
Threat Level: Known bad
The file kVqQhg9evpzeNYL.exe was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious behavior: AddClipboardFormatListener
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-12-05 15:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-12-05 15:26
Reported
2020-12-05 15:28
Platform
win7v20201028
Max time kernel
59s
Max time network
12s
Command Line
Signatures
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | "C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ByrCjQQzzsX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF48C.tmp" |
| C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | "{path}" |
| C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | "{path}" |
| C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | "{path}" |
| C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | "{path}" |
| C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | "{path}" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmpF48C.tmp
| Hash | Value |
|---|---|
| MD5 | 2953007615a3522f84e4d441c1ac890d |
| SHA1 | 93e00840923204a08fb56c58d02e50d8a305bab4 |
| SHA256 | 9656bf5616e90aa12fc25864bafebf68f7f5f686e7a8bc269240beea714c230b |
| SHA512 | 8db934ed415e4b20504031e9da3af3c4bddbf9f9964c944b87e54612f2fbe6719449adc22b66a4be38245c488055168fd06638b8b7fb70ac9a64482278999221 |
Analysis: behavioral2
Detonation Overview
Submitted
2020-12-05 15:26
Reported
2020-12-05 15:28
Platform
win10v20201028
Max time kernel
77s
Max time network
136s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 640 set thread context of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | "C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ByrCjQQzzsX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4007.tmp" |
| C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | "{path}" |
| C:\Users\Admin\AppData\Local\Temp\kVqQhg9evpzeNYL.exe | "{path}" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.142.93:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | mail.accent.in | udp |
| N/A | 192.206.4.83:587 | mail.accent.in | tcp |
| N/A | 95.101.78.106:80 | ctldl.windowsupdate.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp4007.tmp
| Hash | Value |
|---|---|
| MD5 | 59a5a73d33da1be60c909bc7fbded3c7 |
| SHA1 | 31d5d57a743ac5a32ceb310de6b4a11b276b7509 |
| SHA256 | c8e72d6be93e16bea8bc3583ee63a3f40c9551ced4b13aaf3e65140208c6cdfb |
| SHA512 | e7cb9fa592e87d2e63e19b2b6153f50a13b919f07c7095c62da52b98aefe1388c65ea49b2b41f93a3385201710c52483325395d4e4f3a63240f36d901800c1b6 |
memory/1336-14-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1336-15-0x000000000048146E-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kVqQhg9evpzeNYL.exe.log
| Hash | Value |
|---|---|
| MD5 | 3fed8d1dd11972a6e2603bb2d73a3ee5 |
| SHA1 | 7ecb7f64ade7b91c5815da647e84167c3d95afb4 |
| SHA256 | eecf6c0575dc995a485d46a5daaa66f58229e552f16782d873834d218ab17551 |
| SHA512 | ca6059eb67f800cc666d5146d24070abf5ee08209f8f9d1668a0ca2201eb3f6fa013c2d807b09925e12b82c37686980fcc26a6a5e4a5ba129c4b2a585961d3bb |