Malware Analysis Report

2025-04-14 05:15

Sample ID 201210-7yxvm3hymx
Target QCXw2WXDjOalhVZ.exe
SHA256 aeaa3fec34944cbad83383e98135ea619ede649f95f31edb2cbf1d8626761582
Tags: masslogger spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256 aeaa3fec34944cbad83383e98135ea619ede649f95f31edb2cbf1d8626761582

Threat Level: Known bad

The file QCXw2WXDjOalhVZ.exe was found to be: Known bad.

Malicious Activity Summary

masslogger spyware stealer

MassLogger

MassLogger Main Payload

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-12-10 11:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-12-10 11:14

Reported

2020-12-10 11:16

Platform

win7v20201028

Max time kernel

82s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 entries)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 736 set thread context of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | N/A (2 entries)
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 736 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | C:\Windows\SysWOW64\schtasks.exe (4 entries)
PID 736 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe (9 entries)
PID 1704 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 entries)

Processes

C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe

"C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dAojOEJLIk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D00.tmp"

C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe

"{path}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe'

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.225.220.115:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | smtp.gmail.com | udp
N/A | 173.194.79.109:587 | smtp.gmail.com | tcp

Files


C:\Users\Admin\AppData\Local\Temp\tmp3D00.tmp

MD5 ae69faad9861111bc41fc41fb1d2b591
SHA1 9a20c7c9dda3fcb2848451c23ff91f5dda4947aa
SHA256 1d107b04b6ebcfa48be5c4158e0994866043c8781824b84cd9ff07036c397eb9
SHA512 0bfa4be0dfd51805e5a4a0cce425bdb389c9a5653127436fdc7ba0746b60276ed8e5e88605c4ecb72adb9f9d891edb9496dd3fa59834759da91c1538c4907823


Analysis: behavioral2

Detonation Overview

Submitted

2020-12-10 11:14

Reported

2020-12-10 11:16

Platform

win10v20201028

Max time kernel

127s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 entries)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 744 set thread context of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | N/A (2 entries)
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 744 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | C:\Windows\SysWOW64\schtasks.exe (3 entries)
PID 744 wrote to memory of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe (8 entries)
PID 3360 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 entries)

Processes

C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe

"C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dAojOEJLIk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp106C.tmp"

C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe

"{path}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QCXw2WXDjOalhVZ.exe'

Network

Country | Destination | Domain | Proto
N/A | 52.109.12.18:443 | N/A | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.225.220.115:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | smtp.gmail.com | udp
N/A | 173.194.79.109:587 | smtp.gmail.com | tcp

Files


C:\Users\Admin\AppData\Local\Temp\tmp106C.tmp

MD5 4d2218817c1e0df6be9a9ce7fb324efc
SHA1 5812ba8e1514f2e9af5900a13d7086e9d08bfa34
SHA256 c69753716ac1eef2f7ccaba08b7e1737359c87a54060282cbe86f462cf05aac0
SHA512 71cf9b048bc0e36812bb645aa2474214fc5591bb0d6afac41ff7aab7d8ba098f37be81fd53a7b403aae50f2c3c52345bf0160e5c7be3b69583f57879c9c6de05


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QCXw2WXDjOalhVZ.exe.log

MD5 1fbd2c472b1491162a67c7eb6f949667
SHA1 f8124922f73cc8dc1e2b2db036d07966098f0b5f
SHA256 3450d274645bd70bbd5181c8408e88e0303776b75229838f5587f506e5095d37
SHA512 67dae4b4aa9fae1ff788fa680397dc54aa0deabcdd0297106db5eae97d2cf37197da92e036c5e90846ad49e188784094d7ded655037fcb98c1ab58eb044cb688
