Analysis Overview
| SHA256 | 640289c16945be9c80c83c59b2e09cf45b257bfff3f13088bcabdbf70c9726f7 |
Threat Level: Known bad
The file 5DwZRGIVuBTsW0Q.exe was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2020-12-10 11:18 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2020-12-10 11:18 |
| Reported | 2020-12-10 11:20 |
| Platform | win7v20201028 |
| Max time kernel | 61s |
| Max time network | 15s |
Command Line
Signatures
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe
"C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IIuCiRybtL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpECDE.tmp"
C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe
"{path}"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmpECDE.tmp
| MD5 | 8cfa3d202fc2a0371a269fcd44fc9272 |
| SHA1 | 8af32b85f272915af36dc02d5555967e36e293ab |
| SHA256 | bb5d7325bf1c799ad1696bfeb47820acdf1b1b388c684b442d6aea7701dc8bbd |
| SHA512 | ff8298cef2aa999c5d891983736acdbf8bad73ee73ef5f287014e77f1053198d88a51e2d1eb522e496a284e067b1eff3b36d7e96f845149e883b6ed57f600b80 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2020-12-10 11:18 |
| Reported | 2020-12-10 11:20 |
| Platform | win10v20201028 |
| Max time kernel | 77s |
| Max time network | 133s |
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 648 set thread context of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe | C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe
"C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IIuCiRybtL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B3C.tmp"
C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\5DwZRGIVuBTsW0Q.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 174.129.214.20:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | mail.accent.in | udp |
| N/A | 192.206.4.83:587 | mail.accent.in | tcp |
| N/A | 88.221.144.130:80 | ctldl.windowsupdate.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp7B3C.tmp
| MD5 | 6d20b0dbd9c383972ace8ded63d7b5d8 |
| SHA1 | 02cdfc6c499227952646eeaff98d37c0c473e562 |
| SHA256 | 3bff328117d62b23d74ac3b4a4569328b09d0b07b5ed8156c544c47f7fd36702 |
| SHA512 | dee5f85653e9a04b88bb871283bdcf44324ba4aba6e4356cd25cb74a522de6393c2ddb033b33f594caafdc36f6ab8e13c3afe141baf2813ac75f557d6ad18af4 |
memory/2112-17-0x0000000000400000-0x0000000000486000-memory.dmp
memory/2112-18-0x000000000048146E-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5DwZRGIVuBTsW0Q.exe.log
| MD5 | 1fbd2c472b1491162a67c7eb6f949667 |
| SHA1 | f8124922f73cc8dc1e2b2db036d07966098f0b5f |
| SHA256 | 3450d274645bd70bbd5181c8408e88e0303776b75229838f5587f506e5095d37 |
| SHA512 | 67dae4b4aa9fae1ff788fa680397dc54aa0deabcdd0297106db5eae97d2cf37197da92e036c5e90846ad49e188784094d7ded655037fcb98c1ab58eb044cb688 |