Analysis Overview
SHA256
1d5ef5eccb6e1598e4c3ccda198a61e58387ebba40398eb1d9262d1cab7dda06
Threat Level: Known bad
The file 201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-12-10 11:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-12-10 11:07
Reported
2020-12-10 11:09
Platform
win7v20201028
Max time kernel
122s
Max time network
121s
Signatures
MassLogger
MassLogger Main Payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1680 set thread context of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe | C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe | "C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zGvupbQjgFAJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD614.tmp" |
| C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe | "{path}" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe' |
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.83.248:80 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpD614.tmp
| MD5 | da3b8aea057c982d802a21941be47d91 |
| SHA1 | 1d5b62cf2282b5bce7212f55e8acf00debdbbe6c |
| SHA256 | f3fd43fcb27f6fa6f3243e834ba2ad38bb6bcd5fd2f65e7351fc926bc08dab67 |
| SHA512 | 59daabc049a859f8e02baf3c9d53036b584840e34693e88ca384514654ed4af6abd2056351b4f8267d122780c0d591508bad21356733c11abcb9908167e7508a |
Analysis: behavioral2
Detonation Overview
Submitted
2020-12-10 11:07
Reported
2020-12-10 11:09
Platform
win10v20201028
Max time kernel
122s
Max time network
122s
Signatures
MassLogger
MassLogger Main Payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1812 set thread context of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe | C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe | "C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zGvupbQjgFAJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp517C.tmp" |
| C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe | "{path}" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe' |
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.83.248:80 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp517C.tmp
| MD5 | 6f8127104ca09031cfd6ee8a78708c2f |
| SHA1 | b24caaa4d2d8ff64f9b1ee31dc5d927adb99c297 |
| SHA256 | 61571712051419ae620aac06b3eba46a1734a824e88b6371264161f6f0d9946b |
| SHA512 | d6eb837ba9878bcfdba33f2f8cc11d95c18e2a911cdaab4ed37e3fc5a5a43d73fe770ba43ee1e6a202c0481bfca1ef3daceb868b1da9638d2cba5091aa860be6 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\201900000025-CONSIGNMENT-DOCUMENTS-FOR-SHIPPING-GOODS-2020-12-12..exe.log
| MD5 | 1fbd2c472b1491162a67c7eb6f949667 |
| SHA1 | f8124922f73cc8dc1e2b2db036d07966098f0b5f |
| SHA256 | 3450d274645bd70bbd5181c8408e88e0303776b75229838f5587f506e5095d37 |
| SHA512 | 67dae4b4aa9fae1ff788fa680397dc54aa0deabcdd0297106db5eae97d2cf37197da92e036c5e90846ad49e188784094d7ded655037fcb98c1ab58eb044cb688 |