Analysis Overview
SHA256: d3fd794e64ae0f414de9949be22024ba7edf5341805901af486ff2aa934a6ea4
Threat Level: Known bad
The file ddxWKELkDxNZ6z6.exe was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
Reads user/profile data of web browsers
Checks computer location settings
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2020-12-13 08:33
Signatures
Analysis: behavioral2
Detonation Overview
Submitted: 2020-12-13 08:33
Reported: 2020-12-13 08:35
Platform: win10v20201028
Max time kernel: 66s
Max time network: 121s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4760 set thread context of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe
"C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PIqcvnnXKVfCp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp42C6.tmp"
C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.126.66:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | mail.accent.in | udp |
| N/A | 192.206.4.83:587 | mail.accent.in | tcp |
| N/A | 95.101.78.82:80 | ctldl.windowsupdate.com | tcp |
Files
memory/4760-2-0x0000000073150000-0x000000007383E000-memory.dmp
memory/4760-3-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/4760-5-0x0000000007310000-0x00000000073ED000-memory.dmp
memory/4760-6-0x000000000ABF0000-0x000000000ABF1000-memory.dmp
memory/4760-7-0x000000000A7D0000-0x000000000A7D1000-memory.dmp
memory/4760-8-0x000000000A7B0000-0x000000000A7B1000-memory.dmp
memory/4760-9-0x000000000AA10000-0x000000000AA11000-memory.dmp
memory/4760-10-0x000000000B620000-0x000000000B621000-memory.dmp
memory/4760-11-0x000000000ABE0000-0x000000000ABEE000-memory.dmp
memory/4760-12-0x0000000004F90000-0x000000000504C000-memory.dmp
memory/832-13-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp42C6.tmp
| MD5 | 4a10a6b6394c40e2182ec2e15649f26f |
| SHA1 | 5bffe3e122684e93ced3e582ec4cb64a28ce8c46 |
| SHA256 | 153cd211509462604bf8d291003d1d1c031a5e88468fd0f2bce30b74b89ddfcf |
| SHA512 | 16b18d66f827b2d585d9465d83baea1d918c7e6c2c1b5892bfcd63cbbb7c4d9b67df4d3cd42f94c32dc985a669d1564df44c4d836f9ae0977265c92a8fa92eab |
memory/888-15-0x0000000000400000-0x0000000000486000-memory.dmp
memory/888-16-0x000000000048146E-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ddxWKELkDxNZ6z6.exe.log
| MD5 | 5673cf2af5615403885e4175a3fd0f0f |
| SHA1 | 89ea32eab4fcc61b8738859fc2175f18d2bb2c4e |
| SHA256 | ab86113916e6b256585f9eecd39a3d4bcd118bed7a635afd2ad3190676fd08f2 |
| SHA512 | 60388b060afc61940109875b7d3a0bc96a2ef98543d54df603f267d8abd99c7b1a5a8bf9a2f7475a4e5af094e6a8c7d54e2242d25b28f771e515bb219a4b2d6b |
memory/888-18-0x0000000073150000-0x000000007383E000-memory.dmp
memory/888-23-0x0000000006B30000-0x0000000006B31000-memory.dmp
memory/888-24-0x0000000007450000-0x0000000007451000-memory.dmp
memory/888-27-0x00000000074E0000-0x0000000007519000-memory.dmp
memory/888-28-0x00000000080E0000-0x000000000816D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted: 2020-12-13 08:33
Reported: 2020-12-13 08:35
Platform: win7v20201028
Max time kernel: 70s
Max time network: 127s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1916 set thread context of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe
"C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PIqcvnnXKVfCp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE550.tmp"
C:\Users\Admin\AppData\Local\Temp\ddxWKELkDxNZ6z6.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.189.250:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | mail.accent.in | udp |
| N/A | 192.206.4.83:587 | mail.accent.in | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
Files
memory/1916-2-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/1916-3-0x0000000001310000-0x0000000001311000-memory.dmp
memory/1916-5-0x0000000006ED0000-0x0000000006FAD000-memory.dmp
memory/1916-6-0x0000000000410000-0x0000000000421000-memory.dmp
memory/1916-8-0x00000000002A0000-0x00000000002AE000-memory.dmp
memory/1916-9-0x0000000004B50000-0x0000000004C0C000-memory.dmp
memory/412-11-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE550.tmp
| MD5 | f3b5b92387e30660b965f4e4579d3654 |
| SHA1 | 65cde49ec3150de1536377268f0c7ca7213fd954 |
| SHA256 | a03faf826ecf2f1cc49c047dbca98907e5c3c712fdacbb50324a25d4ef8147b7 |
| SHA512 | 6cd46dc2af0b6c6b17018b0ef9a678109833e70ae960752fbd5404608d3447a98627989d1483368d5e8210c43bca763c73192c83c0e7418bd12b512137b6259d |
memory/1320-13-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1320-14-0x000000000048146E-mapping.dmp
memory/1320-15-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1320-16-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1320-17-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/1916-18-0x0000000000480000-0x00000000004B0000-memory.dmp
memory/1320-23-0x00000000010B0000-0x00000000010E9000-memory.dmp
memory/1320-24-0x0000000006130000-0x00000000061BD000-memory.dmp