Analysis Overview
SHA256
9eb4a882832362dbb1d183cd5d4f916f3e8d8cef86fd99bddb0cc14b19bc2b57
Threat Level: Known bad
The file 7379d1bbf5b0a85cade31143413cf9e6.exe was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
Reads user/profile data of web browsers
Checks computer location settings
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-12-16 08:21
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2020-12-16 08:21
Reported
2020-12-16 08:23
Platform
win10v20201028
Max time kernel
13s
Max time network
117s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3008 set thread context of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe
"C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe"
C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe
"C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe"
C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe
"C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe"
C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe
"C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1104
Network
| Country | Destination | Domain | Proto |
| N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.189.250:80 | api.ipify.org | tcp |
Files
memory/3008-2-0x00000000733A0000-0x0000000073A8E000-memory.dmp
memory/3008-3-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
memory/3008-5-0x00000000120B0000-0x00000000120B1000-memory.dmp
memory/3008-6-0x0000000011CB0000-0x0000000011CB1000-memory.dmp
memory/3008-7-0x0000000005C50000-0x0000000005C51000-memory.dmp
memory/3008-8-0x0000000005BF0000-0x0000000005BF1000-memory.dmp
memory/3008-9-0x0000000005CF0000-0x0000000005D7F000-memory.dmp
memory/2576-10-0x0000000000400000-0x0000000000486000-memory.dmp
memory/2576-11-0x000000000048162E-mapping.dmp
memory/2576-12-0x00000000733A0000-0x0000000073A8E000-memory.dmp
memory/1004-15-0x0000000004F20000-0x0000000004F21000-memory.dmp
memory/1004-18-0x00000000056E0000-0x00000000056E1000-memory.dmp
memory/2576-21-0x0000000006600000-0x0000000006601000-memory.dmp
memory/2576-22-0x0000000006F00000-0x0000000006F01000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2020-12-16 08:21
Reported
2020-12-16 08:23
Platform
win7v20201028
Max time kernel
125s
Max time network
126s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1360 set thread context of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe
"C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe"
C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe
"C:\Users\Admin\AppData\Local\Temp\7379d1bbf5b0a85cade31143413cf9e6.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 632
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.189.250:80 | api.ipify.org | tcp |
Files
memory/1360-2-0x0000000074520000-0x0000000074C0E000-memory.dmp
memory/1360-3-0x0000000000EA0000-0x0000000000EA1000-memory.dmp
memory/1360-5-0x0000000000D70000-0x0000000000DFF000-memory.dmp
memory/1116-6-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1116-7-0x000000000048162E-mapping.dmp
memory/1116-8-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1116-9-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1116-10-0x0000000074520000-0x0000000074C0E000-memory.dmp
memory/1916-13-0x0000000000000000-mapping.dmp
memory/1916-14-0x0000000001D90000-0x0000000001DA1000-memory.dmp
memory/1916-17-0x0000000002570000-0x0000000002581000-memory.dmp