Analysis Overview
SHA256: 828a9fae03e6a20158c58a659f27371fbe9a836199a3327fe5ef457115cf0206
Threat Level: Known bad
The file PO 202108 FOR JANUARY 2021.exe was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
MassLogger log file
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2020-12-31 07:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2020-12-31 07:51
Reported: 2020-12-31 07:53
Platform: win7v20201028
Max time kernel: 123s
Max time network: 129s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 792 set thread context of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | "C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NGgqNkUr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7A1.tmp" |
| C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | "C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.220.115:80 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpE7A1.tmp
| Hash | Value |
| --- | --- |
| MD5 | 3b5135f322ed389de1d6926d9a97cb4a |
| SHA1 | 912d8fa4f3f8d1fe2c3248a143444e255286f114 |
| SHA256 | f7a8cb25f1b56a46889475de75a7fa1dac38210cc5d3ff920efc618fa8e28c7f |
| SHA512 | 9c04fc7e6da45a069c3fde775945fa7cfe56352364c1e1f602a01a91992960ef1521120351779d58f88e7545f68191a595f94ba904d37f2e0a212c4b2f033a77 |
Analysis: behavioral2
Detonation Overview
Submitted: 2020-12-31 07:51
Reported: 2020-12-31 07:53
Platform: win10v20201028
Max time kernel: 71s
Max time network: 113s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4048 set thread context of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | "C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NGgqNkUr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF93A.tmp" |
| C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | "C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe" |
| C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe | "C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe' & exit |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe' |
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmpF93A.tmp
| Hash | Value |
| --- | --- |
| MD5 | 5ccfcef2e39a3206f0e22a059354f368 |
| SHA1 | 7f9aefaee8a5a3aef18e5c0f18a589a8f5347097 |
| SHA256 | 02b39689ab4e3d4c5febd7f808265a95054d0c8152da91fa988bbecc83fe5725 |
| SHA512 | 9c46ee8ffc5a33332acb9d28eb51cd85f6b06303aa04ff964d22ac17b5a57a8fc51b9805602277dea59f470c7bef94ca1a3640cda6aa6a649c89218ff607a523 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO 202108 FOR JANUARY 2021.exe.log
| Hash | Value |
| --- | --- |
| MD5 | c3cc52ccca9ff2b6fa8d267fc350ca6b |
| SHA1 | a68d4028333296d222e4afd75dea36fdc98d05f3 |
| SHA256 | 3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e |
| SHA512 | b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7 |