Analysis Overview
SHA256
6b35792d37ac6bb94a74d471840852812de8b2b67f09f3cb32e2a0e6d4d699e3
Threat Level: Known bad
The file DHL_Dec 2021 at 8.N_91B7290_PDF.exe was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Reads user/profile data of web browsers
Checks computer location settings
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-01-11 12:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-01-11 12:08
Reported
2021-01-11 12:10
Platform
win7v20201028
Max time kernel
16s
Max time network
114s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1824 set thread context of 1332 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe"
C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.142.93:80 | api.ipify.org | tcp |
Files
memory/1824-2-0x0000000073980000-0x000000007406E000-memory.dmp
memory/1824-3-0x0000000000FF0000-0x0000000000FF1000-memory.dmp
memory/1824-5-0x0000000004D10000-0x0000000004DBE000-memory.dmp
memory/1824-6-0x0000000000420000-0x000000000042F000-memory.dmp
memory/1332-7-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1332-8-0x0000000000481E9E-mapping.dmp
memory/1332-9-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1332-10-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1332-11-0x0000000073980000-0x000000007406E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-01-11 12:08
Reported
2021-01-11 12:10
Platform
win10v20201028
Max time kernel
16s
Max time network
112s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 644 set thread context of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe"
C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.142.93:80 | api.ipify.org | tcp |
Files
memory/644-2-0x0000000073F80000-0x000000007466E000-memory.dmp
memory/644-3-0x00000000009C0000-0x00000000009C1000-memory.dmp
memory/644-5-0x0000000005980000-0x0000000005981000-memory.dmp
memory/644-6-0x0000000005480000-0x0000000005481000-memory.dmp
memory/644-7-0x00000000053E0000-0x00000000053E1000-memory.dmp
memory/644-8-0x0000000008990000-0x0000000008A3E000-memory.dmp
memory/644-9-0x0000000008A40000-0x0000000008A41000-memory.dmp
memory/644-10-0x0000000008E30000-0x0000000008E31000-memory.dmp
memory/644-11-0x0000000005970000-0x000000000597F000-memory.dmp
memory/2924-12-0x0000000000400000-0x0000000000486000-memory.dmp
memory/2924-13-0x0000000000481E9E-mapping.dmp
memory/2924-14-0x0000000073F80000-0x000000007466E000-memory.dmp
memory/2924-19-0x0000000005FE0000-0x0000000005FE1000-memory.dmp
memory/2924-20-0x00000000068E0000-0x00000000068E1000-memory.dmp