Analysis Overview
SHA256
2d30797c2998eb1b5bdf78d44c3f3bc16d0a990a0e93a5c54656ac1bc4b63d9d
Threat Level: Known bad
The file e45e5e69_extracted was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger log file
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Looks up external IP address via web service
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-02-16 17:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-02-16 17:42
Reported
2021-02-16 17:57
Platform
win7v20201028
Max time kernel
19s
Max time network
17s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.76.253:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | smtp.dachanq.cc | udp |
| N/A | 208.91.199.223:587 | smtp.dachanq.cc | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
Files
memory/1888-2-0x0000000074320000-0x0000000074A0E000-memory.dmp
memory/1888-3-0x0000000000C00000-0x0000000000C01000-memory.dmp
\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll
| MD5 | e81aeac387c5db32b7f9b07d15e788e0 |
| SHA1 | 829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3 |
| SHA256 | 44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06 |
| SHA512 | cc6a96325a01c50c059706a1f4156f109e502ef9c0b0f5de209d1f52e7cc973cebc027f57ed988e9d1b8fca62746b60ee7430d608de95cdd0e5ac3cb61fbe32e |
memory/1888-6-0x00000000023E0000-0x00000000023E1000-memory.dmp
memory/1888-7-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/1888-8-0x0000000000A90000-0x0000000000ACE000-memory.dmp
memory/1888-9-0x0000000000380000-0x000000000040D000-memory.dmp
memory/1888-10-0x0000000004D90000-0x0000000004DE9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-02-16 17:42
Reported
2021-02-16 17:57
Platform
win10v20201028
Max time kernel
17s
Max time network
116s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.8.21:443 | tcp | |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.142.93:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | smtp.dachanq.cc | udp |
| N/A | 208.91.199.223:587 | smtp.dachanq.cc | tcp |
Files
memory/3108-2-0x00000000739A0000-0x000000007408E000-memory.dmp
memory/3108-3-0x0000000000310000-0x0000000000311000-memory.dmp
\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll
| MD5 | e81aeac387c5db32b7f9b07d15e788e0 |
| SHA1 | 829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3 |
| SHA256 | 44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06 |
| SHA512 | cc6a96325a01c50c059706a1f4156f109e502ef9c0b0f5de209d1f52e7cc973cebc027f57ed988e9d1b8fca62746b60ee7430d608de95cdd0e5ac3cb61fbe32e |
memory/3108-6-0x0000000004D00000-0x0000000004D01000-memory.dmp
memory/3108-7-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
memory/3108-8-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
memory/3108-9-0x00000000056F0000-0x00000000056F1000-memory.dmp
memory/3108-10-0x0000000005D60000-0x0000000005D61000-memory.dmp
memory/3108-11-0x00000000064C0000-0x00000000064C1000-memory.dmp
memory/3108-12-0x00000000072E0000-0x000000000731E000-memory.dmp
memory/3108-13-0x0000000008320000-0x0000000008321000-memory.dmp
memory/3108-14-0x000000000B0B0000-0x000000000B0B1000-memory.dmp
memory/3108-15-0x0000000007320000-0x00000000073AD000-memory.dmp
memory/3108-16-0x00000000073B0000-0x0000000007409000-memory.dmp
memory/3108-17-0x0000000007410000-0x0000000007411000-memory.dmp