Analysis Overview
SHA256
cecdd448e827e1b016d186e420c1d53c35541fff488ea1211cc2e8b76dc9e38f
Threat Level: Known bad
The file 43d334c1_extracted was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger log file
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-02-16 17:41
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-02-16 17:41
Reported
2021-02-16 17:54
Platform
win10v20201028
Max time kernel
46s
Max time network
125s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 52.114.133.61:443 | | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.129.141:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | microtelculiacan.com.mx | udp |
| N/A | 162.214.94.194:587 | microtelculiacan.com.mx | tcp |
Files
memory/492-2-0x0000000073310000-0x00000000739FE000-memory.dmp
memory/492-3-0x0000000000B50000-0x0000000000B51000-memory.dmp
\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll
| MD5 | e81aeac387c5db32b7f9b07d15e788e0 |
| SHA1 | 829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3 |
| SHA256 | 44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06 |
| SHA512 | cc6a96325a01c50c059706a1f4156f109e502ef9c0b0f5de209d1f52e7cc973cebc027f57ed988e9d1b8fca62746b60ee7430d608de95cdd0e5ac3cb61fbe32e |
memory/492-6-0x0000000005CE0000-0x0000000005CE1000-memory.dmp
memory/492-7-0x00000000055D0000-0x00000000055D1000-memory.dmp
memory/492-8-0x0000000005400000-0x0000000005401000-memory.dmp
memory/492-9-0x0000000005680000-0x0000000005681000-memory.dmp
memory/492-10-0x00000000066D0000-0x00000000066D1000-memory.dmp
memory/492-11-0x0000000006EA0000-0x0000000006EA1000-memory.dmp
memory/492-12-0x0000000007AA0000-0x0000000007ADE000-memory.dmp
memory/492-13-0x0000000007B40000-0x0000000007B41000-memory.dmp
memory/492-14-0x0000000007B90000-0x0000000007B91000-memory.dmp
memory/492-15-0x0000000007EE0000-0x0000000007F6D000-memory.dmp
memory/492-16-0x0000000007F70000-0x0000000007FC9000-memory.dmp
memory/492-17-0x0000000007FE0000-0x0000000007FE1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-02-16 17:41
Reported
2021-02-16 17:54
Platform
win7v20201028
Max time kernel
48s
Max time network
123s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.129.141:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | microtelculiacan.com.mx | udp |
| N/A | 162.214.94.194:587 | microtelculiacan.com.mx | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
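Both behavioral runs (win10v20201028 above as behavioral2, win7v20201028 here as behavioral1) record the same chain from a single Temp-resident process: a query of `Control Panel\International\Geo\Nation`, a DLL loaded from the `Costura` cache under `%TEMP%`, a DNS lookup of `api.ipify.org`, and then a TCP connection to `microtelculiacan.com.mx:587` (587 is the SMTP submission port). Each step on its own is common in benign software; the value is in seeing them together, in that order, from one process. The following Python is an added example, not sandbox output and not part of the report: it scores constructed EDR/sandbox-style host events (the event schema and field names are assumptions, the indicator values are copied from the tables above) per process and flags the IP-lookup-then-submission-port sequence. Two benign processes are included as noise to show that single hits stay below the threshold.

```python
"""Correlate host events into the MassLogger-style chain recorded by the sandbox.

Added example; event schema and field names are assumptions, the indicator
values come from the report's signature and network tables.
"""
import re
from collections import defaultdict

# Indicators lifted from the report.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
IP_LOOKUP_HOSTS = {"api.ipify.org"}
SUBMISSION_PORTS = {587}  # TCP 587 is the SMTP submission port
COSTURA_RE = re.compile(r"\\Temp\\Costura\\[0-9A-F]{32}\\(32|64)\\[^\\]+\.dll$", re.IGNORECASE)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)

# Weight per behaviour. The chain matters; single hits are common in benign software.
WEIGHTS = {
    "exec_from_temp": 1,
    "geo_nation_query": 1,
    "costura_dll_load": 2,
    "external_ip_lookup": 2,
    "submission_port_connect": 3,
}

# Constructed events (not from the report). pid 492 mirrors the behavioral2 chain;
# pid 1200 is a mail client using port 587; pid 3300 is an installer reading the locale.
SAMPLE_EVENTS = [
    {"ts": "2021-02-16T17:41:02", "pid": 492, "type": "process_create",
     "image": r"C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe"},
    {"ts": "2021-02-16T17:41:03", "pid": 492, "type": "registry_query",
     "key": r"\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation"},
    {"ts": "2021-02-16T17:41:04", "pid": 492, "type": "image_load",
     "image_loaded": r"C:\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll"},
    {"ts": "2021-02-16T17:41:05", "pid": 492, "type": "dns_query", "query": "api.ipify.org"},
    {"ts": "2021-02-16T17:41:06", "pid": 492, "type": "net_connect",
     "dst_ip": "54.225.129.141", "dst_port": 80, "proto": "tcp"},
    {"ts": "2021-02-16T17:41:07", "pid": 492, "type": "net_connect",
     "dst_ip": "162.214.94.194", "dst_port": 587, "proto": "tcp"},
    {"ts": "2021-02-16T17:42:00", "pid": 1200, "type": "net_connect",
     "dst_ip": "203.0.113.25", "dst_port": 587, "proto": "tcp"},
    {"ts": "2021-02-16T17:43:00", "pid": 3300, "type": "process_create",
     "image": r"C:\Users\Admin\AppData\Local\Temp\setup_tool.exe"},
    {"ts": "2021-02-16T17:43:01", "pid": 3300, "type": "registry_query",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
]


def classify(ev):
    """Map one event to a behaviour tag, or None if it matches no indicator."""
    t = ev["type"]
    if t == "process_create" and TEMP_EXE_RE.search(ev["image"]):
        return "exec_from_temp"
    if t == "registry_query" and GEO_NATION_RE.search(ev["key"]):
        return "geo_nation_query"
    if t == "image_load" and COSTURA_RE.search(ev["image_loaded"]):
        return "costura_dll_load"
    if t == "dns_query" and ev["query"].lower() in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    if t == "net_connect" and ev["proto"] == "tcp" and ev["dst_port"] in SUBMISSION_PORTS:
        return "submission_port_connect"
    return None


def correlate(events):
    """Group tagged events by pid in time order and score each process."""
    per_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag:
            per_pid[ev["pid"]].append(tag)
    results = {}
    for pid, tags in per_pid.items():
        score = sum(WEIGHTS[t] for t in set(tags))
        # The order seen in the sandbox: external IP lookup, then SMTP submission.
        chain = ("external_ip_lookup" in tags and "submission_port_connect" in tags
                 and tags.index("external_ip_lookup") < tags.index("submission_port_connect"))
        results[pid] = {"tags": tags, "score": score, "ip_then_smtp": chain}
    return results


def flag(events, threshold=6):
    """Return pids that either cross the score threshold or show the lookup-then-submit order."""
    return [pid for pid, r in correlate(events).items()
            if r["score"] >= threshold or r["ip_then_smtp"]]


if __name__ == "__main__":
    for pid, r in correlate(SAMPLE_EVENTS).items():
        print(pid, r["score"], r["ip_then_smtp"], r["tags"])
    print("flagged:", flag(SAMPLE_EVENTS))
```

The ordering check is deliberately separate from the score: a mail client that also happens to look up its public IP would still be flagged, which is the right trade-off for a stealer family that posts its log over SMTP, while an installer that only reads the locale and runs from Temp scores 2 and stays quiet.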
Files
memory/1852-2-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/1852-3-0x00000000002B0000-0x00000000002B1000-memory.dmp
\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll
| MD5 | e81aeac387c5db32b7f9b07d15e788e0 |
| SHA1 | 829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3 |
| SHA256 | 44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06 |
| SHA512 | cc6a96325a01c50c059706a1f4156f109e502ef9c0b0f5de209d1f52e7cc973cebc027f57ed988e9d1b8fca62746b60ee7430d608de95cdd0e5ac3cb61fbe32e |
memory/1852-6-0x00000000021B0000-0x00000000021B1000-memory.dmp
memory/1852-7-0x0000000000450000-0x0000000000451000-memory.dmp
memory/1852-8-0x00000000022B0000-0x00000000022EE000-memory.dmp
memory/1852-9-0x00000000054D0000-0x000000000555D000-memory.dmp
memory/1852-10-0x0000000005B70000-0x0000000005BC9000-memory.dmp
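Both detonations dropped the same file at `\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll`, with identical MD5/SHA1/SHA256, and the "Loads dropped DLL" signature fires on it. The `Costura\<32 hex chars>\{32,64}\` layout is how Costura.Fody unpacks native libraries embedded in a .NET binary, and the cache ID is the same in both runs, so it is a stable property of this build rather than of the sandbox. The following Python is an added example, not part of the report: it hunts that layout under a Temp directory, hashes every DLL it finds, and checks the digests against the hashes from the Files section. The `demo()` helper builds a constructed cache tree with placeholder bytes so the code runs offline; the real DLL is not included. Note that `sqlite.interop.dll` is the native half of the System.Data.SQLite package and is also bundled by legitimate .NET applications, so a hash match identifies the artifact; the Temp-resident parent executable and the rest of the chain supply the verdict.

```python
"""Hunt Costura.Fody extraction caches under a Temp directory and check DLL hashes.

Added example; the known hashes are the report's values for sqlite.interop.dll.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Digests of the dropped DLL as recorded in the report's Files section.
KNOWN_DROP_HASHES = {
    "md5": "e81aeac387c5db32b7f9b07d15e788e0",
    "sha1": "829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3",
    "sha256": "44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06",
}
COSTURA_ID_RE = re.compile(r"^[0-9A-F]{32}$", re.IGNORECASE)


def hash_file(path, algos=("md5", "sha1", "sha256")):
    """Return {algo: hexdigest} for one file, reading it once in 1 MiB chunks."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def is_known_drop(digests):
    """True if any digest equals the report's value for the same algorithm."""
    return any(digests.get(a) == v for a, v in KNOWN_DROP_HASHES.items())


def hunt_costura(temp_root):
    """Walk <temp_root>/Costura/<32-hex>/{32,64}/*.dll and hash each DLL found."""
    hits = []
    costura = Path(temp_root) / "Costura"
    if not costura.is_dir():
        return hits
    for cache_dir in costura.iterdir():
        if not (cache_dir.is_dir() and COSTURA_ID_RE.match(cache_dir.name)):
            continue
        for arch in ("32", "64"):
            arch_dir = cache_dir / arch
            if not arch_dir.is_dir():
                continue
            for dll in sorted(arch_dir.glob("*.dll")):
                digests = hash_file(dll)
                hits.append({"path": str(dll), "cache_id": cache_dir.name.upper(),
                             "arch": arch, **digests, "known_drop": is_known_drop(digests)})
    return hits


def demo():
    """Build a constructed cache tree (placeholder bytes, not the real DLL) and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        drop = Path(tmp) / "Costura" / "8E3603ED8A0381E02887C1DBBE921340" / "32"
        drop.mkdir(parents=True)
        (drop / "sqlite.interop.dll").write_bytes(b"MZ" + b"\x00" * 64 + b"constructed placeholder")
        (Path(tmp) / "Costura" / "not-a-cache-id").mkdir()  # ignored: not 32 hex chars
        return hunt_costura(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(hit["cache_id"], hit["arch"], hit["sha256"], "known" if hit["known_drop"] else "unknown")
```

On a live host, point `hunt_costura` at each user's `%LOCALAPPDATA%\Temp`; a cache ID of `8E3603ED8A0381E02887C1DBBE921340` is a weak pivot to other samples from the same build even when the DLL hash is unremarkable.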