Malware Analysis Report

2025-04-14 05:16

Sample ID 210216-ljalvrarxe
Target cec2799b_extracted
SHA256 3c281c72cc38c73345d2ad592d840abd5264816543659e4f69517da8c0a453d8
Tags
masslogger ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

3c281c72cc38c73345d2ad592d840abd5264816543659e4f69517da8c0a453d8

Threat Level: Known bad

The file cec2799b_extracted was found to be: Known bad.

Malicious Activity Summary

masslogger ransomware spyware stealer

MassLogger

MassLogger log file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-02-16 17:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-02-16 17:42

Reported

2021-02-16 17:55

Platform

win7v20201028

Max time kernel

38s

Max time network

32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1552 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1552 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1552 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 832 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 832 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 832 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 832 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 832 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 832 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 832 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 832 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe

"C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2BE1.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 50.19.252.36:80 api.ipify.org tcp

Files

memory/1340-2-0x0000000074480000-0x0000000074B6E000-memory.dmp

memory/1340-3-0x00000000012D0000-0x00000000012D1000-memory.dmp

memory/1340-5-0x0000000001260000-0x0000000001261000-memory.dmp

memory/1340-6-0x0000000000330000-0x0000000000331000-memory.dmp

memory/1552-7-0x0000000000000000-mapping.dmp

memory/832-8-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2BE1.tmp.bat

MD5 2bbe31180cf6c52161fd0d848da85a66
SHA1 cfc9ea9225c1bbe20fc396d1a87c0d8fc82237ce
SHA256 92687cedb9c2b3d04c59563714394722b33bc11c567058a11e6b65f9b9458523
SHA512 c52cd554733cf87bcb9ab3d9c634fa0686dcf07860299a825e5693ba42e0d6fae244483e5c0cd11eb58f41e10d9a59522b07e2baff623efc9527736627898653

memory/1616-10-0x0000000000000000-mapping.dmp

memory/1044-11-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

MD5 52a0832b694f1c58d2ecadaf6d4afe90
SHA1 27cb1d4571f36fce5c936386edcdc10d72126867
SHA256 3c281c72cc38c73345d2ad592d840abd5264816543659e4f69517da8c0a453d8
SHA512 ac5a4a2218316f3117cf1752e24f602d1a19bc1c3003c7233a3549b0e6d027de93f1e518e386ca53fbac6eb57f7d1252e1b884ca1c33d3fedd686beb23fed7bc

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

MD5 52a0832b694f1c58d2ecadaf6d4afe90
SHA1 27cb1d4571f36fce5c936386edcdc10d72126867
SHA256 3c281c72cc38c73345d2ad592d840abd5264816543659e4f69517da8c0a453d8
SHA512 ac5a4a2218316f3117cf1752e24f602d1a19bc1c3003c7233a3549b0e6d027de93f1e518e386ca53fbac6eb57f7d1252e1b884ca1c33d3fedd686beb23fed7bc

memory/1916-14-0x0000000000000000-mapping.dmp

memory/1916-16-0x0000000073760000-0x0000000073E4E000-memory.dmp

memory/1916-17-0x0000000000A60000-0x0000000000A61000-memory.dmp

memory/1916-19-0x0000000004B30000-0x0000000004B31000-memory.dmp

memory/1916-20-0x00000000004B0000-0x00000000004B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\60F5850B53\Log.txt

MD5 8ccbba37480c2cd7ae85b9738a9caa88
SHA1 9369e6419a2dd2559069fde9924d1baa54a2ba77
SHA256 06a0f1d3d867db138266106837531afaf03872cfd60e7459c8559e2dc43b3a44
SHA512 cb9b870e3882697a14a15664fa0ba1d2fcb8e5974f34d000792803aad99b7682b2fd2465abc04db3912470681d9bb6352450c5229d390c095cdb3ec372658470

Analysis: behavioral2

Detonation Overview

Submitted

2021-02-16 17:42

Reported

2021-02-16 17:55

Platform

win10v20201028

Max time kernel

40s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3584 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2952 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2952 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 1336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2304 wrote to memory of 1336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2304 wrote to memory of 1336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2304 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 2304 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 2304 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe

"C:\Users\Admin\AppData\Local\Temp\cec2799b_extracted.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFB0.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.225.129.141:80 api.ipify.org tcp

Files

memory/3584-2-0x0000000073900000-0x0000000073FEE000-memory.dmp

memory/3584-3-0x0000000000A60000-0x0000000000A61000-memory.dmp

memory/3584-5-0x0000000005660000-0x0000000005661000-memory.dmp

memory/3584-6-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

memory/3584-7-0x0000000005570000-0x0000000005571000-memory.dmp

memory/3584-8-0x0000000005B70000-0x0000000005B71000-memory.dmp

memory/3584-9-0x0000000006420000-0x0000000006421000-memory.dmp

memory/2952-10-0x0000000000000000-mapping.dmp

memory/2304-11-0x0000000000000000-mapping.dmp

memory/2808-13-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFB0.tmp.bat

MD5 ef4e2ff032226390ca2691d33016ad21
SHA1 e24f76cb47d3308edb649877a3db9cdc5d54ec0e
SHA256 985289eae251261f4b65462d4cfefb0df32eb6c320474a3adef3c003cc693ed8
SHA512 0f23069a21c76bae641f18114e9bb8b8cb429ba4a0940833359ffe742c3fe686e49762ba1f30bd7276bd892ebca6eb521cf3af8705df230f0f9313c8ac631461

memory/1336-14-0x0000000000000000-mapping.dmp

memory/2072-15-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

MD5 52a0832b694f1c58d2ecadaf6d4afe90
SHA1 27cb1d4571f36fce5c936386edcdc10d72126867
SHA256 3c281c72cc38c73345d2ad592d840abd5264816543659e4f69517da8c0a453d8
SHA512 ac5a4a2218316f3117cf1752e24f602d1a19bc1c3003c7233a3549b0e6d027de93f1e518e386ca53fbac6eb57f7d1252e1b884ca1c33d3fedd686beb23fed7bc

memory/2072-18-0x00000000738F0000-0x0000000073FDE000-memory.dmp

memory/2072-21-0x0000000005410000-0x0000000005411000-memory.dmp

memory/2072-22-0x00000000051A0000-0x00000000051A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7C372DB998\Log.txt

MD5 c9200096d2fc537d2edaadeb2e121353
SHA1 e34866d6afda4b5c16689bce79a06ff138df0ef9
SHA256 b0dbea6b883e25b1cb5822f08223b8df133d78354d0739cee2e0373f48556286
SHA512 97201c1019d7b4781830ec5f243eed967fa5a9eb065f7d0a7104cb6725d9c69564618cd4f7231df903354561b9cfb889eb55530db265df29fb290b50ad1f94e8