Malware Analysis Report

2025-04-14 05:15

Sample ID 210216-qyypsypzpj
Target 6d622468_extracted
SHA256 f488e64598dcd3caaf8d4725bc2e432b9f539da94b668f4cc16db02c33eb6912
Tags
masslogger ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f488e64598dcd3caaf8d4725bc2e432b9f539da94b668f4cc16db02c33eb6912

Threat Level: Known bad

The file 6d622468_extracted was found to be: Known bad.

Malicious Activity Summary

masslogger ransomware spyware stealer

MassLogger

MassLogger log file

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-02-16 17:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-02-16 17:41

Reported

2021-02-16 17:49

Platform

win7v20201028

Max time kernel

153s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe

"C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.225.220.115:80 api.ipify.org tcp

Files

memory/1848-2-0x00000000743D0000-0x0000000074ABE000-memory.dmp

memory/1848-3-0x00000000011A0000-0x00000000011A1000-memory.dmp

memory/1848-5-0x0000000000F80000-0x0000000000F81000-memory.dmp

memory/1848-6-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1848-7-0x0000000000630000-0x000000000066E000-memory.dmp

memory/1848-8-0x0000000000F85000-0x0000000000F96000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-02-16 17:41

Reported

2021-02-16 17:49

Platform

win10v20201028

Max time kernel

19s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe

"C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe'

Network

N/A

Files

memory/412-2-0x0000000073970000-0x000000007405E000-memory.dmp

memory/412-3-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/412-6-0x0000000003370000-0x0000000003371000-memory.dmp

memory/412-5-0x0000000005940000-0x0000000005941000-memory.dmp

memory/412-7-0x0000000005E50000-0x0000000005E51000-memory.dmp

memory/412-8-0x0000000005950000-0x0000000005951000-memory.dmp

memory/412-9-0x00000000058E0000-0x000000000591E000-memory.dmp

memory/412-10-0x0000000005D60000-0x0000000005D61000-memory.dmp

memory/412-11-0x00000000063F0000-0x00000000063F1000-memory.dmp

memory/1324-12-0x0000000000000000-mapping.dmp

memory/2224-13-0x0000000000000000-mapping.dmp