Analysis Overview
SHA256: f488e64598dcd3caaf8d4725bc2e432b9f539da94b668f4cc16db02c33eb6912
Threat Level: Known bad
The file 6d622468_extracted was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger log file
Checks computer location settings
Looks up external IP address via web service
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2021-02-16 17:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2021-02-16 17:41
Reported: 2021-02-16 17:49
Platform: win7v20201028
Max time kernel: 153s
Max time network: 161s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.220.115:80 | api.ipify.org | tcp |
Files
memory/1848-2-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/1848-3-0x00000000011A0000-0x00000000011A1000-memory.dmp
memory/1848-5-0x0000000000F80000-0x0000000000F81000-memory.dmp
memory/1848-6-0x0000000000270000-0x0000000000271000-memory.dmp
memory/1848-7-0x0000000000630000-0x000000000066E000-memory.dmp
memory/1848-8-0x0000000000F85000-0x0000000000F96000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2021-02-16 17:41
Reported: 2021-02-16 17:49
Platform: win10v20201028
Max time kernel: 19s
Max time network: 115s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 412 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 412 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 412 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1324 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1324 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1324 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\6d622468_extracted.exe'
Network
Files
memory/412-2-0x0000000073970000-0x000000007405E000-memory.dmp
memory/412-3-0x0000000000FC0000-0x0000000000FC1000-memory.dmp
memory/412-6-0x0000000003370000-0x0000000003371000-memory.dmp
memory/412-5-0x0000000005940000-0x0000000005941000-memory.dmp
memory/412-7-0x0000000005E50000-0x0000000005E51000-memory.dmp
memory/412-8-0x0000000005950000-0x0000000005951000-memory.dmp
memory/412-9-0x00000000058E0000-0x000000000591E000-memory.dmp
memory/412-10-0x0000000005D60000-0x0000000005D61000-memory.dmp
memory/412-11-0x00000000063F0000-0x00000000063F1000-memory.dmp
memory/1324-12-0x0000000000000000-mapping.dmp
memory/2224-13-0x0000000000000000-mapping.dmp