Analysis Overview
SHA256
578c13d534658db7cce4d141ad565d677564490ad6c48df24c1a853dcf6ce02c
Threat Level: Known bad
The file e265215c_extracted was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Masslogger family
MassLogger log file
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-02-16 17:42
Signatures
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Masslogger family
Analysis: behavioral1
Detonation Overview
Submitted
2021-02-16 17:42
Reported
2021-02-16 17:57
Platform
win7v20201028
Max time kernel
54s
Max time network
56s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.243.164.148:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | us2.smtp.mailhostbox.com | udp |
| N/A | 208.91.198.143:587 | us2.smtp.mailhostbox.com | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
Files
memory/792-2-0x00000000747A0000-0x0000000074E8E000-memory.dmp
memory/792-3-0x0000000000380000-0x0000000000381000-memory.dmp
memory/792-5-0x00000000045F0000-0x00000000045F1000-memory.dmp
memory/792-6-0x0000000000430000-0x0000000000431000-memory.dmp
memory/792-7-0x0000000004ED0000-0x0000000004F0E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-02-16 17:42
Reported
2021-02-16 17:57
Platform
win10v20201028
Max time kernel
61s
Max time network
127s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.8.19:443 | tcp | |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.142.93:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | us2.smtp.mailhostbox.com | udp |
| N/A | 208.91.199.225:587 | us2.smtp.mailhostbox.com | tcp |
Files
memory/1908-2-0x0000000073920000-0x000000007400E000-memory.dmp
memory/1908-3-0x00000000006E0000-0x00000000006E1000-memory.dmp
memory/1908-5-0x00000000055B0000-0x00000000055B1000-memory.dmp
memory/1908-7-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
memory/1908-6-0x00000000050A0000-0x00000000050A1000-memory.dmp
memory/1908-8-0x0000000005350000-0x0000000005351000-memory.dmp
memory/1908-9-0x0000000006160000-0x0000000006161000-memory.dmp
memory/1908-10-0x0000000006720000-0x0000000006721000-memory.dmp
memory/1908-11-0x0000000006970000-0x00000000069AE000-memory.dmp
memory/1908-12-0x0000000006A00000-0x0000000006A01000-memory.dmp
memory/1908-13-0x0000000006AF0000-0x0000000006AF1000-memory.dmp