Malware Analysis Report

2025-01-18 04:57

Sample ID 220326-19cskaeddl
Target cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf
SHA256 cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf
Tags
masslogger spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf

Threat Level: Known bad

The file cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf was found to be: Known bad.

Malicious Activity Summary

masslogger spyware stealer

MassLogger

MassLogger Main Payload

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-26 22:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-26 22:20

Reported

2022-04-01 23:24

Platform

win7-20220331-en

Max time kernel

98s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 900 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 900 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 900 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 900 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 900 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 900 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 900 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 900 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 900 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 900 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 900 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 900 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 900 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 1988 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1988 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1988 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1988 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe

"C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\erSqxhZb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8363.tmp"

C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe

"C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 624

Network

N/A

Files

memory/900-54-0x0000000000870000-0x0000000000994000-memory.dmp

memory/900-55-0x0000000000390000-0x00000000003AA000-memory.dmp

memory/900-56-0x0000000005510000-0x00000000055D4000-memory.dmp

memory/900-57-0x00000000055D0000-0x000000000565C000-memory.dmp

memory/2020-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8363.tmp

MD5 de1959ac1a25a82dfac0a34aaf179905
SHA1 3c7ec6567ef854e7a41337221de39f2d074067b6
SHA256 7dafdee29e1323f6907b04e160ebccbe0749566c0eaee85480fe78c2f95e4e4d
SHA512 9cec3691101719be04fc77b4fe618705e0fb00afe9ba2f62f084db1e7fbf7e56a409851792feb24e5740dc0f14896b2dfe39e5872c2b9083925fd80b8c799f4c

memory/1988-60-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1988-61-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1988-63-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1988-70-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1988-68-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1988-66-0x000000000048703E-mapping.dmp

memory/1988-65-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1988-71-0x00000000754A1000-0x00000000754A3000-memory.dmp

memory/1988-64-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1324-72-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-26 22:20

Reported

2022-04-01 23:24

Platform

win10v2004-20220331-en

Max time kernel

140s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1804 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1804 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1804 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1804 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 1804 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 1804 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 1804 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 1804 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 1804 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 1804 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
PID 1804 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe

"C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\erSqxhZb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAEE8.tmp"

C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe

"C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1972 -ip 1972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 904

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 20.189.173.2:443 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 131.253.33.203:80 | | tcp

Files

memory/1804-124-0x0000000000620000-0x0000000000744000-memory.dmp

memory/1804-125-0x00000000050E0000-0x000000000517C000-memory.dmp

memory/1804-126-0x0000000005730000-0x0000000005CD4000-memory.dmp

memory/1804-127-0x0000000005220000-0x00000000052B2000-memory.dmp

memory/1804-128-0x0000000005190000-0x000000000519A000-memory.dmp

memory/1804-129-0x0000000005450000-0x00000000054A6000-memory.dmp

memory/4788-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAEE8.tmp

MD5 a4a57e62b28bbededa99ef140b692f85
SHA1 22dd301f4dd30d61cdaa8b7760d10e0dd09276a0
SHA256 dba473aa6d96bc5911697574b262f50cecf573e132391b759327819c94f49415
SHA512 e19e6a989b7f526c286b8dc16e0625c40823ea21e1430097963459eb61c1fdc1abbd85320d3a34d89b777f838cc3ea1d9f9de12a3535136762c94b24e5f8f034

memory/1972-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

memory/1972-133-0x0000000000400000-0x000000000048C000-memory.dmp