Analysis Overview
SHA256
cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf
Threat Level: Known bad
The file cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-26 22:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-26 22:20
Reported
2022-04-01 23:24
Platform
win7-20220331-en
Max time kernel
98s
Max time network
47s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 900 set thread context of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
"C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\erSqxhZb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8363.tmp"
C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
"C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 624
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp8363.tmp
| MD5 | de1959ac1a25a82dfac0a34aaf179905 |
| SHA1 | 3c7ec6567ef854e7a41337221de39f2d074067b6 |
| SHA256 | 7dafdee29e1323f6907b04e160ebccbe0749566c0eaee85480fe78c2f95e4e4d |
| SHA512 | 9cec3691101719be04fc77b4fe618705e0fb00afe9ba2f62f084db1e7fbf7e56a409851792feb24e5740dc0f14896b2dfe39e5872c2b9083925fd80b8c799f4c |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-26 22:20
Reported
2022-04-01 23:24
Platform
win10v2004-20220331-en
Max time kernel
140s
Max time network
184s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1804 set thread context of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
"C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\erSqxhZb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAEE8.tmp"
C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe
"C:\Users\Admin\AppData\Local\Temp\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1972 -ip 1972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 904
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 20.189.173.2:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpAEE8.tmp
| MD5 | a4a57e62b28bbededa99ef140b692f85 |
| SHA1 | 22dd301f4dd30d61cdaa8b7760d10e0dd09276a0 |
| SHA256 | dba473aa6d96bc5911697574b262f50cecf573e132391b759327819c94f49415 |
| SHA512 | e19e6a989b7f526c286b8dc16e0625c40823ea21e1430097963459eb61c1fdc1abbd85320d3a34d89b777f838cc3ea1d9f9de12a3535136762c94b24e5f8f034 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cc30fad97d4048736e9df62d28161ff7a9303827819593b28f0f8498987d6edf.exe.log
| MD5 | 17573558c4e714f606f997e5157afaac |
| SHA1 | 13e16e9415ceef429aaf124139671ebeca09ed23 |
| SHA256 | c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553 |
| SHA512 | f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc |