Malware Analysis Report

2025-01-18 04:57

Sample ID: 220326-g421qahbh4
Target:    ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb
SHA256:    ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb
Tags:      masslogger, spyware, stealer
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score:  10/10
SHA256: ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb
Threat Level: Known bad

The file ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb was found to be: Known bad.

Malicious Activity Summary

Tags: masslogger, spyware, stealer

MassLogger
MassLogger Main Payload
Checks computer location settings (reads the current user's Geo\Nation registry value; details under behavioral2)
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash (in both runs the spawned copy of the sample crashed and was handled by WerFault.exe)
Suspicious use of WriteProcessMemory (the initial process writes repeatedly into a freshly spawned copy of its own image; together with SetThreadContext this pattern is consistent with process hollowing)
Creates scheduled task(s) (schtasks /Create from an XML definition dropped in the user's Temp directory)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken (enables SeDebugPrivilege)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-03-26 06:22

Signatures

None.

Analysis: behavioral1

Detonation Overview

Submitted: 2022-03-26 06:22
Reported:  2022-03-27 00:55
Platform:  win7-20220311-en
Max time kernel:  4294181s (implausible: about 49.7 days against a 123 s network window; the value matches a 32-bit millisecond counter wrapping around and should be treated as a sandbox artifact, not a runtime)
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe"

Signatures

MassLogger
Tags: stealer, spyware, masslogger

MassLogger Main Payload
6 hits; the sandbox recorded no description, indicator, process or target for them.

Enumerates physical storage devices
No details recorded.

Creates scheduled task(s)
Tags: persistence
Process: C:\Windows\SysWOW64\schtasks.exe

Suspicious use of AdjustPrivilegeToken
Description: Token: SeDebugPrivilege
Process: C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe

Suspicious use of WriteProcessMemory

Writer PID -> Target PID | Writes | Writer image -> Target image
1824 -> 1156 | 4 | ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe -> C:\Windows\SysWOW64\schtasks.exe
1824 -> 1752 | 4 | ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe -> ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe (second copy of the sample)
1824 -> 2008 | 9 | ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe -> ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe (third copy of the sample)
2008 -> 1168 | 4 | ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe -> C:\Windows\SysWOW64\WerFault.exe

The four writes into each newly created child (schtasks.exe, the copy with PID 1752, WerFault.exe) are the kind of writes CreateProcess itself produces when the parent fills in the child's process parameters, so that count alone is not evidence of injection. Only the nine writes from 1824 into 2008 go beyond it; 2008 is the copy whose 0x400000-0x54C000 image region is dumped repeatedly under Files and which later crashes.

Processes

C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe (PID 1824, initial sample)
  "C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe"

C:\Windows\SysWOW64\schtasks.exe (PID 1156, spawned by 1824)
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xCtDXgUtklECz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA9D.tmp"
  (The command line names System32, but the 32-bit parent is subject to WOW64 file-system redirection, so the image actually loaded is the SysWOW64 copy.)

C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe (PIDs 1752 and 2008, two copies spawned by 1824)
  "C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe"
  "C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe"

C:\Windows\SysWOW64\WerFault.exe (PID 1168, crash reporting for PID 2008)
  C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 624

Network

No network traffic was recorded in this run.

Files

Memory dumps from the initial process (PID 1824):
memory/1824-54-0x0000000000DA0000-0x0000000000FF2000-memory.dmp
memory/1824-55-0x0000000000530000-0x000000000054C000-memory.dmp
memory/1824-56-0x00000000059E0000-0x0000000005B66000-memory.dmp
memory/1824-57-0x0000000000800000-0x000000000080A000-memory.dmp
memory/1824-58-0x0000000005CC0000-0x0000000005E0E000-memory.dmp

PID 1156 (schtasks.exe):
memory/1156-59-0x0000000000000000-mapping.dmp

Dropped file: C:\Users\Admin\AppData\Local\Temp\tmpEA9D.tmp (the task definition passed to schtasks /XML)
MD5     9532ddfb9326feda568ba290651b0af9
SHA1    10f034bbb4cf055a90a29ba90f5a6e4f9d70a93a
SHA256  154e891eac48dc4c1b496dcc7c893bbea6f839ebab8c2fc687ceeab5047081a3
SHA512  f36d5d8825794f1234bb378f7a8036752030b02ebe72761a0080b081648e182bf60c3a279194a5321bcc01c08f6d4a87c7cafb0eb0a54611496db891b1ca3981

PID 2008 (the copy that received the nine writes; 0x400000-0x54C000 is its image region, dumped repeatedly as it was rewritten, and 0x54776E lies inside it):
memory/2008-61-0x0000000000400000-0x000000000054C000-memory.dmp
memory/2008-62-0x0000000000400000-0x000000000054C000-memory.dmp
memory/2008-64-0x0000000000400000-0x000000000054C000-memory.dmp
memory/2008-65-0x0000000000400000-0x000000000054C000-memory.dmp
memory/2008-66-0x0000000000400000-0x000000000054C000-memory.dmp
memory/2008-67-0x000000000054776E-mapping.dmp
memory/2008-69-0x0000000000400000-0x000000000054C000-memory.dmp
memory/2008-71-0x0000000000400000-0x000000000054C000-memory.dmp
memory/2008-72-0x00000000752C1000-0x00000000752C3000-memory.dmp

PID 1168 (WerFault.exe):
memory/1168-73-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-03-26 06:22
Reported:  2022-03-27 00:55
Platform:  win10v2004-en-20220113
Max time kernel:  142s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe"

Signatures

MassLogger
Tags: stealer, spyware, masslogger

MassLogger Main Payload
1 hit; no description, indicator, process or target recorded.

Checks computer location settings
Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe
(This is the current user's GeoID, a value stealers commonly read to skip or tailor execution by country. The Windows 7 run did not record this query.)

Enumerates physical storage devices
No details recorded.

Creates scheduled task(s)
Tags: persistence
Process: C:\Windows\SysWOW64\schtasks.exe

Suspicious behavior: EnumeratesProcesses
Process: C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe

Suspicious use of AdjustPrivilegeToken
Description: Token: SeDebugPrivilege
Process: C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe

Suspicious use of WriteProcessMemory

Writer PID -> Target PID | Writes | Writer image -> Target image
3144 -> 4292 | 3 | ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe -> C:\Windows\SysWOW64\schtasks.exe
3144 -> 3252 | 8 | ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe -> ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe (copy of the sample)

Same shape as the Windows 7 run: a few process-start writes into schtasks.exe, and a much larger number of writes into a freshly spawned copy of the sample's own image, which is the copy that later crashes.
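The two WriteProcessMemory tables above (behavioral1 and behavioral2) only become meaningful once the routine writes a parent makes into every new child are separated from the heavier write pattern into a same-image child. The script below is an added example and is not part of the sandbox report or of any MassLogger code: it aggregates constructed event lists taken from the two tables, and the baseline of four writes per spawned child is an assumption chosen from those tables rather than a sandbox constant.

```python
"""Separate ordinary process-start writes from injection in the
"PID A wrote to memory of B" events recorded by a sandbox.

Added example; not part of the sandbox report or of MassLogger.
The event lists are constructed from the two WriteProcessMemory tables on
this page. PROCESS_START_WRITES is an assumed cutoff, not a sandbox value.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the behavioral1 (Windows 7) table.
BEHAVIORAL1_IMAGES = {1824: SAMPLE, 1156: SCHTASKS, 1752: SAMPLE, 2008: SAMPLE, 1168: WERFAULT}
BEHAVIORAL1_WRITES = ([(1824, 1156)] * 4 + [(1824, 1752)] * 4
                      + [(1824, 2008)] * 9 + [(2008, 1168)] * 4)

# Constructed from the behavioral2 (Windows 10) table.
BEHAVIORAL2_IMAGES = {3144: SAMPLE, 4292: SCHTASKS, 3252: SAMPLE}
BEHAVIORAL2_WRITES = [(3144, 4292)] * 3 + [(3144, 3252)] * 8

# CreateProcess has the parent write the new child's process parameters into
# the child's address space, so a user-mode hook on WriteProcessMemory sees a
# few writes for every spawned child even when nothing is injected. Assumed
# cutoff, picked so that schtasks.exe and WerFault.exe fall under it.
PROCESS_START_WRITES = 4


@dataclass(frozen=True)
class Finding:
    writer: int
    target: int
    writes: int
    same_image: bool
    verdict: str


def classify_writes(events: List[Tuple[int, int]], images: Dict[int, str],
                    baseline: int = PROCESS_START_WRITES) -> List[Finding]:
    """Aggregate write events per (writer, target) pair and label each pair."""
    findings = []
    for (writer, target), n in sorted(Counter(events).items()):
        same_image = images.get(writer, "").lower() == images.get(target, "").lower()
        if n <= baseline:
            verdict = "process start: write count within CreateProcess baseline"
        elif same_image:
            # Many writes into a freshly spawned copy of the writer's own image is
            # the memory-write half of process hollowing; SetThreadContext on the
            # child's main thread is the other half.
            verdict = "possible process hollowing: heavy writes into same-image child"
        else:
            verdict = "possible code injection into a foreign process"
        findings.append(Finding(writer, target, n, same_image, verdict))
    return findings


def injected_pids(events: List[Tuple[int, int]], images: Dict[int, str],
                  baseline: int = PROCESS_START_WRITES) -> List[int]:
    """PIDs whose memory was written beyond the process-start baseline."""
    return [f.target for f in classify_writes(events, images, baseline) if f.writes > baseline]


if __name__ == "__main__":
    for name, events, images in (("behavioral1", BEHAVIORAL1_WRITES, BEHAVIORAL1_IMAGES),
                                 ("behavioral2", BEHAVIORAL2_WRITES, BEHAVIORAL2_IMAGES)):
        print(name)
        for f in classify_writes(events, images):
            print(f"  {f.writer} -> {f.target}: {f.writes:2d} writes, {f.verdict}")
```

On the data from this page the only pairs above the baseline are 1824 -> 2008 and 3144 -> 3252, the two copies of the sample that WerFault.exe later reports as crashed. The same aggregation applies to EDR telemetry that records cross-process writes, provided the baseline is re-measured on that sensor rather than copied from here.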

Processes

C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe (PID 3144, initial sample)
  "C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe"

C:\Windows\SysWOW64\schtasks.exe (PID 4292, spawned by 3144)
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xCtDXgUtklECz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF55A.tmp"
  (Same task name as in the Windows 7 run; only the temporary XML file name differs. System32 in the command line resolves to SysWOW64 through WOW64 redirection.)

C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe (PID 3252, copy spawned by 3144)
  "C:\Users\Admin\AppData\Local\Temp\ac4838da38ffb7ca95d3c7a6d4472577f8a37f575f68151db6c5aee8175bf8cb.exe"

C:\Windows\SysWOW64\WerFault.exe (crash reporting for PID 3252)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3252 -ip 3252
  C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 968
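Both runs persist through the same schtasks.exe invocation: a /Create that imports a task definition from a .tmp file in the user's Temp directory into an "Updates" task folder. The script below is an added example, not code from the sandbox report or from MassLogger; it parses Windows command lines the way a process-creation log would present them and flags that pattern. The sample lines are constructed from the two command lines on this page plus two benign ones for contrast, and the heuristics (Temp-directory import, .tmp definition, updater-style folder name) are assumptions, not sandbox rules.

```python
"""Flag schtasks.exe /Create invocations that install a task from an XML
definition dropped in a per-user Temp directory.

Added example; not code from the sandbox report or from MassLogger.
SAMPLE_COMMAND_LINES is constructed from the command lines on this page plus
two benign ones; the heuristics below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_COMMAND_LINES = [
    # behavioral1 and behavioral2 as recorded on this page
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xCtDXgUtklECz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA9D.tmp"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xCtDXgUtklECz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF55A.tmp"',
    # constructed benign administration for contrast
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" /TR "C:\Program Files\Backup\run.exe" /SC DAILY /ST 02:00',
    r'"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\xCtDXgUtklECz"',
]

# A token is either a double-quoted run (quotes stripped) or a bare word.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
USER_TEMP_RE = re.compile(r'\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.IGNORECASE)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace while honoring double quotes."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the switches of a schtasks.exe command line as {NAME: value}.

    A switch followed by another switch (e.g. /Create /TN) gets an empty value.
    Returns None when the image is not schtasks.exe.
    """
    tokens = tokenize(cmdline)
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    switches: Dict[str, str] = {}
    i = 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            name = tokens[i][1:].upper()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[name] = tokens[i + 1]
                i += 2
                continue
            switches[name] = ""
        i += 1
    return switches


@dataclass
class TaskFinding:
    task_name: str
    xml_path: Optional[str]
    reasons: List[str]


def assess_task_creation(cmdline: str) -> Optional[TaskFinding]:
    """Apply the heuristics to one /Create; None for non-create or non-schtasks lines."""
    sw = parse_schtasks(cmdline)
    if sw is None or "CREATE" not in sw:
        return None
    name, xml = sw.get("TN", ""), sw.get("XML")
    reasons = []
    if xml and USER_TEMP_RE.search(xml):
        reasons.append("task definition imported from a per-user Temp directory")
    if xml and xml.lower().endswith(".tmp"):
        reasons.append("task definition has a .tmp name, i.e. a throwaway file")
    if name.split("\\")[0].lower() in {"updates", "update"}:
        reasons.append("task folder mimics a software-update component")
    return TaskFinding(name, xml, reasons)


def suspicious_task_creations(cmdlines: List[str]) -> List[TaskFinding]:
    """Every /Create in the input whose XML import or naming trips a heuristic."""
    assessed = [assess_task_creation(c) for c in cmdlines]
    return [f for f in assessed if f is not None and f.reasons]


if __name__ == "__main__":
    for f in suspicious_task_creations(SAMPLE_COMMAND_LINES):
        print(f.task_name, f.xml_path)
        for r in f.reasons:
            print("  -", r)
```

Fed with process-creation command lines (Sysmon event 1 or Security event 4688 with command-line auditing enabled), this isolates the two malicious creations and ignores the benign backup task and the /Query. The temporary XML file is usually gone by the time an analyst looks, so the task name and the registered task's own XML (under the Updates folder) are the artifacts to pull from a live host.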

Network

Country  Destination       Domain  Proto
NL       178.79.208.1:80   (none)  tcp    (2 connections)

Plain HTTP to a bare IP address with no domain recorded in the capture; the Windows 7 run produced no network traffic at all.

Files

Memory dumps from the initial process (PID 3144):
memory/3144-130-0x0000000000970000-0x0000000000BC2000-memory.dmp
memory/3144-131-0x0000000005560000-0x00000000055FC000-memory.dmp
memory/3144-132-0x0000000005BB0000-0x0000000006154000-memory.dmp
memory/3144-133-0x00000000056A0000-0x0000000005732000-memory.dmp
memory/3144-134-0x0000000005610000-0x000000000561A000-memory.dmp
memory/3144-135-0x0000000005830000-0x0000000005886000-memory.dmp

PID 4292 (schtasks.exe):
memory/4292-136-0x0000000000000000-mapping.dmp

Dropped file: C:\Users\Admin\AppData\Local\Temp\tmpF55A.tmp (the task definition passed to schtasks /XML)
MD5     a48645a38b4bc3c66b5be7aa2511a98d
SHA1    ea74fdeb8ffaa1d72062daaac1a2e6a2e3c2a917
SHA256  d0357fb2af6b00d40a2438b0f480464bc28a01498d5f5c2e344e0edf6bef7099
SHA512  aa8bf4d5d8845c18722b6c0f47a2e4bfe06372eff92fb3fa56236fb8bd8cd220363c2f79f049a060e64faedfd91a43fcd13cc84f8bdc070b6c7b36dc75e0da52

The task XML dropped here hashes differently from the one in the Windows 7 run (tmpEA9D.tmp), so its hash is not a stable indicator; the task name Updates\xCtDXgUtklECz is identical in both runs.

PID 3252 (the copy that received the eight writes; 0x400000-0x54C000 is the same image region dumped in the Windows 7 run):
memory/3252-138-0x0000000000000000-mapping.dmp
memory/3252-139-0x0000000000400000-0x000000000054C000-memory.dmp