Malware Analysis Report

2025-01-18 04:59

Sample ID 220329-2ef26scbe3
Target be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa
SHA256 be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa
Tags
masslogger collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa

Threat Level: Known bad

The file be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger

MassLogger Main Payload

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious use of WriteProcessMemory

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-29 22:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-29 22:29

Reported

2022-04-01 00:52

Platform

win7-20220331-en

Max time kernel

132s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 620 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 620 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 620 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 620 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 620 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 620 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 620 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 620 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 620 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 1680 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe

"C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe"

C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe

"C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 sunlightgrace.eu udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 190057ef9d4350aa491a3f2dee41d9c0
SHA1 73975d1448cc234cd99d4e7bf59ca2f3e81af0c8
SHA256 1862356921774cac1212d14f7228ecdbefc0872b8c2730c945bac7f3afe6b9e8
SHA512 2983118a72434e980b878bbe43ad1ea7a3ed4be6bcb12c2ed653c0a45fcf6e7c0a46fa574e0dbb7b1523b22947bbd02f34793b9697d9d96ca2eb9c035665b31b

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-29 22:29

Reported

2022-04-01 00:52

Platform

win10v2004-20220331-en

Max time kernel

124s

Max time network

180s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 876 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 876 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 876 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 876 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 876 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 876 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 876 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 876 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe
PID 4772 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe

"C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe"

C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe

"C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe'

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 20.189.173.13:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 204.79.197.203:80 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\be3d01b35638bd7753f8148e4ec76efd8518a0d8b31c5e2f1e63489e59701aaa.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
