Analysis Overview
| SHA256 | d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb |
Threat Level: Known bad
The file d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Deletes itself
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Adds Run key to start application
outlook_office_path
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2022-03-29 20:25 |
Signatures
Analysis: behavioral2
Detonation Overview
| Submitted | 2022-03-29 20:25 |
| Reported | 2022-03-29 20:30 |
| Platform | win10v2004-en-20220113 |
| Max time kernel | 135s |
| Max time network | 140s |
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe
"C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.220.57.224:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 61f1b0f7ed8078e34675efc74cb3c0a3 |
| SHA1 | d3fd14214eb6dce82d0cd2e367b901d6ba226ff1 |
| SHA256 | bd118c65d4a63f38d16ca1da4741d13f58366aa170bec674b7a6e07e98de5bb5 |
| SHA512 | 4fb82e467e1b47468c859cb9c0474302c237e6eeee6465409e5249aff223e61e0f1a31daaa3a382b0034eb9315ce93a3b561c35c63418d7b0f0c140f5cd9a515 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 25604a2821749d30ca35877a7669dff9 |
| SHA1 | 49c624275363c7b6768452db6868f8100aa967be |
| SHA256 | 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476 |
| SHA512 | 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5 |
Analysis: behavioral1
Detonation Overview
| Submitted | 2022-03-29 20:25 |
| Reported | 2022-03-29 20:29 |
| Platform | win7-20220311-en |
| Max time kernel | 4294182s |
| Max time network | 124s |
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe
"C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.220.57.224:80 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 0ed34c8e69f217b4923791f548202cdd |
| SHA1 | 73bdc18f8be9c39f71027bb7ddb8532c1a1de799 |
| SHA256 | 3a6800472e202fa800e3499950485872cdafce3b0420f45514a8f099f99d52af |
| SHA512 | 3280132dde143d9b27cae785a642988edc8bb6ddbdc80ec45a0d36d832ae49bad043a20d54dd48bf92addf29b9b6fbb046871e2ee5fba4ee7e47239da0668af3 |