Malware Analysis Report

2025-01-18 04:57

Sample ID 220329-y7hjxsehhr
Target d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb
SHA256 d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb
Tags
collection persistence spyware stealer masslogger
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb

Threat Level: Known bad

The file d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb was found to be: Known bad.

Malicious Activity Summary

collection persistence spyware stealer masslogger

MassLogger

MassLogger Main Payload

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Adds Run key to start application

outlook_office_path

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-29 20:25

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-29 20:25

Reported

2022-03-29 20:30

Platform

win10v2004-en-20220113

Max time kernel

135s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe

"C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp

Files

memory/1360-130-0x0000000000560000-0x0000000000632000-memory.dmp

memory/1360-131-0x0000000005510000-0x0000000005AB4000-memory.dmp

memory/1360-132-0x0000000004F60000-0x0000000004FF2000-memory.dmp

memory/1360-133-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

memory/1360-134-0x0000000008330000-0x0000000008396000-memory.dmp

memory/2512-135-0x0000000000000000-mapping.dmp

memory/1360-136-0x0000000008760000-0x00000000087B0000-memory.dmp

memory/1360-138-0x0000000008850000-0x00000000088EC000-memory.dmp

memory/2512-137-0x00000000044A0000-0x00000000044D6000-memory.dmp

memory/2512-139-0x0000000004B20000-0x0000000005148000-memory.dmp

memory/2512-140-0x0000000004AD0000-0x0000000004AF2000-memory.dmp

memory/2512-141-0x00000000052C0000-0x0000000005326000-memory.dmp

memory/1360-142-0x0000000004F60000-0x0000000005504000-memory.dmp

memory/1292-143-0x0000000000000000-mapping.dmp

memory/2512-144-0x00000000047C0000-0x00000000047DE000-memory.dmp

memory/2512-145-0x0000000006070000-0x00000000060A2000-memory.dmp

memory/1292-146-0x0000000007050000-0x00000000076CA000-memory.dmp

memory/1292-148-0x0000000005EB0000-0x0000000005ECA000-memory.dmp

memory/2512-150-0x00000000044E5000-0x00000000044E7000-memory.dmp

memory/2512-149-0x0000000006010000-0x000000000602E000-memory.dmp

memory/2512-147-0x0000000070480000-0x00000000704CC000-memory.dmp

memory/1292-151-0x0000000002175000-0x0000000002177000-memory.dmp

memory/2512-152-0x0000000006DF0000-0x0000000006DFA000-memory.dmp

memory/2512-153-0x0000000007000000-0x0000000007096000-memory.dmp

memory/1292-154-0x00000000069D0000-0x00000000069F2000-memory.dmp

memory/2512-155-0x0000000006FB0000-0x0000000006FBE000-memory.dmp

memory/2512-156-0x00000000070C0000-0x00000000070DA000-memory.dmp

memory/2512-157-0x00000000070A0000-0x00000000070A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 61f1b0f7ed8078e34675efc74cb3c0a3
SHA1 d3fd14214eb6dce82d0cd2e367b901d6ba226ff1
SHA256 bd118c65d4a63f38d16ca1da4741d13f58366aa170bec674b7a6e07e98de5bb5
SHA512 4fb82e467e1b47468c859cb9c0474302c237e6eeee6465409e5249aff223e61e0f1a31daaa3a382b0034eb9315ce93a3b561c35c63418d7b0f0c140f5cd9a515

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 25604a2821749d30ca35877a7669dff9
SHA1 49c624275363c7b6768452db6868f8100aa967be
SHA256 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-29 20:25

Reported

2022-03-29 20:29

Platform

win7-20220311-en

Max time kernel

4294182s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe

"C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\d90e61034a0d2a070caa0f70c4cf5b42dfe9ba973ec1294d3bed0b8507e99cfb.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp

Files

memory/1992-54-0x00000000010B0000-0x0000000001182000-memory.dmp

memory/1992-55-0x0000000000FD0000-0x000000000103A000-memory.dmp

memory/1992-56-0x0000000004B40000-0x0000000004BCC000-memory.dmp

memory/544-57-0x0000000000000000-mapping.dmp

memory/544-58-0x0000000074C61000-0x0000000074C63000-memory.dmp

memory/1992-59-0x0000000004D25000-0x0000000004D36000-memory.dmp

memory/544-60-0x000000006EA50000-0x000000006EFFB000-memory.dmp

memory/544-61-0x00000000023F0000-0x000000000303A000-memory.dmp

memory/1924-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 0ed34c8e69f217b4923791f548202cdd
SHA1 73bdc18f8be9c39f71027bb7ddb8532c1a1de799
SHA256 3a6800472e202fa800e3499950485872cdafce3b0420f45514a8f099f99d52af
SHA512 3280132dde143d9b27cae785a642988edc8bb6ddbdc80ec45a0d36d832ae49bad043a20d54dd48bf92addf29b9b6fbb046871e2ee5fba4ee7e47239da0668af3

memory/1924-65-0x000000006EA50000-0x000000006EFFB000-memory.dmp