Analysis Overview
SHA256
e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7
Threat Level: Known bad
The file e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7 was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Suspicious use of SetThreadContext
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-03-30 10:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-30 10:01
Reported
2022-04-01 17:24
Platform
win7-20220331-en
Max time kernel
75s
Max time network
48s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1056 set thread context of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe | C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe
"C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe"
C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 620
Network
Files
memory/1056-54-0x00000000011F0000-0x00000000012AE000-memory.dmp
memory/1056-55-0x0000000000A10000-0x0000000000A2C000-memory.dmp
memory/1056-56-0x0000000008260000-0x0000000008316000-memory.dmp
memory/2044-57-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2044-58-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2044-60-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2044-61-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2044-63-0x0000000000486FDE-mapping.dmp
memory/2044-62-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2044-65-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2044-67-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2044-68-0x0000000075B01000-0x0000000075B03000-memory.dmp
memory/1916-69-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-30 10:01
Reported
2022-04-01 17:25
Platform
win10v2004-20220310-en
Max time kernel
140s
Max time network
131s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1768 set thread context of 4180 | N/A | C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe | C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe
"C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe"
C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4180 -ip 4180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 968
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| NL | 104.80.229.204:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
Files
memory/1768-134-0x0000000000730000-0x00000000007EE000-memory.dmp
memory/1768-135-0x0000000005660000-0x0000000005C04000-memory.dmp
memory/1768-136-0x0000000005190000-0x0000000005222000-memory.dmp
memory/1768-137-0x0000000005340000-0x000000000534A000-memory.dmp
memory/1768-138-0x0000000008D70000-0x000000000929C000-memory.dmp
memory/1768-139-0x00000000088F0000-0x000000000898C000-memory.dmp
memory/4164-140-0x0000000000000000-mapping.dmp
memory/4180-141-0x0000000000000000-mapping.dmp
memory/4180-142-0x0000000000400000-0x000000000048C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe.log
| MD5 | 6f8f3a9a57cb30e686d3355e656031e0 |
| SHA1 | acccd6befb1a2f40e662280bc5182e086a0d079b |
| SHA256 | 283586e83b25099a5698cb9caf9c594a37060d11e0f55c81bb9c6d4f728448ea |
| SHA512 | 8f11d645ff4f8d5b1c45b06eb52cd45319659255306d60e80e33abfd04b9e3b1164679f11a8a23bd493e4b3f6b9841d70e553a01835eeaf6035b4d05e4fd7b54 |