Malware Analysis Report

2025-01-18 05:00

Sample ID: 220415-a8s52sach8
Target: 1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00
SHA256: 1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00
Tags: masslogger collection spyware stealer
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00 was found to be: Known bad.

Malicious Activity Summary

MassLogger
MassLogger Main Payload
Reads user/profile data of web browsers
Checks computer location settings
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Creates scheduled task(s)
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-04-15 00:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-04-15 00:53
Reported: 2022-04-15 01:13
Platform: win7-20220414-en
Max time kernel: 75s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 identical rows)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

All 35 registry events in this signature were performed by C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe with Target N/A. Every key lies under \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\ and is one of the following seven Outlook profile roots, or that root's 9375CFF0413111d3B88A00104B2A6676 profile subkey:

  Office\15.0\Outlook\Profiles\Outlook
  Office\16.0\Outlook\Profiles\Outlook
  Office\17.0\Outlook\Profiles\Outlook
  Office\18.0\Outlook\Profiles\Outlook
  Office\19.0\Outlook\Profiles\Outlook
  Office\20.0\Outlook\Profiles\Outlook
  Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Grouped by operation:

Description | Indicator | Process | Target
Key created | each of the seven profile roots above and each root's \9375CFF0413111d3B88A00104B2A6676 subkey (14 events) | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | N/A
Key queried | each of the seven profile roots above and each root's \9375CFF0413111d3B88A00104B2A6676 subkey (14 events) | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | N/A
Key opened | each root's \9375CFF0413111d3B88A00104B2A6676 subkey (7 events) | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 376 wrote to memory of 2036 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | C:\Windows\SysWOW64\schtasks.exe
PID 376 wrote to memory of 1512 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe
PID 376 wrote to memory of 1876 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe
PID 1876 wrote to memory of 1368 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe

"C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfmHEjlztsos" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE5AE.tmp"

C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe

"C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe"

C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe

"C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe'

Network

Country | Destination | Domain | Proto
US | 104.20.68.143:443 | - | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 54.91.59.199:80 | api.ipify.org | tcp
US | 8.8.8.8:53 | mail.princemthembudebtsolutions.co.za | udp
ZA | 197.242.145.216:587 | mail.princemthembudebtsolutions.co.za | tcp
NL | 104.110.191.14:80 | - | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpE5AE.tmp

MD5 e720da9e376091d9b3c0ad5ed19a7370
SHA1 7c39aa4713ac21035c9e6fa3bc7197b04fc2d72d
SHA256 40adaaebd7fa46b1e251136ed1abc82d3e77f9c38a81c80a6cc59356b88c6d2a
SHA512 0a86ad3b6975f05270aa99c2bb2238789ccc0021443a81dc136ac61ad7afb525f2f76de6ed1ae6f51a6504e370a58fc5cade29cdf140cfeb46b9af364c934518

Analysis: behavioral2

Detonation Overview

Submitted: 2022-04-15 00:53
Reported: 2022-04-15 01:14
Platform: win10v2004-20220414-en
Max time kernel: 90s
Max time network: 73s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1772 wrote to memory of 3136 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1772 wrote to memory of 4976 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe
PID 4976 wrote to memory of 4988 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe

"C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EfmHEjlztsos" /XML "C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp"

C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe

"C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe'

Network

Country | Destination | Domain | Proto
US | 52.109.8.19:443 | - | tcp
NL | 104.110.191.140:80 | - | tcp (4 connections)
US | 13.89.178.26:443 | - | tcp
GB | 92.123.140.25:80 | - | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp

MD5 82409c6c27546b3867552f19c7839935
SHA1 77f16aead14a83743395769a1503a3cd7ebf7045
SHA256 2a43fc4903a703b0a255bdb841e7864234636160f2fe7e73f2f201690dcd66b9
SHA512 41a5457bc9e89d80ebe04ed646936129ee33c6088bc361e53a049c12e9ce42d2351c3ebec0e9c685e9003b1ad63ddb75392af3df69b56044a83e6f9726e67998

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1a59f7713b3a268e3363e5e56e598e5f43e53aef9b383615f7ae32b74ba6ed00.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
