Analysis Overview
SHA256
b20dd5b68b8766bed0a393621498e7cda44d44d58b5774042950a3376f094890
Threat Level: Known bad
The file b20dd5b68b8766bed0a393621498e7cda44d44d58b5774042950a3376f094890 was found to be: Known bad.
Malicious Activity Summary
MassLogger log file
MassLogger
MassLogger Main Payload
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-15 01:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-15 01:04
Reported
2022-04-15 01:34
Platform
win7-20220414-en
Max time kernel
70s
Max time network
120s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 304 set thread context of 612 | N/A | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe
"C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe"
C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
Files
memory/304-54-0x0000000000D70000-0x0000000000E48000-memory.dmp
memory/304-55-0x0000000000580000-0x0000000000588000-memory.dmp
memory/304-56-0x00000000048F0000-0x00000000049A0000-memory.dmp
memory/612-57-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/612-58-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/612-60-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/612-61-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/612-62-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/612-63-0x00000000004A304E-mapping.dmp
memory/612-65-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/612-67-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/612-68-0x0000000000630000-0x0000000000674000-memory.dmp
memory/612-69-0x00000000042D5000-0x00000000042E6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-15 01:04
Reported
2022-04-15 01:34
Platform
win10v2004-20220414-en
Max time kernel
79s
Max time network
101s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2976 set thread context of 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe
"C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe"
C:\Users\Admin\AppData\Local\Temp\ROLLY 3Y23RY4R2.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 13.89.178.27:443 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
| NL | 88.221.144.179:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
Files
memory/2976-130-0x0000000000DC0000-0x0000000000E98000-memory.dmp
memory/2976-131-0x0000000005E50000-0x00000000063F4000-memory.dmp
memory/2976-132-0x00000000058A0000-0x0000000005932000-memory.dmp
memory/2976-133-0x0000000006770000-0x000000000680C000-memory.dmp
memory/3424-134-0x0000000000000000-mapping.dmp
memory/3424-135-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ROLLY 3Y23RY4R2.exe.log
| Hash | Value |
| MD5 | 76ffb2f33cb32ade8fc862a67599e9d8 |
| SHA1 | 920cc4ab75b36d2f9f6e979b74db568973c49130 |
| SHA256 | f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310 |
| SHA512 | f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e |
memory/3424-137-0x00000000051B0000-0x0000000005216000-memory.dmp
memory/3424-138-0x0000000006B80000-0x0000000006B8A000-memory.dmp
memory/3424-139-0x00000000025A3000-0x00000000025A5000-memory.dmp
memory/3424-140-0x0000000008000000-0x0000000008050000-memory.dmp