Malware Analysis Report

2025-01-18 05:00

Sample ID 220415-kvklvsedek
Target 4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be
SHA256 4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be
Tags
masslogger collection persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be

Threat Level: Known bad

The file 4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be was found to be: Known bad.

Malicious Activity Summary

masslogger collection persistence ransomware spyware stealer

Of the tags above, masslogger, collection, persistence, spyware and stealer are each backed by a signature listed below; no signature in either detonation records file encryption, ransom-note drops or other ransomware behaviour, so the ransomware tag is not borne out by the recorded activity.

MassLogger Main Payload

MassLogger

MassLogger log file

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

outlook_office_path

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-15 08:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-15 08:55

Reported

2022-04-15 11:21

Platform

win7-20220414-en

Max time kernel

77s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A (six matches recorded, none with indicator detail)

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

The rows below show the sample walking the Outlook profile store under every Office version key from 15.0 through 20.0, plus the legacy Windows Messaging Subsystem profile path, each time looking for the 9375CFF0413111d3B88A00104B2A6676 profile section in which Outlook keeps account settings. Only 15.0 (Office 2013) and 16.0 (Office 2016 and later, including Microsoft 365) correspond to shipped releases; the "Key created" rows indicate the keys are opened with a create disposition, so on an infected host the otherwise non-existent 17.0 to 20.0 Outlook\Profiles keys can be left behind and are worth checking for during response.
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

Adds Run key to start application

persistence

The autorun value is named after VLC and points to an executable under the user's Start Menu\Programs folder, which normally holds only .lnk shortcuts. The Files section of this detonation records no write to that path (only memory dumps), so the copy of the sample to the VideoLAN location was not captured in this run and the Run value is the only persistence artifact observed.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 1988 (12 WriteProcessMemory calls recorded) N/A C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe

"C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe"

C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe

"C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp

Files

memory/1984-54-0x0000000001100000-0x000000000141E000-memory.dmp

memory/1984-55-0x0000000004C60000-0x0000000004CFC000-memory.dmp

memory/1984-56-0x00000000004D0000-0x00000000004EC000-memory.dmp

memory/1988-57-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1988-58-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1988-60-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1988-61-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1988-63-0x00000000004948CE-mapping.dmp

memory/1988-62-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1988-65-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1988-67-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1988-68-0x00000000003C0000-0x0000000000404000-memory.dmp

memory/1988-69-0x0000000001045000-0x0000000001056000-memory.dmp

memory/1988-70-0x0000000000D30000-0x0000000000D44000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-15 08:55

Reported

2022-04-15 11:19

Platform

win10v2004-20220414-en

Max time kernel

86s

Max time network

73s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
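
A parser for rows of this shape, covering both the Outlook profile enumeration and the Run-key persistence rows of the two detonations above. This is an added example by the editor, not part of the sandbox report or of the sandbox's own tooling; the row grammar, the unescaping of the quoted value and the scoring rules are assumptions, and the built-in rows are copied from the tables on this page.

```python
"""Parse the registry rows in this report's signature tables and rank them.

Added example by the editor, not part of the sandbox report. ROWS are copied
from the 'Accesses Microsoft Outlook profiles', 'Adds Run key to start
application' and 'Checks computer location settings' tables (behavioral1, plus
one behavioral2 row with the upper-case SOFTWARE path). The row grammar, the
unescaping and the scoring rules are the editor's own assumptions.
"""
import json
import re

SID = 'S-1-5-21-1819626980-2277161760-1023733287-1000'
HIVE = '\\REGISTRY\\USER\\' + SID
PROC = ('C:\\Users\\Admin\\AppData\\Local\\Temp\\'
        '4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe')

ROWS = [
    'Set value (str) ' + HIVE + r'\Software\Microsoft\Windows\CurrentVersion\Run\vlc = '
    r'"\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs'
    r'\\VideoLAN\\vlc.exe\"" ' + PROC + ' N/A',
    'Key created ' + HIVE + r'\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook ' + PROC + ' N/A',
    'Key queried ' + HIVE + r'\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook ' + PROC + ' N/A',
    'Key created ' + HIVE + r'\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook'
    r'\9375CFF0413111d3B88A00104B2A6676 ' + PROC + ' N/A',
    'Key opened ' + HIVE + r'\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook'
    r'\9375CFF0413111d3B88A00104B2A6676 ' + PROC + ' N/A',
    'Key created ' + HIVE + r'\Software\Microsoft\Windows NT\CurrentVersion'
    r'\Windows Messaging Subsystem\Profiles\Outlook ' + PROC + ' N/A',
    'Key value queried ' + HIVE + r'\Control Panel\International\Geo\Nation ' + PROC + ' N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000'
    r'\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook ' + PROC + ' N/A',
]

# Row grammar (assumed): <op> <key path, may contain spaces>[ = "<escaped value>"] <process> <target>
ROW_RE = re.compile(
    r'^(?P<op>Key opened|Key created|Key queried|Key value queried|Set value \(\w+\)) '
    r'(?P<key>\\REGISTRY\\.+?)(?: = "(?P<val>.*)")? (?P<proc>C:\\\S+|N/A) (?P<target>\S+)$')


def parse_row(line):
    m = ROW_RE.match(line)
    if not m:
        raise ValueError('unrecognised row: ' + line[:60])
    return m.groupdict()


def unescape(val):
    """Undo the report's C-style escaping (\\\\ -> \\, \\" -> ") and drop the outer quotes."""
    return re.sub(r'\\(.)', r'\1', val).strip('"')


# Value names that borrow a real product's name; the third rule assumes the
# genuine product would live under Program Files.
IMPERSONATED = {'vlc'}


def check_run_entry(key, target):
    reasons, t = [], target.lower()
    if '\\start menu\\programs\\' in t and t.endswith('.exe'):
        reasons.append('executable stored under Start Menu\\Programs, which holds .lnk shortcuts, not binaries')
    if '\\appdata\\roaming\\' in t:
        reasons.append('autorun target lives in the roaming profile rather than Program Files')
    name = key.rsplit('\\', 1)[-1].lower()
    if name in IMPERSONATED and not t.startswith('c:\\program files'):
        reasons.append(f'value name "{name}" imitates installed software but the path is not its install location')
    return reasons


OFFICE_RE = re.compile(r'\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Profiles', re.I)
SHIPPED = {'15.0': 'Office 2013', '16.0': 'Office 2016 and later, including Microsoft 365'}


def summarize_outlook(rows):
    probed, created_fake = set(), set()
    for r in rows:
        m = OFFICE_RE.search(r['key'])
        if not m:
            continue
        probed.add(m.group(1))
        if r['op'] == 'Key created' and m.group(1) not in SHIPPED:
            created_fake.add(m.group(1))          # artifact: no such Office release exists
    legacy = any('windows messaging subsystem' in r['key'].lower() for r in rows)
    return {'probed': sorted(probed), 'created_nonexistent': sorted(created_fake),
            'legacy_mapi_path': legacy}


def analyze(rows=ROWS):
    parsed = [parse_row(r) for r in rows]
    out = {'persistence': [], 'outlook': summarize_outlook(parsed), 'geo_check': False}
    for p in parsed:
        key_l = p['key'].lower()
        if p['op'].startswith('Set value') and '\\currentversion\\run\\' in key_l:
            target = unescape(p['val'])
            out['persistence'].append({'value_name': p['key'].rsplit('\\', 1)[-1],
                                       'target': target,
                                       'reasons': check_run_entry(p['key'], target)})
        if key_l.endswith('\\control panel\\international\\geo\\nation'):
            out['geo_check'] = True
    return out


if __name__ == '__main__':
    print(json.dumps(analyze(), indent=1))
```

Running it prints the flagged Run value with its three reasons and the list of Office version keys the sample created that no Office release has ever used; that second list is the registry artifact to look for on a host suspected of running this sample.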

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 1460 (8 WriteProcessMemory calls recorded) N/A C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe

"C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe"

C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe

"C:\Users\Admin\AppData\Local\Temp\4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp

Files

memory/2296-130-0x00000000002B0000-0x00000000005CE000-memory.dmp

memory/1460-131-0x0000000000000000-mapping.dmp

memory/1460-132-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1460-133-0x0000000005870000-0x0000000005E14000-memory.dmp

memory/1460-134-0x0000000005200000-0x000000000529C000-memory.dmp

memory/1460-135-0x0000000005370000-0x00000000053D6000-memory.dmp

memory/1460-136-0x0000000005E20000-0x0000000005EB2000-memory.dmp

memory/1460-137-0x0000000006CB0000-0x0000000006CBA000-memory.dmp

memory/1460-138-0x00000000052B3000-0x00000000052B5000-memory.dmp

memory/1460-139-0x0000000006450000-0x00000000064A0000-memory.dmp
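
The WriteProcessMemory, SetThreadContext and memory-dump entries of the two detonations above, correlated into a single injection verdict. This is an added example by the editor and not part of the sandbox report; the event records are constructed from the figures printed on this page, and three points are assumptions rather than things the report states: that the second instance of the sample is a child of the first (the page shows only the write direction, not a process tree), that the summary-level SetThreadContext signature applies to both detonations, and that the address in a "-mapping.dmp" file name is the thread start address the sandbox observed.

```python
"""Correlate the process events in this report into an injection verdict.

Added example by the editor; not part of the sandbox report. Event records are
constructed from the Processes, 'Suspicious use of WriteProcessMemory',
'Suspicious use of SetThreadContext' and Files sections of behavioral1 and
behavioral2. Assumed: the second sample instance is a child of the first; the
summary-level SetThreadContext signature applies to both runs; the address in
a '-mapping.dmp' name is the observed thread start address.
"""
from collections import Counter, defaultdict

SAMPLE = '4693ca052170a0e71dc3abc09936d498c3e3547a15d8266e4907a0343ad146be.exe'
IMAGE = 'C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE


def detonation(parent, child, writes, thread_ctx, image_lo, image_hi, start_addr):
    """Build the event list for one detonation from the figures printed in the report."""
    events = [
        ('process_create', {'pid': parent, 'ppid': None, 'image': IMAGE}),
        ('process_create', {'pid': child, 'ppid': parent, 'image': IMAGE}),
    ]
    events += [('write_process_memory', {'pid': parent, 'target': child})] * writes
    if thread_ctx:
        events.append(('set_thread_context', {'pid': parent, 'target': child}))
    events.append(('memory_dump', {'pid': child, 'start': image_lo, 'end': image_hi}))
    events.append(('mapping_dump', {'pid': child, 'address': start_addr}))
    return events


# behavioral1 (win7): 12 writes 1984 -> 1988, child image dumped at
# 0x400000-0x49A000, mapping dump named for 0x4948CE
BEHAVIORAL1 = detonation(1984, 1988, 12, True, 0x400000, 0x49A000, 0x4948CE)
# behavioral2 (win10): 8 writes 2296 -> 1460, same image range, mapping dump
# named for address 0, i.e. no usable start address was recorded
BEHAVIORAL2 = detonation(2296, 1460, 8, True, 0x400000, 0x49A000, 0x0)


def correlate(events):
    """Return one verdict per (writer, target) pair that has WriteProcessMemory calls."""
    procs, writes, ctx = {}, Counter(), set()
    regions, start = defaultdict(list), {}
    for kind, e in events:
        if kind == 'process_create':
            procs[e['pid']] = e
        elif kind == 'write_process_memory':
            writes[(e['pid'], e['target'])] += 1
        elif kind == 'set_thread_context':
            ctx.add((e['pid'], e['target']))
        elif kind == 'memory_dump':
            regions[e['pid']].append((e['start'], e['end']))
        elif kind == 'mapping_dump' and e['address']:   # address 0 means "not recorded"
            start[e['pid']] = e['address']

    verdicts = []
    for (src, dst), n in writes.items():
        if src == dst or src not in procs or dst not in procs:
            continue  # no process context to correlate against
        s, d = procs[src], procs[dst]
        evidence = [f'{n} WriteProcessMemory calls from {src} into {dst}']
        hollow_shape = s['image'].lower() == d['image'].lower() and d['ppid'] == src
        if hollow_shape:
            evidence.append("target is a freshly spawned copy of the writer's own image")
        redirected = (src, dst) in ctx
        if redirected:
            evidence.append('writer called SetThreadContext on the target')
        in_image = None
        if dst in start:
            in_image = any(lo <= start[dst] < hi for lo, hi in regions[dst])
            evidence.append(f'thread start {start[dst]:#x} '
                            + ('lies inside' if in_image else 'is outside')
                            + ' the dumped image range')
        if hollow_shape and redirected:
            verdict = 'process hollowing (self-injection)'
            confidence = 'high' if in_image else 'medium'
        elif hollow_shape:
            verdict, confidence = 'self-injection without thread redirection', 'medium'
        else:
            verdict, confidence = 'cross-process memory write', 'low'
        verdicts.append({'writer': src, 'target': dst, 'writes': n, 'verdict': verdict,
                         'confidence': confidence, 'entry_in_image': in_image,
                         'evidence': evidence})
    return verdicts


if __name__ == '__main__':
    for name, ev in (('behavioral1', BEHAVIORAL1), ('behavioral2', BEHAVIORAL2)):
        for v in correlate(ev):
            print(name, v['verdict'], v['confidence'], '; '.join(v['evidence']))
```

The Windows 7 run reaches a high-confidence verdict because the recorded start address 0x4948CE falls inside the 0x400000 to 0x49A000 range that was dumped from the child; the Windows 10 run, whose mapping dump carries address 0, is downgraded to medium on the strength of SetThreadContext alone. The 0x400000 to 0x49A000 dumps of the child are where an analyst would carve the unpacked payload.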