Malware Analysis Report

2025-01-18 04:57

Sample ID 220418-mzx4vscccn
Target 905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892
SHA256 905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892
Tags
masslogger collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892

Threat Level: Known bad

The file 905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892 was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger

MassLogger Main Payload

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious behavior: AddClipboardFormatListener

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-18 10:54

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-18 10:54

Reported

2022-04-18 15:56

Platform

win10v2004-20220414-en

Max time kernel

162s

Max time network

182s

Command Line

"C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1008 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1008 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1008 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1008 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1008 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1008 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1008 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1008 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1008 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1008 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1008 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe

"C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe"

C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe

"C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe"

C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe

"C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe"

Network

Country Destination Domain Proto
NL 87.248.202.1:80 N/A tcp
US 52.109.8.19:443 N/A tcp
US 67.26.205.254:80 N/A tcp
US 67.26.205.254:80 N/A tcp
US 20.42.65.88:443 N/A tcp
US 67.26.205.254:80 N/A tcp
US 67.26.205.254:80 N/A tcp
US 67.26.205.254:80 N/A tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 8.8.8.8:53 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp
US 52.20.78.240:80 api.ipify.org tcp

Files

memory/1008-130-0x0000000000D50000-0x0000000000E2C000-memory.dmp

memory/1008-131-0x0000000005760000-0x00000000057FC000-memory.dmp

memory/1008-132-0x0000000005E70000-0x0000000006414000-memory.dmp

memory/1008-133-0x00000000058C0000-0x0000000005952000-memory.dmp

memory/1008-134-0x0000000005890000-0x000000000589A000-memory.dmp

memory/1008-135-0x0000000005AB0000-0x0000000005B06000-memory.dmp

memory/1468-136-0x0000000000000000-mapping.dmp

memory/1320-137-0x0000000000000000-mapping.dmp

memory/1320-138-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1320-139-0x00000000068F0000-0x0000000006956000-memory.dmp

memory/1320-140-0x0000000007100000-0x0000000007150000-memory.dmp

memory/1320-141-0x0000000004FD3000-0x0000000004FD5000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-18 10:54

Reported

2022-04-18 15:56

Platform

win7-20220414-en

Max time kernel

119s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1476 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1476 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1476 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1476 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1476 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1476 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1476 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1476 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe
PID 1476 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe

"C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe"

C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe

"C:\Users\Admin\AppData\Local\Temp\905d0d2750f4ed0a0a8b33012391b142cb09f890e44f0b6c86dea18876911892.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp

Files

memory/1476-54-0x0000000000A80000-0x0000000000B5C000-memory.dmp

memory/1476-55-0x0000000000390000-0x00000000003A0000-memory.dmp

memory/1476-56-0x0000000005680000-0x000000000573C000-memory.dmp

memory/1476-57-0x0000000004960000-0x00000000049E8000-memory.dmp

memory/1692-58-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1692-59-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1692-61-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1692-62-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1692-63-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1692-64-0x000000000048154E-mapping.dmp

memory/1692-66-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1692-68-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1692-69-0x0000000004EB5000-0x0000000004EC6000-memory.dmp