Analysis Overview
SHA256
ef0ad2f70a1fcffe2cd3e3c28adb13d7dfd0b7745405883524f27a13d46d4f24
Threat Level: Known bad
The file ef0ad2f70a1fcffe2cd3e3c28adb13d7dfd0b7745405883524f27a13d46d4f24 was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
MassLogger log file
ReZer0 packer
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 01:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 01:54
Reported
2022-05-21 02:54
Platform
win7-20220414-en
Max time kernel
143s
Max time network
162s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ReZer0 packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1840 set thread context of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmZtCG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A0C.tmp"
C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | mail.mytravelexplorer.com | udp |
| GB | 89.187.85.6:587 | mail.mytravelexplorer.com | tcp |
Files
memory/1840-54-0x0000000001360000-0x0000000001438000-memory.dmp
memory/1840-55-0x0000000000380000-0x0000000000390000-memory.dmp
memory/1840-56-0x0000000006750000-0x00000000067FE000-memory.dmp
memory/104-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4A0C.tmp
| MD5 | b51b7fd96d23527dce1d02c6648eda45 |
| SHA1 | d6fe76e5c35c740d14566558df78edd42c3e69a8 |
| SHA256 | daf685c9ce1acd6563a9c7d8390ffdc2d9509da01df74b34ecb2a6418d7292d7 |
| SHA512 | b428f6fd5c71e7dfa99c839ead71182e9d76bc8fb1a09b83a117c44c45b595ad4f32e3fb38a5c05483ebd910076d4066caaf53118949ac0fbef3f4ba6e91638b |
memory/1956-59-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1956-60-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1956-62-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1956-63-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1956-65-0x00000000004A2C8E-mapping.dmp
memory/1956-64-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1956-67-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1956-69-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1956-70-0x00000000006C0000-0x0000000000704000-memory.dmp
memory/1956-71-0x00000000751C1000-0x00000000751C3000-memory.dmp
memory/1956-72-0x0000000004DC5000-0x0000000004DD6000-memory.dmp
memory/1956-73-0x0000000001340000-0x0000000001354000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 01:54
Reported
2022-05-21 02:54
Platform
win10v2004-20220414-en
Max time kernel
152s
Max time network
168s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2736 set thread context of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmZtCG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB3EE.tmp"
C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\Documents.pdf.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.238.111.254:80 | | tcp |
| GB | 51.105.71.136:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.238.111.254:80 | | tcp |
| US | 8.238.111.254:80 | | tcp |
| US | 8.238.111.254:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
Files
memory/2736-131-0x0000000000F50000-0x0000000001028000-memory.dmp
memory/2736-132-0x0000000005890000-0x000000000592C000-memory.dmp
memory/2736-133-0x0000000005A40000-0x0000000005AD2000-memory.dmp
memory/2736-134-0x0000000007970000-0x0000000007F14000-memory.dmp
memory/5072-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB3EE.tmp
| MD5 | 75c0c559a9135119b544089492ec308f |
| SHA1 | 71de193e0eff7444f110b6f689ae5265ca6b6f2c |
| SHA256 | 5a6ca3b3748109f1ee3656a821c82775b50c8fa35f7dbfe0ee48fbcff9489080 |
| SHA512 | a43559bd61242433da2a6360909b0b10bcac058ca2f79a4df110f32a3bdde8c284ad3b89caf5aef2ebe0c94e19c86d4f3eec28849439b1d57da729a62cfa00b0 |
memory/2304-137-0x0000000000000000-mapping.dmp
memory/2236-138-0x0000000000000000-mapping.dmp
memory/2236-139-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2236-140-0x0000000005940000-0x00000000059A6000-memory.dmp
memory/2236-141-0x0000000007250000-0x000000000725A000-memory.dmp