Analysis Overview
SHA256
0e90bd89cf193f319915fcd00b77547acfd56537a820aee951ece4b3018d685f
Threat Level: Known bad
The file 0e90bd89cf193f319915fcd00b77547acfd56537a820aee951ece4b3018d685f was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger log file
Executes dropped EXE
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious use of WriteProcessMemory
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 03:30
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 03:30
Reported
2022-05-21 05:14
Platform
win10v2004-20220414-en
Max time kernel
119s
Max time network
184s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4444 set thread context of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe
"C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe"
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3088 -ip 3088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1812
Network
| Country | Destination | Domain | Proto |
| US | 8.238.111.254:80 | | tcp |
| GB | 51.105.71.136:443 | | tcp |
| US | 8.238.111.254:80 | | tcp |
| US | 8.238.111.254:80 | | tcp |
| US | 8.238.111.254:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
Files
memory/4444-130-0x0000000000E30000-0x0000000001054000-memory.dmp
memory/4444-131-0x0000000006000000-0x00000000065A4000-memory.dmp
memory/4444-132-0x0000000005B30000-0x0000000005BC2000-memory.dmp
memory/4444-133-0x0000000005F80000-0x0000000005FC4000-memory.dmp
memory/4444-134-0x00000000076C0000-0x00000000076E2000-memory.dmp
memory/3088-135-0x0000000000000000-mapping.dmp
memory/3088-136-0x0000000000400000-0x0000000000546000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
| MD5 | 5d4073b2eb6d217c19f2b22f21bf8d57 |
| SHA1 | f0209900fbf08d004b886a0b3ba33ea2b0bf9da8 |
| SHA256 | ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3 |
| SHA512 | 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159 |
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
| MD5 | 5d4073b2eb6d217c19f2b22f21bf8d57 |
| SHA1 | f0209900fbf08d004b886a0b3ba33ea2b0bf9da8 |
| SHA256 | ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3 |
| SHA512 | 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159 |
memory/3088-142-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-140-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-144-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-146-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-148-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-150-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-152-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-154-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-156-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-158-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-160-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-162-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-164-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-166-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-168-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-170-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-172-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-174-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-176-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-178-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-180-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-182-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-184-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-186-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-188-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-190-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-194-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-192-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-196-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-198-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-200-0x0000000000400000-0x0000000000546000-memory.dmp
memory/3088-643-0x00000000057E0000-0x0000000005846000-memory.dmp
memory/3088-644-0x00000000068A0000-0x00000000068AA000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 03:30
Reported
2022-05-21 05:13
Platform
win7-20220414-en
Max time kernel
106s
Max time network
111s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 812 set thread context of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe
"C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe"
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.220.57.224:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| NL | 104.110.191.15:80 | repository.certum.pl | tcp |
Files
memory/812-54-0x0000000001100000-0x0000000001324000-memory.dmp
memory/812-55-0x0000000000280000-0x0000000000294000-memory.dmp
memory/812-56-0x00000000002C0000-0x00000000002C8000-memory.dmp
memory/812-57-0x0000000000470000-0x0000000000478000-memory.dmp
memory/812-58-0x0000000000480000-0x0000000000488000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
| MD5 | 91c9ae9c9a17a9db5e08b120e668c74c |
| SHA1 | 50770954c1ceb0bb6f1d5d3f2de2a0a065773723 |
| SHA256 | e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f |
| SHA512 | ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e |
memory/1360-60-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-61-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-63-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-65-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-66-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-67-0x00000000004A12AE-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
| MD5 | 91c9ae9c9a17a9db5e08b120e668c74c |
| SHA1 | 50770954c1ceb0bb6f1d5d3f2de2a0a065773723 |
| SHA256 | e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f |
| SHA512 | ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e |
memory/1360-70-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-72-0x0000000000400000-0x0000000000546000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
| MD5 | 91c9ae9c9a17a9db5e08b120e668c74c |
| SHA1 | 50770954c1ceb0bb6f1d5d3f2de2a0a065773723 |
| SHA256 | e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f |
| SHA512 | ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e |
memory/1360-75-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-77-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-79-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-81-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-83-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-85-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-87-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-89-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-93-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-95-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-91-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-97-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-99-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-101-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-103-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-105-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-107-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-109-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-111-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-113-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-115-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-117-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-119-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-121-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-123-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-125-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1360-579-0x0000000000960000-0x00000000009A4000-memory.dmp