Malware Analysis Report

2024-10-19 08:46

Sample ID: 220521-d7112shaa2
Target: e5c28e3ac87bbb2024004844926484647f017dc5c506405873539b59ad0a64a4
SHA256: e5c28e3ac87bbb2024004844926484647f017dc5c506405873539b59ad0a64a4
Tags: masslogger collection evasion ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview, Signatures
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10

SHA256: e5c28e3ac87bbb2024004844926484647f017dc5c506405873539b59ad0a64a4

Threat Level: Known bad

The file e5c28e3ac87bbb2024004844926484647f017dc5c506405873539b59ad0a64a4 was found to be: Known bad.

Malicious Activity Summary

Tags: masslogger collection evasion ransomware spyware stealer

Note: the "ransomware" tag is not supported by anything in this report. None of the signatures below involve file encryption or ransom notes; the observed behaviour is browser and mail-profile theft (stealer/spyware), sandbox evasion, process injection and scheduled-task persistence.

MassLogger log file

MassLogger

MassLogger Main Payload

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Maps connected drives based on registry

Suspicious use of SetThreadContext

Enumerates physical storage devices

outlook_win_path

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-21 03:39

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-21 03:39
Reported: 2022-05-21 05:25
Platform: win10v2004-20220414-en
Max time kernel: 149s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks for VirtualBox Guest Additions in registry

evasion

Looks for VMWare Tools registry key

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
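Detection logic for the registry activity in the tables above (BIOS version values, the Geo\Nation value, the Outlook profile keys under Office 15.0 through 20.0 and the Windows Messaging Subsystem, and the Disk\Enum key), as an added example that is not part of the sandbox report or the vendor's code. The event records are constructed from the rows above; the VirtualBox and VMware key paths and the benign OUTLOOK.EXE process are assumptions, because the report names those two evasion signatures without printing the paths it matched. Two observations drive the extra tags: Office has never shipped a major version above 16.0 (15.0 is Office 2013, 16.0 is 2016 onward), so hits on 17.0 through 20.0 are a blind sweep by the stealer rather than a lookup of an installed client, and the "Key created" rows mean the keys were opened with create semantics, which leaves empty profile keys behind on a victim host as a forensic trace.

```python
"""Classify sandbox registry events into the evasion and collection behaviours seen above.

Added example, not the sandbox vendor's code. Event records are constructed from the
behavioral2 rows; VirtualBox/VMware paths and the OUTLOOK.EXE process are assumed."""
import re
from collections import defaultdict

MALWARE = r"C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"  # hypothetical benign reader
SID = "S-1-5-21-1809750270-3141839489-3074374771-1000"
GUID = "9375CFF0413111d3B88A00104B2A6676"

# (operation, key, process) -- constructed from the report; last two rows added for contrast.
SAMPLE_EVENTS = [
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", MALWARE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", MALWARE),
    ("Key value queried", rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation", MALWARE),
    ("Key queried", rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\{GUID}", MALWARE),
    ("Key created", rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\{GUID}", MALWARE),
    ("Key opened", rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\{GUID}", MALWARE),
    ("Key opened", rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{GUID}", MALWARE),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum", MALWARE),
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools", MALWARE),  # assumed path
    ("Key opened", rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\{GUID}", OUTLOOK),
]

RULES = {
    "bios_version_check": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    # Assumed key paths: the report names these signatures but does not print the keys.
    "vm_artifact_check": re.compile(r"\\(Oracle\\VirtualBox Guest Additions|VMware, Inc\.\\VMware Tools)$", re.I),
    "geo_nation_check": re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    "drive_enumeration": re.compile(r"\\Services\\Disk\\Enum(\\\d+)?$", re.I),
    "outlook_profile_access": re.compile(
        r"\\(Office\\\d+\.\d+\\Outlook|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)"
        r"\\Profiles\\Outlook", re.I),
}
OFFICE_VERSION_RE = re.compile(r"\\Office\\(\d+\.\d+)\\Outlook\\Profiles\\Outlook", re.I)


def classify(events):
    """Return {process: {"tags": set, "office_versions": set}} for every process in events."""
    report = defaultdict(lambda: {"tags": set(), "office_versions": set()})
    for op, key, proc in events:
        entry = report[proc]
        for tag, rx in RULES.items():
            if rx.search(key):
                entry["tags"].add(tag)
        m = OFFICE_VERSION_RE.search(key)
        if m:
            entry["office_versions"].add(m.group(1))
        # "Key created" on a profile path: the key was opened with create semantics, so a
        # victim host is left with empty Outlook profile keys it never had before.
        if op == "Key created" and RULES["outlook_profile_access"].search(key):
            entry["tags"].add("outlook_profile_key_created")
    for proc, entry in report.items():
        # Office has never shipped a major version above 16.0, so probing 17.0-20.0 is a
        # blind sweep of the version space, not a lookup of an installed client.
        if any(float(v) > 16.0 for v in entry["office_versions"]):
            entry["tags"].add("outlook_profile_sweep")
        if "outlook_profile_access" in entry["tags"] and not proc.lower().endswith("\\outlook.exe"):
            entry["tags"].add("non_office_reader_of_mail_profiles")
    return dict(report)


if __name__ == "__main__":
    for proc, entry in classify(SAMPLE_EVENTS).items():
        print(proc, sorted(entry["tags"]), sorted(entry["office_versions"]))
```

The per-process aggregation matters more than any single rule: one BIOS query or one Geo\Nation read is common in legitimate software, but a process that combines hardware fingerprinting with mail-profile access across Office versions that do not exist is the shape of a stealer, and that combination is what to alert on.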

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2784 set thread context of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
(28 identical entries collapsed into one row)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2784 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2784 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe
(first row: 3 identical entries; second row: 8 identical entries)

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe

"C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LNougonJUR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp366D.tmp"

C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe

"C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe"
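The process list above, together with the WriteProcessMemory and SetThreadContext rows, describes two things worth detecting on their own: a scheduled task registered from an XML file in the user's temp directory by a parent that also runs from there, and a parent that writes into a child running its own image and then replaces that child's thread context (the usual shape of process hollowing; the child's 0x400000-0x49A000 dump in the Files section is consistent with an image written into it). The following correlation logic is an added example, not the sandbox vendor's code: the records are constructed from the behavioral2 rows (pids 2784, 220 and 648, with the first process's parent unknown and left as None), and the event field names are this example's own. It also explains a detail a reader may trip over: the command line names C:\Windows\System32\schtasks.exe while the image that actually ran is under SysWOW64, which is WoW64 file-system redirection and tells you the launching process is 32-bit.

```python
"""Correlate process-creation and memory-access events into the persistence and
injection chain seen above.

Added example, not the sandbox vendor's code. Records are constructed from the
behavioral2 Processes, WriteProcessMemory and SetThreadContext rows."""
import re
from collections import defaultdict

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
XML_ARG_RE = re.compile(r'/xml\s+"([^"]+)"', re.I)
TASK_ARG_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)

MALWARE = r"C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe"
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LNougonJUR" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp366D.tmp"')

# (pid, ppid, image, command line) -- constructed from the report; ppid of 2784 is unknown.
PROCESSES = [
    (2784, None, MALWARE, f'"{MALWARE}"'),
    (220, 2784, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_CMD),
    (648, 2784, MALWARE, f'"{MALWARE}"'),
]
# (operation, source pid, target pid) -- the counts match the rows in the report.
MEMORY_EVENTS = ([("write", 2784, 220)] * 3 + [("write", 2784, 648)] * 8
                 + [("set_thread_context", 2784, 648)])


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(processes, memory_events):
    """Return a list of findings (dicts with a 'kind' key) for the given events."""
    by_pid = {pid: {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}
              for pid, ppid, image, cmdline in processes}
    findings = []

    # 1. Scheduled-task persistence staged from %TEMP%: schtasks /Create with a task XML
    #    in the user's temp directory, launched by a parent that also lives there.
    for proc in by_pid.values():
        if basename(proc["image"]) != "schtasks.exe":
            continue
        cmd = proc["cmdline"]
        xml, task = XML_ARG_RE.search(cmd), TASK_ARG_RE.search(cmd)
        if "/create" not in cmd.lower() or not xml or not TEMP_RE.search(xml.group(1)):
            continue
        parent = by_pid.get(proc["ppid"])
        findings.append({
            "kind": "schtasks_xml_from_temp",
            "pid": proc["pid"],
            "task_name": task.group(1) if task else None,
            "xml_path": xml.group(1),
            "parent_in_temp": bool(parent and TEMP_RE.search(parent["image"])),
            # Command line says System32 but the image that ran is in SysWOW64: WoW64
            # file-system redirection, i.e. the launching process is 32-bit.
            "wow64_redirected": ("\\syswow64\\" in proc["image"].lower()
                                 and "\\system32\\" in cmd.lower()),
        })

    # 2. Hollowing signal: a process writes into a child running the same image and then
    #    resets that child's thread context, so the child no longer starts at its own entry.
    writes = defaultdict(int)
    context_set = set()
    for op, src, dst in memory_events:
        if op == "write":
            writes[(src, dst)] += 1
        elif op == "set_thread_context":
            context_set.add((src, dst))
    for (src, dst), count in writes.items():
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and s["image"].lower() == d["image"].lower() and (src, dst) in context_set:
            findings.append({"kind": "self_image_hollowing", "source_pid": src,
                             "target_pid": dst, "writes": count, "image": d["image"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(PROCESSES, MEMORY_EVENTS):
        print(finding)
```

The three writes into schtasks.exe (pid 220) are deliberately not flagged as injection: the images differ and no thread context is set on that process, and writes into a freshly created child with a different image are not by themselves evidence of hollowing. Requiring both the same-image condition and a SetThreadContext on the same pair keeps the second rule from firing on ordinary child-process creation.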

Network

Country | Destination | Domain | Proto
BE | 67.27.154.126:80 | | tcp
US | 20.42.65.89:443 | | tcp
BE | 67.27.154.126:80 | | tcp
BE | 67.27.154.126:80 | | tcp
BE | 67.27.154.126:80 | | tcp
US | 8.238.20.254:80 | | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 3.220.57.224:80 | api.ipify.org | tcp

Files

memory/2784-130-0x0000000000D20000-0x0000000000DE0000-memory.dmp

memory/2784-131-0x0000000005840000-0x00000000058D2000-memory.dmp

memory/2784-132-0x0000000005E90000-0x0000000005F2C000-memory.dmp

memory/2784-133-0x00000000065F0000-0x0000000006B94000-memory.dmp

memory/2784-134-0x00000000014F0000-0x0000000001556000-memory.dmp

memory/220-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp366D.tmp

MD5 93abeb5763df7a4d0ed3bd1e76b6b5be
SHA1 aef39734eb47a392e3258bba3a0a10d42da2fc72
SHA256 1f6f5eacf05c0ac4cafada02735721c5e77a110b5c274ad6925f47784bbc0e80
SHA512 bfb27e8eb119ab23c53991979509dd62bab17d823b075ba401edb56335047142b0d7a10f4fed43b469e660b80e94ca96ae967f95649a9749b7818046390f93e8

memory/648-137-0x0000000000000000-mapping.dmp

memory/648-138-0x0000000000400000-0x000000000049A000-memory.dmp

memory/648-139-0x0000000007050000-0x000000000705A000-memory.dmp

memory/648-140-0x00000000083A0000-0x00000000083F0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-21 03:39
Reported: 2022-05-21 05:25
Platform: win7-20220414-en
Max time kernel: 149s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(6 identical entries collapsed into one row)

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks for VirtualBox Guest Additions in registry

evasion

Looks for VMWare Tools registry key

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1752 set thread context of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1752 wrote to memory of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1752 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe
(first row: 4 identical entries; second row: 9 identical entries)

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe

"C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LNougonJUR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp957D.tmp"

C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe

"C:\Users\Admin\AppData\Local\Temp\PI List-pdf.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 3.220.57.224:80 | api.ipify.org | tcp

Files

memory/1752-54-0x0000000000FF0000-0x00000000010B0000-memory.dmp

memory/1752-55-0x0000000000240000-0x0000000000252000-memory.dmp

memory/1752-56-0x00000000054F0000-0x0000000005592000-memory.dmp

memory/1752-57-0x00000000750C1000-0x00000000750C3000-memory.dmp

memory/656-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp957D.tmp

MD5 c07ed207b3fcb79371d34352b14c21eb
SHA1 3598967a79705b86d052330f8a18cd223f80187d
SHA256 4baaa97121348b9813e2cac5d6a1b1e3b731a6d0cf9aa08fe561c3a15dfbc2a2
SHA512 06231bdb9661664b9e0996389e9ddfce5a2203c670ae3593de1db2dca421cce5df25f6ddf8d51ca3c57cc6fadc0bed6fd7e8b43f2866d732dc0ee79142db5294

memory/908-60-0x0000000000400000-0x000000000049A000-memory.dmp

memory/908-61-0x0000000000400000-0x000000000049A000-memory.dmp

memory/908-63-0x0000000000400000-0x000000000049A000-memory.dmp

memory/908-64-0x0000000000400000-0x000000000049A000-memory.dmp

memory/908-65-0x0000000000400000-0x000000000049A000-memory.dmp

memory/908-66-0x00000000004944DE-mapping.dmp

memory/908-68-0x0000000000400000-0x000000000049A000-memory.dmp

memory/908-70-0x0000000000400000-0x000000000049A000-memory.dmp

memory/908-71-0x00000000006E0000-0x0000000000724000-memory.dmp

memory/908-73-0x00000000004C5000-0x00000000004D6000-memory.dmp

memory/908-74-0x0000000000A20000-0x0000000000A34000-memory.dmp