Analysis Overview
SHA256: 1ea26893b98115c9c36c6c1ecb7b4fa28b71ea8dc91f7219c7e54d9f95d4bf8e
Threat Level: Known bad
The file 1ea26893b98115c9c36c6c1ecb7b4fa28b71ea8dc91f7219c7e54d9f95d4bf8e was found to be: Known bad.
Malicious Activity Summary
- AgentTesla Payload
- MassLogger Main Payload
- AgentTesla
- Masslogger family
- MassLogger log file
- Agenttesla family
- MassLogger
- Executes dropped EXE
- Reads user/profile data of web browsers
- Obfuscated with Agile.Net obfuscator
- Checks computer location settings
- Reads user/profile data of local email clients
- Drops startup file
- Loads dropped DLL
- Reads data files stored by FTP clients
- Looks up external IP address via web service
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Enumerates physical storage devices
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-05-21 03:22
Signatures
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Agenttesla family
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Masslogger family
Analysis: behavioral1
Detonation Overview
Submitted: 2022-05-21 03:22
Reported: 2022-05-21 05:04
Platform: win7-20220414-en
Max time kernel: 130s
Max time network: 183s
Signatures
AgentTesla
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
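The table above is the credential-access step. Both the dropper in %TEMP% and its Startup-folder copy walk `Software\Microsoft\Office\<version>\Outlook\Profiles` for versions 15.0 through 20.0 plus the legacy Windows Messaging Subsystem path, looking for the MAPI account subkey `9375CFF0413111d3B88A00104B2A6676` under which Outlook keeps per-account settings. Office 17.0 to 20.0 do not exist (Office 2016 and everything after it report 16.0), and a legitimate reader never creates profile keys, so the "Key created" rows under those versions are a pure stealer artifact. The following scorer is an added example, not part of the sandbox report: it runs over registry events constructed from a subset of the rows above (the `(action, key, process)` triples are taken verbatim), and the expected-readers set, the severity labels and the helper names are this example's own assumptions. In ATT&CK terms this is credential access from password stores (T1555, current matrix IDs rather than the v6 matrix the report cites).

```python
"""Score Outlook-profile registry access per process (added example, not from the report)."""
import re
from dataclasses import dataclass, field

OFFICE_PROFILES = re.compile(r"\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Profiles", re.IGNORECASE)
WMS_PROFILES = re.compile(r"\\Windows Messaging Subsystem\\Profiles", re.IGNORECASE)
# MAPI subkey under a profile where Outlook keeps per-account settings.
MAPI_ACCOUNT_SUBKEY = "9375CFF0413111d3B88A00104B2A6676"
# Images allowed to touch profile keys (assumption); in production match on the signer, not the name.
EXPECTED_READERS = {"outlook.exe"}
LATEST_REAL_OFFICE = 16.0  # Office 2016, 2019, 2021 and 365 all report 16.0

HIVE = r"\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000"
STARTUP_COPY = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                r"\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe")
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe"


def _office(ver, tail=""):
    return HIVE + r"\Software\Microsoft\Office" + "\\" + ver + r"\Outlook\Profiles\Outlook" + tail


def _wms(tail=""):
    return HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook" + tail


# Constructed from a subset of the report's "Accesses Microsoft Outlook profiles" rows.
EVENTS = [
    ("Key queried", _office("16.0"), STARTUP_COPY),
    ("Key created", _office("19.0"), STARTUP_COPY),
    ("Key queried", _office("20.0", "\\" + MAPI_ACCOUNT_SUBKEY), STARTUP_COPY),
    ("Key opened", _office("15.0", "\\" + MAPI_ACCOUNT_SUBKEY), STARTUP_COPY),
    ("Key created", _office("18.0", "\\" + MAPI_ACCOUNT_SUBKEY), STARTUP_COPY),
    ("Key created", _office("17.0"), STARTUP_COPY),
    ("Key queried", _wms(), STARTUP_COPY),
    ("Key opened", _wms("\\" + MAPI_ACCOUNT_SUBKEY), DROPPER),
    ("Key opened", _office("16.0", "\\" + MAPI_ACCOUNT_SUBKEY), DROPPER),
    ("Key opened", _office("15.0", "\\" + MAPI_ACCOUNT_SUBKEY), DROPPER),
]


@dataclass
class Probe:
    process: str
    versions: set = field(default_factory=set)
    created: int = 0
    wms: bool = False
    account_subkey: bool = False


def score_outlook_probes(events):
    """Return [(process, severity, reasons)] for non-Outlook processes touching profile keys."""
    probes = {}
    for action, key, process in events:
        if process.rsplit("\\", 1)[-1].lower() in EXPECTED_READERS:
            continue
        m = OFFICE_PROFILES.search(key)
        if m:
            hit = probes.setdefault(process, Probe(process))
            hit.versions.add(m.group(1))
        elif WMS_PROFILES.search(key):
            hit = probes.setdefault(process, Probe(process))
            hit.wms = True
        else:
            continue
        if action.lower().startswith("key created"):
            hit.created += 1
        if MAPI_ACCOUNT_SUBKEY.lower() in key.lower():
            hit.account_subkey = True

    results = []
    for p in probes.values():
        high = []  # signals a legitimate mail client cannot produce
        bogus = sorted(v for v in p.versions if float(v) > LATEST_REAL_OFFICE)
        if bogus:
            high.append("probed non-existent Office versions " + ", ".join(bogus))
        if p.created:
            high.append(f"created {p.created} profile key(s); a reader never creates them")
        if len(p.versions) >= 3:
            high.append(f"swept {len(p.versions)} Office versions")
        low = []   # suspicious from a non-Outlook image, but seen in some migration tools
        if p.account_subkey:
            low.append("touched MAPI account subkey " + MAPI_ACCOUNT_SUBKEY)
        if p.wms:
            low.append("also walked the legacy Windows Messaging Subsystem profile path")
        reasons = high + low
        if reasons:
            results.append((p.process, "high" if high else "medium", reasons))
    return results


if __name__ == "__main__":
    for process, severity, reasons in score_outlook_probes(EVENTS):
        print(severity, process, *reasons, sep="\n  ")
```

Key the rule on the full image path rather than the file name: here the same behaviour comes from two different images (the dropper in %TEMP% and the Startup-folder copy), and the "Key created" rows come only from the copy, so the dropper alone scores medium and the copy high.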
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\WEqfDb = "C:\\Users\\Admin\\AppData\\Roaming\\WEqfDb\\WEqfDb.exe" | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1648 set thread context of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe |
Enumerates physical storage devices
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | "C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe" |
| C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | "C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe" |
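The behavioral1 trace above shows the whole stealer chain in four rows: the dropper in %TEMP% writes a copy of itself into the Startup folder, sets a Run value pointing into AppData\Roaming, then sets the thread context of a second instance of its own image (PID 1648 on PID 1044), which is why the same DHL_AWB path appears twice in the process list. Same image, different PID, is the RunPE self-hollowing shape used by .NET stealer loaders; a debugger also calls SetThreadContext, but on somebody else's image. The rule set below is an added example, not code from the sandbox or the report: it runs over events constructed by hand from the tables above, and the event schema (`kind`, `process`, `pid`, ...) and tag names are this example's own. The Startup-folder and Run-key rules correspond to ATT&CK T1547.001 and the same-image SetThreadContext rule to T1055.012 (current matrix IDs).

```python
"""Rules over a sandbox-style event stream (added example, not part of the report)."""
import re
from dataclasses import dataclass

# Locations any user can write to. A persistence target or an injector living
# here is the shape of a dropped stealer, not of installed software.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe"
STARTUP_COPY = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                r"\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe")
HIVE = r"\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000"

# Constructed from the behavioral1 signature tables; the schema is this example's.
EVENTS = [
    {"kind": "file_create", "pid": 1648, "process": DROPPER, "path": STARTUP_COPY},
    {"kind": "reg_set", "pid": 1648, "process": DROPPER,
     "key": HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\WEqfDb",
     "value": r"C:\Users\Admin\AppData\Roaming\WEqfDb\WEqfDb.exe"},
    {"kind": "set_thread_context", "pid": 1648, "target_pid": 1044,
     "process": DROPPER, "target": DROPPER},
    {"kind": "process_create", "process": STARTUP_COPY},
]


@dataclass(frozen=True)
class Finding:
    tag: str
    detail: str
    process: str


def _norm(path: str) -> str:
    return path.strip('"').lower()


def detect(events) -> list:
    """Apply the four rules in event order; return one Finding per hit."""
    findings = []
    dropped = set()  # paths written by a monitored process earlier in the stream

    for ev in events:
        proc, kind = ev["process"], ev["kind"]

        if kind == "file_create":
            dropped.add(_norm(ev["path"]))
            if STARTUP_DIR.search(ev["path"]) and USER_WRITABLE.search(proc):
                findings.append(Finding("persistence/startup-folder",
                                        "process in a user-writable directory wrote " + ev["path"], proc))

        elif kind == "reg_set":
            if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["value"]):
                name = ev["key"].rsplit("\\", 1)[-1]
                findings.append(Finding("persistence/run-key",
                                        f"Run value {name} points into the user profile: {ev['value']}", proc))

        elif kind == "set_thread_context":
            # A debugger also calls SetThreadContext, but on a *different* image.
            # Same image plus a different PID is the RunPE / self-hollowing shape.
            if _norm(proc) == _norm(ev["target"]) and ev["pid"] != ev["target_pid"]:
                findings.append(Finding("injection/self-hollowing",
                                        f"PID {ev['pid']} set thread context of PID {ev['target_pid']} "
                                        "running the same image", proc))

        elif kind == "process_create":
            if _norm(proc) in dropped:
                findings.append(Finding("execution/dropped-file",
                                        "started a file written earlier in this trace", proc))

    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.tag}] {f.detail}")
```

The `dropped` set is what turns "Executes dropped EXE" into something a rule can state: a process start is interesting here only because the same trace wrote the file moments earlier, and keying on that link avoids alerting on every binary in a Startup folder.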
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.220.57.224:80 | api.ipify.org | tcp |
Files
memory/1648-54-0x0000000001190000-0x00000000013A4000-memory.dmp
memory/1648-55-0x0000000075F61000-0x0000000075F63000-memory.dmp
memory/1648-56-0x0000000000320000-0x0000000000342000-memory.dmp
\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll
| MD5 | 14ff402962ad21b78ae0b4c43cd1f194 |
| SHA1 | f8a510eb26666e875a5bdd1cadad40602763ad72 |
| SHA256 | fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b |
| SHA512 | daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b |
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe
| MD5 | 8bc40219a7641c3bcf72228173552977 |
| SHA1 | ccd09865e9c7adc458a85b7638b7cd3e6a843d83 |
| SHA256 | 9e4cce1b23e7fdec9ab35c03326a7d3990aef52b7a5bce0d47d28bf8e56cfd6e |
| SHA512 | d6273cd78443faac11ddfe3dbfe3731d0243cd2454227153c71593ad826df4c62d3488da29dc7a527ec5977c54e02d091eec43803f20832de518b9f3069c396e |
memory/968-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe
| MD5 | 8bc40219a7641c3bcf72228173552977 |
| SHA1 | ccd09865e9c7adc458a85b7638b7cd3e6a843d83 |
| SHA256 | 9e4cce1b23e7fdec9ab35c03326a7d3990aef52b7a5bce0d47d28bf8e56cfd6e |
| SHA512 | d6273cd78443faac11ddfe3dbfe3731d0243cd2454227153c71593ad826df4c62d3488da29dc7a527ec5977c54e02d091eec43803f20832de518b9f3069c396e |
memory/968-63-0x0000000001390000-0x0000000001448000-memory.dmp
memory/968-64-0x0000000000C50000-0x0000000000CC8000-memory.dmp
memory/1648-66-0x0000000000D20000-0x0000000000D2A000-memory.dmp
memory/1044-67-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1044-68-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1044-70-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1044-71-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1044-72-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1044-73-0x000000000045445E-mapping.dmp
memory/1044-77-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1044-75-0x0000000000400000-0x000000000045A000-memory.dmp
memory/968-79-0x0000000004CD5000-0x0000000004CE6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2022-05-21 03:22
Reported: 2022-05-21 05:03
Platform: win10v2004-20220414-en
Max time kernel: 121s
Max time network: 158s
Signatures
AgentTesla
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WEqfDb = "C:\\Users\\Admin\\AppData\\Roaming\\WEqfDb\\WEqfDb.exe" | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4776 set thread context of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | "C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe" |
| C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe | "C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe' & exit |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe' |
Network
| Country | Destination | Domain | Proto |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.18.24.243:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| AU | 104.46.162.226:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | mail.specialmetal.ir | udp |
| IR | 5.144.130.34:587 | mail.specialmetal.ir | tcp |
| IR | 5.144.130.34:587 | mail.specialmetal.ir | tcp |
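behavioral2 adds two things behavioral1 did not reach within its kernel time: the exfiltration channel (SMTP submission port 587 at mail.specialmetal.ir, 5.144.130.34) and a clean-up step in which the sample spawns cmd.exe and then powershell.exe to sleep two seconds and delete the Startup-folder copy it had just dropped. Port 587 normally carries STARTTLS, so the mail body is not inspectable on the wire; the usable detection is "an endpoint that is not a mail client talks to a mail submission port at a host we do not run". The rules below are an added example, not part of the report: connection rows are constructed from a subset of both Network tables and the command lines from the behavioral2 process list; the mail-relay allowlist (`smtp.example.com`) and the list of external-IP lookup services are this example's assumptions. The self-delete rule corresponds to ATT&CK T1070.004 (current matrix ID).

```python
"""Network and command-line rules for the exfil and clean-up steps (added example, not from the report)."""
import re
from dataclasses import dataclass

MAIL_PORTS = {25, 465, 587}
MAIL_ALLOWLIST = {"smtp.example.com"}  # assumption: relays the organisation actually runs
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ipinfo.io"}  # assumption
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# "sleep, then delete <file>" handed to PowerShell: the self-clean idiom seen in behavioral2.
SELF_DELETE = re.compile(r"Start-Sleep\b.*?;\s*Remove-Item\s+-path\s+'([^']+)'", re.IGNORECASE)

# Constructed from the report's Network tables: (country, ip, port, proto, domain).
CONNECTIONS = [
    ("US", "8.8.8.8", 53, "udp", "api.ipify.org"),
    ("US", "3.220.57.224", 80, "tcp", "api.ipify.org"),
    ("FR", "2.18.109.224", 443, "tcp", ""),
    ("US", "93.184.221.240", 80, "tcp", ""),
    ("US", "8.8.8.8", 53, "udp", "mail.specialmetal.ir"),
    ("IR", "5.144.130.34", 587, "tcp", "mail.specialmetal.ir"),
    ("IR", "5.144.130.34", 587, "tcp", "mail.specialmetal.ir"),
]
# Constructed from the behavioral2 process list.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe"',
    r'"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path '
    r"'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    r"\MassLoggerBinUPDATEProizvodnja.exe' & exit",
]


@dataclass(frozen=True)
class Finding:
    tag: str
    detail: str


def analyze_network(conns):
    """One finding per (host, port), skipping resolver traffic and repeat connections."""
    findings, seen = [], set()
    for country, ip, port, proto, domain in conns:
        host = domain or ip
        if port == 53 or (host, port) in seen:
            continue
        seen.add((host, port))
        if port in MAIL_PORTS and host not in MAIL_ALLOWLIST:
            findings.append(Finding("exfil/smtp",
                                    f"{host} ({ip}:{port}/{proto}, {country}) is not an approved mail relay"))
        if host in IP_LOOKUP_HOSTS:
            findings.append(Finding("discovery/external-ip", f"{host} ({ip}:{port})"))
    return findings


def analyze_command_lines(cmds):
    """Flag the delayed PowerShell self-delete and say what it removed."""
    findings = []
    for cmd in cmds:
        m = SELF_DELETE.search(cmd)
        if m:
            target = m.group(1)
            where = "Startup folder" if STARTUP_DIR.search(target) else "disk"
            findings.append(Finding("defense-evasion/self-delete",
                                    f"delayed PowerShell removal of {target} from {where}"))
    return findings


def iocs(conns):
    """Domain -> IPs it connected to (DNS rows excluded), ready for a blocklist or a pivot."""
    out = {}
    for _, ip, port, _, domain in conns:
        if domain and port != 53:
            out.setdefault(domain, set()).add(ip)
    return out


if __name__ == "__main__":
    for f in analyze_network(CONNECTIONS) + analyze_command_lines(COMMAND_LINES):
        print(f"[{f.tag}] {f.detail}")
    print(iocs(CONNECTIONS))
```

The self-delete matters for response: by the time anyone looks, the Startup-folder file may be gone and its absence clears nothing. In this trace the longer-lived host artifact is the Run value `WEqfDb` pointing at `C:\Users\Admin\AppData\Roaming\WEqfDb\WEqfDb.exe`; note that the report's Files section does not show that executable being written within the analysis window, so a hunt should look for the registry value, not only the file.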
Files
memory/4776-130-0x0000000000BB0000-0x0000000000DC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll
| MD5 | 14ff402962ad21b78ae0b4c43cd1f194 |
| SHA1 | f8a510eb26666e875a5bdd1cadad40602763ad72 |
| SHA256 | fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b |
| SHA512 | daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b |
memory/4776-132-0x0000000073D40000-0x0000000073DC9000-memory.dmp
memory/4776-133-0x0000000006660000-0x0000000006C04000-memory.dmp
memory/4776-134-0x0000000006190000-0x0000000006222000-memory.dmp
memory/772-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe
| MD5 | 8bc40219a7641c3bcf72228173552977 |
| SHA1 | ccd09865e9c7adc458a85b7638b7cd3e6a843d83 |
| SHA256 | 9e4cce1b23e7fdec9ab35c03326a7d3990aef52b7a5bce0d47d28bf8e56cfd6e |
| SHA512 | d6273cd78443faac11ddfe3dbfe3731d0243cd2454227153c71593ad826df4c62d3488da29dc7a527ec5977c54e02d091eec43803f20832de518b9f3069c396e |
memory/772-138-0x0000000000480000-0x0000000000538000-memory.dmp
memory/772-139-0x0000000004E00000-0x0000000004E9C000-memory.dmp
memory/772-140-0x0000000004FB0000-0x0000000005016000-memory.dmp
memory/1904-141-0x0000000000000000-mapping.dmp
memory/1904-142-0x0000000000400000-0x000000000045A000-memory.dmp
memory/4496-143-0x0000000000000000-mapping.dmp
memory/1876-144-0x0000000000000000-mapping.dmp
memory/1876-145-0x0000000002B80000-0x0000000002BB6000-memory.dmp
memory/1876-146-0x0000000005680000-0x0000000005CA8000-memory.dmp
memory/1876-147-0x00000000053C0000-0x00000000053E2000-memory.dmp
memory/1876-148-0x0000000005560000-0x00000000055C6000-memory.dmp
memory/1876-149-0x00000000064A0000-0x00000000064BE000-memory.dmp
memory/1876-150-0x0000000007D90000-0x000000000840A000-memory.dmp
memory/1876-151-0x00000000069C0000-0x00000000069DA000-memory.dmp
memory/1876-152-0x00000000077B0000-0x0000000007846000-memory.dmp
memory/1876-153-0x0000000006B10000-0x0000000006B32000-memory.dmp
memory/1904-154-0x0000000006900000-0x0000000006950000-memory.dmp
memory/1904-155-0x0000000006BD0000-0x0000000006BDA000-memory.dmp