Analysis Overview
SHA256
c164654ca1dfb82339fc77a71dd10b14f0ae3ee59b3fc0778453da33594b7768
Threat Level: Known bad
The file c164654ca1dfb82339fc77a71dd10b14f0ae3ee59b3fc0778453da33594b7768 was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
MassLogger log file
ReZer0 packer
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 11:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 11:51
Reported
2022-05-21 12:43
Platform
win7-20220414-en
Max time kernel
97s
Max time network
47s
Command Line
Signatures
ReZer0 packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PO 0856.exe
"C:\Users\Admin\AppData\Local\Temp\PO 0856.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swGthhEL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4970.tmp"
C:\Users\Admin\AppData\Local\Temp\PO 0856.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\PO 0856.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\PO 0856.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\PO 0856.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\PO 0856.exe
"{path}"
Network
Files
memory/908-54-0x00000000003E0000-0x00000000004B4000-memory.dmp
memory/908-55-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/908-56-0x0000000006780000-0x0000000006830000-memory.dmp
memory/320-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4970.tmp
| Hash | Value |
|---|---|
| MD5 | 71656eacd4e12e01ea4918af799dc1f8 |
| SHA1 | 5d9e4e574f2286404702a4570b8ec37a478bb579 |
| SHA256 | 4805168eb6b0ae26c05cb05e52eca4890436c8dd9dc69f04ff80abeb39991db4 |
| SHA512 | 123bf3e07f5635d2fe00b804364b13c6b304aceff6241e1acd56681a53e2a5ef8c636f745019e3a116aebf0d850f00e6fa6e8e0541dbe1b7d8cfcbf604964e40 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 11:51
Reported
2022-05-21 12:43
Platform
win10v2004-20220414-en
Max time kernel
183s
Max time network
192s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1140 set thread context of 3788 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PO 0856.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PO 0856.exe
"C:\Users\Admin\AppData\Local\Temp\PO 0856.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swGthhEL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF879.tmp"
C:\Users\Admin\AppData\Local\Temp\PO 0856.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\PO 0856.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 92.123.143.240:80 | | tcp |
| GB | 92.123.143.240:80 | | tcp |
| GB | 92.123.143.240:80 | | tcp |
| US | 20.189.173.10:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
Files
memory/1140-130-0x0000000000B20000-0x0000000000BF4000-memory.dmp
memory/1140-131-0x0000000005540000-0x00000000055DC000-memory.dmp
memory/1140-132-0x0000000005710000-0x00000000057A2000-memory.dmp
memory/1140-133-0x0000000007690000-0x0000000007C34000-memory.dmp
memory/2560-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF879.tmp
| Hash | Value |
|---|---|
| MD5 | 8dc2c47c54c361276076319091a42f90 |
| SHA1 | b4f3697bb6ff23cfd705237af18d396386c94aa1 |
| SHA256 | e68a1a41f49f52d45605f22fcffd0c5a8cca84d071d1df073eb2f747f5c0337b |
| SHA512 | 810532aec29fd9b606d68aa47fb62bc7061c57bcabb8319dab6628975337de0677b568183cb71fe650106593b177bba55e103bed3f237cae637e5882220e1a6b |
memory/3104-136-0x0000000000000000-mapping.dmp
memory/3788-137-0x0000000000000000-mapping.dmp
memory/3788-138-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3788-139-0x00000000055B0000-0x0000000005616000-memory.dmp
memory/3788-140-0x0000000006EE0000-0x0000000006EEA000-memory.dmp
memory/3788-141-0x0000000007000000-0x0000000007050000-memory.dmp