Analysis Overview
SHA256
563c39350c4156354c98d94606e264583ab03712afa53f579859a6b5c45c7230
Threat Level: Known bad
The file 563c39350c4156354c98d94606e264583ab03712afa53f579859a6b5c45c7230 was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Suspicious use of SetThreadContext
Drops file in Windows directory
Checks processor information in registry
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 11:15
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 11:15
Reported
2022-05-21 11:38
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
110s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4788 set thread context of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe | C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe
"C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe"
C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe
"{path}"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 752
Network
| Country | Destination | Domain | Proto |
| US | 104.208.16.89:443 | | tcp |
| NL | 8.238.21.254:80 | | tcp |
| NL | 8.238.21.254:80 | | tcp |
| NL | 8.238.21.254:80 | | tcp |
Files
memory/4788-130-0x0000000074A40000-0x0000000074FF1000-memory.dmp
memory/1712-131-0x0000000000000000-mapping.dmp
memory/1712-132-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2368-133-0x0000000000000000-mapping.dmp
memory/1712-134-0x0000000074A40000-0x0000000074FF1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 11:15
Reported
2022-05-21 11:38
Platform
win7-20220414-en
Max time kernel
42s
Max time network
47s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1008 set thread context of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe | C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe
"C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe"
C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe
"{path}"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 376
Network
Files
memory/1008-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp
memory/1008-55-0x0000000074580000-0x0000000074B2B000-memory.dmp
memory/1960-56-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1960-57-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1960-59-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1960-60-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1960-62-0x00000000004A304E-mapping.dmp
memory/1960-61-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1960-64-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1960-66-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1692-68-0x0000000000000000-mapping.dmp
memory/1960-70-0x0000000074510000-0x0000000074ABB000-memory.dmp
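The two "set thread context" rows above (PID 4788 -> 1712 in behavioral2, PID 1008 -> 1960 in behavioral1), read together with the per-PID dump names in the Files lists, are the evidence for the injection step: the sample starts a second copy of its own image, a fresh 0x400000-0x4A8000 image-base region is dumped from the child, and in behavioral1 a mapping dump at 0x4A304E (the redirected thread context) falls inside that region. Separately, every signature in behavioral2 other than SetThreadContext is attributed to dw20.exe. dw20.exe is the .NET Framework error-reporting shim that the runtime launches with `-x -s <n>` when a managed process dies on an unhandled exception; its registry reads and SeBackup/SeRestore token adjustments are crash-report collection, so crediting them to the sample as capabilities would be a triage mistake. That reading is the editor's interpretation, not something the sandbox states. The Python below is an added example, not part of this report or of any sandbox tooling: it parses the signature tables and dump file names in the layout printed above (embedded here as constructed input copied from the report), correlates each SetThreadContext row with the target PID's dumped regions, and groups the remaining signatures by the process that actually triggered them.

```python
import re
from collections import defaultdict

# Signature rows copied from the two detonations above (behavioral2 PIDs 4788/1712,
# behavioral1 PIDs 1008/1960). Constructed input for this example; the parser only
# relies on the pipe-table layout the report itself uses.
SIGNATURES = r"""
Suspicious use of SetThreadContext
| PID 4788 set thread context of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe | C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe |
| PID 1008 set thread context of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe | C:\Users\Admin\AppData\Local\Temp\Order 3278526429.exe |
Drops file in Windows directory
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Checks processor information in registry
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Enumerates system info in registry
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
"""

# Dump file names from the Files sections (a subset), same constructed-input caveat.
DUMPS = """
memory/4788-130-0x0000000074A40000-0x0000000074FF1000-memory.dmp
memory/1712-131-0x0000000000000000-mapping.dmp
memory/1712-132-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1008-55-0x0000000074580000-0x0000000074B2B000-memory.dmp
memory/1960-56-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1960-62-0x00000000004A304E-mapping.dmp
"""

DUMP_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_signatures(text):
    """Return (signature, description, indicator, process, target) per table row.
    A non-table line names the signature that the rows following it belong to."""
    rows, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("|"):
            current = line
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] != "Description":          # skip a header row if present
            rows.append((current, *cells))
    return rows


def parse_dumps(text):
    """Map PID -> list of (start, end_or_None, kind) parsed from dump file names."""
    regions = defaultdict(list)
    for m in DUMP_RE.finditer(text):
        end = int(m.group(3), 16) if m.group(3) else None
        regions[int(m.group(1))].append((int(m.group(2), 16), end, m.group(4)))
    return regions


def hollowing_evidence(sig_rows, dumps):
    """Correlate each SetThreadContext row with the target PID's dumped regions.

    The pattern behind the SetThreadContext + WriteProcessMemory signatures is
    process hollowing: the parent starts a second copy of its own image, writes a
    new PE over the child's 0x400000 image base, then points the main thread at
    the new entry point. Report (a) whether parent and child share an image,
    (b) whether the child's image-base region was dumped, and (c) whether a
    'mapping' dump address (the rewritten thread context) lies inside it."""
    findings = []
    for _sig, desc, _ind, proc, target in sig_rows:
        m = CTX_RE.search(desc)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        entries = dumps.get(dst, [])
        image = [(s, e) for s, e, k in entries if k == "memory" and s == 0x400000]
        eips = [s for s, _e, k in entries if k == "mapping" and s != 0]
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "same_image": proc == target,
            "image_region_dumped": bool(image),
            "entry_in_image": any(s <= a < e for a in eips for s, e in image),
        })
    return findings


def signatures_by_process(sig_rows):
    """Group signature names by the basename of the triggering process, so that
    signatures raised by a helper such as dw20.exe are not credited to the sample."""
    grouped = defaultdict(set)
    for sig, _d, _i, proc, _t in sig_rows:
        grouped[proc.rsplit("\\", 1)[-1].lower()].add(sig)
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    rows = parse_signatures(SIGNATURES)
    for finding in hollowing_evidence(rows, parse_dumps(DUMPS)):
        print(finding)
    for proc, sigs in signatures_by_process(rows).items():
        print(proc, "->", ", ".join(sigs))
```

Run as-is it prints one finding per SetThreadContext row; only the behavioral1 pair (1008 -> 1960) has the redirected entry point recorded, because the behavioral2 mapping dump for PID 1712 is at address 0, and the per-process grouping leaves the sample itself with SetThreadContext as its only attributed signature. The same split applies when reading any sandbox report: check the Process column before treating a signature as a capability of the payload.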