Analysis Overview
SHA256
02d1bdc78c4558d0b4c573056b3828e82bc4b008832b29a43c66817459fe4bcc
Threat Level: Known bad
The file 02d1bdc78c4558d0b4c573056b3828e82bc4b008832b29a43c66817459fe4bcc was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
MassLogger log file
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
outlook_win_path
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 12:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 12:12
Reported
2022-05-21 12:26
Platform
win7-20220414-en
Max time kernel
84s
Max time network
141s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1684 set thread context of 896 | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 54.91.59.199:80 | api.ipify.org | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 12:12
Reported
2022-05-21 12:27
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
154s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4768 set thread context of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe'
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| GB | 51.104.15.252:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Inquiry List.exe.log
| MD5 | 17573558c4e714f606f997e5157afaac |
| SHA1 | 13e16e9415ceef429aaf124139671ebeca09ed23 |
| SHA256 | c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553 |
| SHA512 | f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc |