Analysis Overview
SHA256
945de800ae672cc44cca74776ec9b3658aaa8dd14d6fef5643f6641a618a92e4
Threat Level: Known bad
The file 945de800ae672cc44cca74776ec9b3658aaa8dd14d6fef5643f6641a618a92e4 was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
MassLogger log file
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 12:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 12:20
Reported
2022-05-21 12:33
Platform
win7-20220414-en
Max time kernel
60s
Max time network
117s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1884 set thread context of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe"
C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe"
C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 12:20
Reported
2022-05-21 12:33
Platform
win10v2004-20220414-en
Max time kernel
90s
Max time network
155s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3920 set thread context of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe"
C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe"
C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe'
Network
| Country | Destination | Domain | Proto |
| GB | 51.104.15.253:443 | N/A | tcp |
| NL | 104.110.191.140:80 | N/A | tcp |
| NL | 104.110.191.133:80 | N/A | tcp |
| NL | 104.110.191.140:80 | N/A | tcp |
Files