D22zyhdi6zFGT56.exe

General

Target:    D22zyhdi6zFGT56.exe
Filesize:  859KB
Completed: 16-06-2020 20:59
Score:     10/10
MD5:       279827a2093074fab8e309b66c6865cd
SHA1:      f0c512393409f227309f56a023b57495892f8941
SHA256:    4cea65512dbdf77377eb95df694165cfdfd47a190efc64c7ebf3947415a8c08b

Malware Config

Extracted

Path:   C:\Users\Admin\AppData\Local\Temp\C8A579F880\Log.txt
Family: masslogger
Ransom Note:

    #################################################################
    MassLogger v1.3.7.1
    #################################################################
    ### Logger Details ###
    User Name: Admin
    IP: 154.61.71.13
    Location: United States
    Windows OS: Microsoft Windows 7 Professional 64bit
    Windows Serial Key: HYF8J-CVRMY-CM74G-RPHKF-PW487
    CPU: Persocon Processor 2.5+
    GPU: Standard VGA Graphics Adapter
    AV: NA
    Screen Resolution: 1280x720
    Current Time: 6/16/2020 10:54:30 PM
    MassLogger Started: 6/16/2020 10:54:23 PM
    Interval: 2 hour
    MassLogger Process: C:\Users\Admin\AppData\Local\Temp\D22zyhdi6zFGT56.exe
    MassLogger Melt: false
    MassLogger Exit after delivery: false
    As Administrator: True
    Processes:
Signatures (11)

Tags: Collection, Credential Access, Persistence
  • Suspicious use of SetWindowsHookEx
    D22zyhdi6zFGT56.exe

    Reported IOCs

    pid   process
    652   D22zyhdi6zFGT56.exe
  • Suspicious behavior: AddClipboardFormatListener
    D22zyhdi6zFGT56.exe

    Reported IOCs

    pid   process
    652   D22zyhdi6zFGT56.exe
  • MassLogger

    Description

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid    process
    1844   schtasks.exe
  • Suspicious use of SetThreadContext
    D22zyhdi6zFGT56.exe

    Reported IOCs

    description                          pid    process               target process
    PID 1492 set thread context of 652   1492   D22zyhdi6zFGT56.exe   D22zyhdi6zFGT56.exe
  • Suspicious use of AdjustPrivilegeToken
    D22zyhdi6zFGT56.exe

    Reported IOCs

    description                pid   process
    Token: SeDebugPrivilege    652   D22zyhdi6zFGT56.exe
  • MassLogger log file

    Description

    Detects a log file produced by MassLogger.

    Reported IOCs

    yara_rule
    masslogger_log_file
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow   ioc
    5      api.ipify.org
  • Suspicious use of WriteProcessMemory
    D22zyhdi6zFGT56.exe

    Reported IOCs

    description                       pid    process               target process
    PID 1492 wrote to memory of 1844  1492   D22zyhdi6zFGT56.exe   schtasks.exe
    PID 1492 wrote to memory of 1844  1492   D22zyhdi6zFGT56.exe   schtasks.exe
    PID 1492 wrote to memory of 1844  1492   D22zyhdi6zFGT56.exe   schtasks.exe
    PID 1492 wrote to memory of 1844  1492   D22zyhdi6zFGT56.exe   schtasks.exe
    PID 1492 wrote to memory of 652   1492   D22zyhdi6zFGT56.exe   D22zyhdi6zFGT56.exe
    PID 1492 wrote to memory of 652   1492   D22zyhdi6zFGT56.exe   D22zyhdi6zFGT56.exe
    PID 1492 wrote to memory of 652   1492   D22zyhdi6zFGT56.exe   D22zyhdi6zFGT56.exe
    PID 1492 wrote to memory of 652   1492   D22zyhdi6zFGT56.exe   D22zyhdi6zFGT56.exe
    PID 1492 wrote to memory of 652   1492   D22zyhdi6zFGT56.exe   D22zyhdi6zFGT56.exe
    PID 1492 wrote to memory of 652   1492   D22zyhdi6zFGT56.exe   D22zyhdi6zFGT56.exe
    PID 1492 wrote to memory of 652   1492   D22zyhdi6zFGT56.exe   D22zyhdi6zFGT56.exe
    PID 1492 wrote to memory of 652   1492   D22zyhdi6zFGT56.exe   D22zyhdi6zFGT56.exe
    PID 1492 wrote to memory of 652   1492   D22zyhdi6zFGT56.exe   D22zyhdi6zFGT56.exe
  • Suspicious behavior: EnumeratesProcesses
    D22zyhdi6zFGT56.exe

    Reported IOCs

    pid   process
    652   D22zyhdi6zFGT56.exe
    652   D22zyhdi6zFGT56.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    Tags

    TTPs

    Data from Local System, Credentials in Files
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\D22zyhdi6zFGT56.exe
    "C:\Users\Admin\AppData\Local\Temp\D22zyhdi6zFGT56.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njrdvsnEGh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF324.tmp"
      Creates scheduled task(s)
      PID:1844
    • C:\Users\Admin\AppData\Local\Temp\D22zyhdi6zFGT56.exe
      "{path}"
      Suspicious use of SetWindowsHookEx
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious behavior: EnumeratesProcesses
      PID:652
Network
MITRE ATT&CK Matrix

Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmpF324.tmp
  • memory/652-3-0x0000000000400000-0x00000000004A8000-memory.dmp
  • memory/652-4-0x0000000000400000-0x00000000004A8000-memory.dmp
  • memory/652-5-0x0000000000400000-0x00000000004A8000-memory.dmp
  • memory/1492-1-0x0000000000000000-0x0000000000000000-disk.dmp