masslogger | 72ceeee6538d869e032d33c4cac0b1e51f34b9e32bf1e17f475b5609ddfe0bf8

General

Target

order9321t.exe
Size

940KB
MD5

397c5bbcc75db8567548322417aa05fd
SHA1

d65b345c5863550cb7c454eedf2de0e16fbd391e
SHA256

72ceeee6538d869e032d33c4cac0b1e51f34b9e32bf1e17f475b5609ddfe0bf8
SHA512

85d71264d951cc6d921b3ae29e716d3e21566daca5bd315d46a9778313573677e5e1feb6339e92c41c2b3256544ec6dc66e49ec7f0ecf9f245500599b74b233b

Score

10^/10

evasion spyware stealer masslogger

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4024-15-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral2/memory/4024-16-0x000000000048195E-mapping.dmp	family_masslogger

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

order9321t.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	order9321t.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	order9321t.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

order9321t.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\International\Geo\Nation	order9321t.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 api.ipify.org

flow	ioc
13	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

order9321t.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	order9321t.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	order9321t.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

order9321t.exe

description pid process target process

PID 3488 set thread context of 4024 3488 order9321t.exe order9321t.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3712 schtasks.exe

description	pid	process	target process
PID 3488 set thread context of 4024	3488	order9321t.exe	order9321t.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

pid	process
3712	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = bbbb7725127dd601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

order9321t.exe

pid process

4024 order9321t.exe

pid	process
4024	order9321t.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

order9321t.exeorder9321t.exe

pid	process
3488	order9321t.exe
3488	order9321t.exe
3488	order9321t.exe
3488	order9321t.exe
3488	order9321t.exe
4024	order9321t.exe
4024	order9321t.exe
4024	order9321t.exe
4024	order9321t.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

svchost.exeorder9321t.exeorder9321t.exe

description	pid	process
Token: SeShutdownPrivilege	636	svchost.exe
Token: SeCreatePagefilePrivilege	636	svchost.exe
Token: SeDebugPrivilege	3488	order9321t.exe
Token: SeDebugPrivilege	4024	order9321t.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

order9321t.exe

pid process

4024 order9321t.exe

pid	process
4024	order9321t.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

order9321t.exe

description	pid	process	target process
PID 3488 wrote to memory of 3712	3488	order9321t.exe	schtasks.exe
PID 3488 wrote to memory of 3712	3488	order9321t.exe	schtasks.exe
PID 3488 wrote to memory of 3712	3488	order9321t.exe	schtasks.exe
PID 3488 wrote to memory of 3932	3488	order9321t.exe	order9321t.exe
PID 3488 wrote to memory of 3932	3488	order9321t.exe	order9321t.exe
PID 3488 wrote to memory of 3932	3488	order9321t.exe	order9321t.exe
PID 3488 wrote to memory of 4024	3488	order9321t.exe	order9321t.exe
PID 3488 wrote to memory of 4024	3488	order9321t.exe	order9321t.exe
PID 3488 wrote to memory of 4024	3488	order9321t.exe	order9321t.exe
PID 3488 wrote to memory of 4024	3488	order9321t.exe	order9321t.exe
PID 3488 wrote to memory of 4024	3488	order9321t.exe	order9321t.exe
PID 3488 wrote to memory of 4024	3488	order9321t.exe	order9321t.exe
PID 3488 wrote to memory of 4024	3488	order9321t.exe	order9321t.exe
PID 3488 wrote to memory of 4024	3488	order9321t.exe	order9321t.exe

C:\Users\Admin\AppData\Local\Temp\order9321t.exe
"C:\Users\Admin\AppData\Local\Temp\order9321t.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YdvIruZxoLuL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7DCC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3712
- C:\Users\Admin\AppData\Local\Temp\order9321t.exe
  "{path}"
  2⤵
  PID:3932
- C:\Users\Admin\AppData\Local\Temp\order9321t.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order9321t.exe.log

MD5
e0719db30447c6fd83480145a75715ea

SHA1
39e88d1fe0dfc853dc12da16c1de24bc74b83d2d

SHA256
077586cb4e41fb7eb88320be1b34179205d7b75d800793eb184850aa43677ec3

SHA512
b28679ad19b322d83a0fa9cdddcb0c147b8c55fbce3195dab1ecf30285e48e7155b5d199c517f152cb2edf041d0ad19b0972456e9281b4d17eda25d5c009fe7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7DCC.tmp

MD5
b67857bdc071ecbf71084b7ddf79950a

SHA1
3382c71f95723ab348c922142ee82d6d39d4b755

SHA256
b6bb33989716bc4625224930d30e28d72ce1149f49241ca892c84fdb762fec31

SHA512
b27629954e45d10da549a8a035195d7984f7235fdb4905795826f56dafa5839560ba133214ce96f47979e7ec5a71db38d0f626fc87804172dd22089995ebd644

Download Submit
memory/3488-9-0x00000000073A0000-0x000000000745F000-memory.dmp

Filesize
764KB

Download
memory/3488-12-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/3488-5-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/3488-6-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/3488-7-0x0000000004DB0000-0x0000000004DB3000-memory.dmp

Filesize
12KB

Download
memory/3488-8-0x0000000006E80000-0x0000000006E81000-memory.dmp

Filesize
4KB

Download
memory/3488-0-0x00000000738A0000-0x0000000073F8E000-memory.dmp

Filesize
6.9MB

Download
memory/3488-10-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/3488-11-0x0000000009B10000-0x0000000009BBF000-memory.dmp

Filesize
700KB

Download
memory/3488-4-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3488-1-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3488-3-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3712-13-0x0000000000000000-mapping.dmp

Download
memory/4024-15-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4024-16-0x000000000048195E-mapping.dmp

Download
memory/4024-18-0x00000000738A0000-0x0000000073F8E000-memory.dmp

Filesize
6.9MB

Download
memory/4024-24-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads