masslogger | 9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4

General

Target

60091743pdf.exe
Size

1.1MB
MD5

c9b3ce0f3c3350621b6df632369a58f8
SHA1

ac29d51d75264cad92760259a8b2a4c358516975
SHA256

9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4
SHA512

96a329657409994e8485ded30d9dce953ee19489ab6242df62a2cade14ea107b328043c7ec7c024c3151370c41a16e12fa3ef3bc5371796d436c723b8a3da690

Score

10^/10

stealer spyware masslogger

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2088-13-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral2/memory/2088-14-0x0000000000481C2E-mapping.dmp	family_masslogger

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

3708 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

60091743pdf.exe

description pid process target process

PID 2920 set thread context of 2088 2920 60091743pdf.exe 60091743pdf.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1800 schtasks.exe

pid	process
3708	powershell.exe

description	pid	process	target process
PID 2920 set thread context of 2088	2920	60091743pdf.exe	60091743pdf.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

pid	process
1800	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 5c15a575927ed601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

60091743pdf.exe60091743pdf.exepowershell.exe

pid process

2920 60091743pdf.exe
2088 60091743pdf.exe
2088 60091743pdf.exe
3708 powershell.exe
3708 powershell.exe
3708 powershell.exe

pid	process
2920	60091743pdf.exe
2088	60091743pdf.exe
2088	60091743pdf.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

svchost.exe60091743pdf.exe60091743pdf.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3752	svchost.exe
Token: SeCreatePagefilePrivilege	3752	svchost.exe
Token: SeDebugPrivilege	2920	60091743pdf.exe
Token: SeDebugPrivilege	2088	60091743pdf.exe
Token: SeDebugPrivilege	3708	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

60091743pdf.exe60091743pdf.exe

description	pid	process	target process
PID 2920 wrote to memory of 1800	2920	60091743pdf.exe	schtasks.exe
PID 2920 wrote to memory of 1800	2920	60091743pdf.exe	schtasks.exe
PID 2920 wrote to memory of 1800	2920	60091743pdf.exe	schtasks.exe
PID 2920 wrote to memory of 2088	2920	60091743pdf.exe	60091743pdf.exe
PID 2920 wrote to memory of 2088	2920	60091743pdf.exe	60091743pdf.exe
PID 2920 wrote to memory of 2088	2920	60091743pdf.exe	60091743pdf.exe
PID 2920 wrote to memory of 2088	2920	60091743pdf.exe	60091743pdf.exe
PID 2920 wrote to memory of 2088	2920	60091743pdf.exe	60091743pdf.exe
PID 2920 wrote to memory of 2088	2920	60091743pdf.exe	60091743pdf.exe
PID 2920 wrote to memory of 2088	2920	60091743pdf.exe	60091743pdf.exe
PID 2920 wrote to memory of 2088	2920	60091743pdf.exe	60091743pdf.exe
PID 2088 wrote to memory of 3708	2088	60091743pdf.exe	powershell.exe
PID 2088 wrote to memory of 3708	2088	60091743pdf.exe	powershell.exe
PID 2088 wrote to memory of 3708	2088	60091743pdf.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe
"C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nwwFxKnJy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD586.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe'
    3⤵
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\60091743pdf.exe.log

MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD586.tmp

MD5
ffa111c889fa261de2b8190f29cb47a9

SHA1
1f3bafceee427d88f26f98e25e93af9891fcd7f2

SHA256
5994cad85552dae3a83d73d2fb7820164e3b65f6e0a20e6d672a1672bfe697d1

SHA512
1dbd698c1dd3c3444cd6d52b2b91b02c9f870380ac34ea5f365cd5e3fa99660ac1d85aee3e64ae5539b2dde769b0cb85ed59bac8f87d1ef2d1d759a4168aabf6

Download Submit
memory/1800-11-0x0000000000000000-mapping.dmp

Download
memory/2088-21-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/2088-16-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/2088-14-0x0000000000481C2E-mapping.dmp

Download
memory/2088-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2920-8-0x0000000005A50000-0x0000000005A5B000-memory.dmp

Filesize
44KB

Download
memory/2920-9-0x0000000006A20000-0x0000000006ADE000-memory.dmp

Filesize
760KB

Download
memory/2920-10-0x0000000006B20000-0x0000000006BB2000-memory.dmp

Filesize
584KB

Download
memory/2920-0-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-7-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2920-6-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2920-5-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/2920-4-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/2920-3-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/2920-1-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/3708-23-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/3708-30-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/3708-24-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/3708-25-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/3708-26-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/3708-27-0x0000000007090000-0x0000000007091000-memory.dmp

Filesize
4KB

Download
memory/3708-29-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/3708-22-0x0000000000000000-mapping.dmp

Download
memory/3708-31-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/3708-32-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/3708-33-0x0000000009800000-0x0000000009801000-memory.dmp

Filesize
4KB

Download
memory/3708-34-0x0000000008D80000-0x0000000008D81000-memory.dmp

Filesize
4KB

Download
memory/3708-35-0x0000000009180000-0x0000000009181000-memory.dmp

Filesize
4KB

Download
memory/3708-36-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads