Analysis

  • max time kernel
    4294183s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    26-03-2022 23:16

General

  • Target

    8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe

  • Size

    440KB

  • MD5

    a3b4d25af01edf5fe34fd6e13a1381e6

  • SHA1

    3a60499205fa92a581d3b6cb232fc8ed8d750088

  • SHA256

    8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f

  • SHA512

    d9269e5c8bbf672ef32e8f74d61bdd3abaa991a74fb092ca5dc7f9a25b8bb7cd0dc09b59b823336edcc9b18d226b9b8e518ac2ca710e2c9bd8ce5452b9ccc5b0

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload (2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles (1 TTP, 35 IoCs)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe (1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (28 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe
    "C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:572
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1356
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:928
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1BCA.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1744
      • C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
        "C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:564
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:960

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1BCA.tmp.bat

    Filesize

    160B

    MD5

    2b51e9fd34777129b4e903f33c074642

    SHA1

    58be10870041c192c43765ae8600e0aee7d11101

    SHA256

    eb76ffe3366d33ecb6a06f004138035782333d909d46c8158e6cbdf4816bc1d0

    SHA512

    ab76eacd54ac01f21946b86088869fdcf0bb6c6d732fc49dd80a59f49e3e2dea5226dd59f4edba098aabbbda11b57b36982c2c38371cd56267a9a471a8dfa224

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    89ac079495743cbbfda0d932adee7bc1

    SHA1

    c4aa6af3ee8a67cd3ed67d34faa9b8b34643f57b

    SHA256

    a4faf8189747309aa8668cce25b3b857ce5f9182c49d01f46fa5f910a303a867

    SHA512

    2458fd46bcf428cef4babc89c7c1451c5dccd23c282764e50a57f1046ba0f9bb00dc0fcdae4e129797bcfd90b31cf83d804c46c95c94b66a206082c142ae9b19

  • C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

    Filesize

    440KB

    MD5

    a3b4d25af01edf5fe34fd6e13a1381e6

    SHA1

    3a60499205fa92a581d3b6cb232fc8ed8d750088

    SHA256

    8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f

    SHA512

    d9269e5c8bbf672ef32e8f74d61bdd3abaa991a74fb092ca5dc7f9a25b8bb7cd0dc09b59b823336edcc9b18d226b9b8e518ac2ca710e2c9bd8ce5452b9ccc5b0

  • \Users\Admin\AppData\Roaming\zygolen\nslookup.exe

    Filesize

    440KB

    MD5

    a3b4d25af01edf5fe34fd6e13a1381e6

    SHA1

    3a60499205fa92a581d3b6cb232fc8ed8d750088

    SHA256

    8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f

    SHA512

    d9269e5c8bbf672ef32e8f74d61bdd3abaa991a74fb092ca5dc7f9a25b8bb7cd0dc09b59b823336edcc9b18d226b9b8e518ac2ca710e2c9bd8ce5452b9ccc5b0

  • memory/564-72-0x00000000013C0000-0x0000000001432000-memory.dmp

    Filesize

    456KB

  • memory/564-78-0x0000000000370000-0x00000000003B0000-memory.dmp

    Filesize

    256KB

  • memory/564-74-0x0000000004B20000-0x0000000004B86000-memory.dmp

    Filesize

    408KB

  • memory/564-73-0x0000000000D70000-0x0000000000DD2000-memory.dmp

    Filesize

    392KB

  • memory/572-65-0x00000000005C5000-0x00000000005D6000-memory.dmp

    Filesize

    68KB

  • memory/572-54-0x0000000000900000-0x0000000000972000-memory.dmp

    Filesize

    456KB

  • memory/572-55-0x0000000000840000-0x00000000008A2000-memory.dmp

    Filesize

    392KB

  • memory/572-56-0x00000000008A0000-0x0000000000906000-memory.dmp

    Filesize

    408KB

  • memory/572-57-0x0000000005B00000-0x0000000005B86000-memory.dmp

    Filesize

    536KB

  • memory/960-79-0x000000006E760000-0x000000006ED0B000-memory.dmp

    Filesize

    5.7MB

  • memory/1356-66-0x0000000073070000-0x000000007361B000-memory.dmp

    Filesize

    5.7MB

  • memory/1356-67-0x00000000001D0000-0x0000000000210000-memory.dmp

    Filesize

    256KB

  • memory/1356-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

    Filesize

    8KB