Analysis
- max time kernel: 4294180s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 26-03-2022 02:47
Static task: static1

Behavioral task: behavioral1
- Sample: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
- Resource: win7-20220311-en

Behavioral task: behavioral2
- Sample: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
- Resource: win10v2004-en-20220113
General
- Target: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
- Size: 821KB
- MD5: 9b5980d4c58ba4d01a977e2b971f132d
- SHA1: 35b68f76bfcd55b845092448e5e02d246e8f1376
- SHA256: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba
- SHA512: 6dc5a02865a563035a07bfb178db224a0c60aeb144da6f3c230f097114c91b67b3ba5ac5f4a9ba7a5672f5ef59c37f3c5c737160c5c058310e68feb2cf8d93a2
Malware Config
Signatures
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger Main Payload (1 IoC)
  resource: behavioral1/memory/1992-60-0x0000000004880000-0x000000000490C000-memory.dmp
  yara_rule: family_masslogger
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation
  Process: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
- Deletes itself (1 IoC)
  pid: 912
  Process: powershell.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 35 IoCs)
  Registry keys under the Outlook profile paths (Office 15.0 through 20.0 and Windows Messaging Subsystem) were created, opened and queried by 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 4
  ioc: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 284 set thread context of 1992
  pid: 284
  Process: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  procid_target: 29
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 1988
  Process: schtasks.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid: 1992
  Process: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid / Process:
  1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  1480  powershell.exe
  912   powershell.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 284
  Process: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege  1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
  Token: SeDebugPrivilege  1480  powershell.exe
  Token: SeDebugPrivilege  912   powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 1992
  Process: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description / pid / Process / procid_target:
  PID 284 wrote to memory of 2008   284   827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   28
  PID 284 wrote to memory of 2008   284   827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   28
  PID 284 wrote to memory of 2008   284   827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   28
  PID 284 wrote to memory of 2008   284   827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   28
  PID 284 wrote to memory of 1992   284   827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   29
  PID 284 wrote to memory of 1992   284   827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   29
  PID 284 wrote to memory of 1992   284   827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   29
  PID 284 wrote to memory of 1992   284   827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   29
  PID 284 wrote to memory of 1992   284   827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   29
  PID 2008 wrote to memory of 1988  2008  cmd.exe   30
  PID 2008 wrote to memory of 1988  2008  cmd.exe   30
  PID 2008 wrote to memory of 1988  2008  cmd.exe   30
  PID 2008 wrote to memory of 1988  2008  cmd.exe   30
  PID 1992 wrote to memory of 1480  1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   32
  PID 1992 wrote to memory of 1480  1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   32
  PID 1992 wrote to memory of 1480  1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   32
  PID 1992 wrote to memory of 1480  1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   32
  PID 1992 wrote to memory of 912   1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   34
  PID 1992 wrote to memory of 912   1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   34
  PID 1992 wrote to memory of 912   1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   34
  PID 1992 wrote to memory of 912   1992  827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe   34
- outlook_office_path (1 IoC)
  description: Key queried
  ioc: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Process: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
- outlook_win_path (1 IoC)
  description: Key queried
  ioc: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Process: 827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe (PID 284, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Process: C:\Windows\SysWOW64\cmd.exe (PID 2008, depth 2)
    Command line: cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Process: C:\Windows\SysWOW64\schtasks.exe (PID 1988, depth 3)
      Command line: schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml"
      Signatures:
      - Creates scheduled task(s)
  - Process: C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe (PID 1992, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe"
    Signatures:
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1480, depth 3)
      Command line: "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe'
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 912, depth 3)
      Command line: "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\827e8e185e6dbd858403ee9230186e8c9ac081508e1eaa6a3e0b4c87b1c925ba.exe'
      Signatures:
      - Deletes itself
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken