Analysis

max time kernel: 4294179s
max time network: 149s
platform: windows7_x64
resource: win7-20220311-en
submitted: 26-03-2022 05:47
Static task: static1

Behavioral task: behavioral1
  Sample: 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
  Resource: win7-20220311-en

Behavioral task: behavioral2
  Sample: 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
  Resource: win10v2004-en-20220113
General

Target: 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Size: 1.2MB
MD5: f59e76fec35f01ad7f96b7f745eb1876
SHA1: 7bf2cacf634758d1106d75719577064e6546d7b7
SHA256: 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3
SHA512: 409fd7d9a5a6b87be9b14f38c391057d918fd8f79cfe2ed9ed0238d9cdc39c8fca2b6b3868835bc0c914c2e43692b79da13af3bdf27748dfbbc4c2132d7c4573
Malware Config

Extracted
  Protocol: smtp
  Host: mail.turkaykalibrasyon.com
  Port: 587
  Username: [email protected]
  Password: Cc_8A46
Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main Payload (1 IoCs)
resource                                                                    | yara_rule
behavioral1/memory/592-61-0x0000000002210000-0x0000000002296000-memory.dmp  | family_masslogger

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description       | ioc                                                                                                  | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 35 IoCs)
description | ioc | Process
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key opened  | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key opened  | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key opened  | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key opened  | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key opened  | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key opened  | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key opened  | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4    | api.ipify.org

Suspicious use of SetThreadContext (1 IoCs)
description                           | pid | Process                                                              | procid_target
PID 296 set thread context of 592     | 296 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 29

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  | Process
1576 | schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
592 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid  | Process
592  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
592  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
592  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
592  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
1488 | powershell.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
296 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description             | pid  | Process
Token: SeDebugPrivilege | 592  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Token: SeDebugPrivilege | 1488 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
592 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description                      | pid  | Process                                                              | procid_target
PID 296 wrote to memory of 1076  | 296  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 27
PID 296 wrote to memory of 1076  | 296  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 27
PID 296 wrote to memory of 1076  | 296  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 27
PID 296 wrote to memory of 1076  | 296  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 27
PID 296 wrote to memory of 592   | 296  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 29
PID 296 wrote to memory of 592   | 296  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 29
PID 296 wrote to memory of 592   | 296  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 29
PID 296 wrote to memory of 592   | 296  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 29
PID 296 wrote to memory of 592   | 296  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 29
PID 1076 wrote to memory of 1576 | 1076 | cmd.exe                                                              | 30
PID 1076 wrote to memory of 1576 | 1076 | cmd.exe                                                              | 30
PID 1076 wrote to memory of 1576 | 1076 | cmd.exe                                                              | 30
PID 1076 wrote to memory of 1576 | 1076 | cmd.exe                                                              | 30
PID 592 wrote to memory of 1488  | 592  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 34
PID 592 wrote to memory of 1488  | 592  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 34
PID 592 wrote to memory of 1488  | 592  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 34
PID 592 wrote to memory of 1488  | 592  | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe | 34

outlook_office_path (1 IoCs)
description | ioc | Process
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
Processes

C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"
  PID: 296
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
    PID: 1076
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
      PID: 1576
      - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe"
    PID: 592
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9ddb0e06b87cf5674f6f9a36de72f61487683d5bea023d9894b13a15ae14dcb3.exe'
      PID: 1488
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken