Analysis

  • max time kernel
    4294180s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    26-03-2022 08:46

General

  • Target

    805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe

  • Size

    831KB

  • MD5

    4a12053ca1064f8b6e00112a0ba82847

  • SHA1

    5d376b0314575c2d30f38ce6d3e3cc05f584daa2

  • SHA256

    805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4

  • SHA512

    7db505c09c41578e5ced3129266608804fd13cdfb4c48f17d461be73d8a69fafc2c87daf82a3d3ba0832211793e76ac1d5be5237fb3b0e461514f64261e40ec1

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe
    "C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\73e9eb5fb3c345c4ac116502bcc76332.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\73e9eb5fb3c345c4ac116502bcc76332.xml"
        3⤵
        • Creates scheduled task(s)
        PID:524
    • C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe
      "C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:712

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\73e9eb5fb3c345c4ac116502bcc76332.xml

    Filesize

    1KB

    MD5

    de0568b191c83304806f799becda4ebb

    SHA1

    fa173d7dbcfbff032aed5c0c78f2e77758acfbac

    SHA256

    5a76e8ae2a68014deae6999886f074625e6397692d1578697c76e47a2ba2f442

    SHA512

    1190c6ec33d231d18f52cad4e5ed234f8670fad22acb05292c5cd9dc9a96d3f7cbc6d6dbdca8bf18f9852aff3b0c1a04721f82d7f43133ae66f8c8680f80eb5d

  • memory/712-57-0x0000000076AC1000-0x0000000076AC3000-memory.dmp

    Filesize

    8KB

  • memory/712-59-0x0000000000C60000-0x0000000000CEC000-memory.dmp

    Filesize

    560KB

  • memory/712-60-0x0000000004989000-0x000000000499A000-memory.dmp

    Filesize

    68KB