Analysis

  • max time kernel
    4294180s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    26-03-2022 11:32

General

  • Target

    575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe

  • Size

    830KB

  • MD5

    939f26c3678098a40fcea9a4302a70d9

  • SHA1

    e2a8bebb901dbda91d672302d177510e813645de

  • SHA256

    575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2

  • SHA512

    995365a65c753ec603e47950a040fa41baefc0dd1aafe3b34bb0dfcb01687d6d66ad2aa3b1958d6fa65063ba2e7cd868cea4869351297ac8532629e8d0c5eee1

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely a geofence check to avoid running in certain regions.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
    "C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:784
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
        3⤵
        • Creates scheduled task(s)
        PID:1948
    • C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
      "C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1340
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1724
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe'
        3⤵
        • Deletes itself
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:864
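
The process tree above is a compact sequence of detectable behaviours: the sample re-launches itself (PID 1180 spawns PID 1340 with the same image, alongside SetThreadContext/MapViewOfSection/WriteProcessMemory, the process-hollowing pattern), registers a scheduled task from an XML file in the user's Temp directory, adds a Windows Defender exclusion for its own path with Add-MpPreference, and finally deletes itself after a short Start-Sleep. The following is an added example written for this page, not code from the sandbox or from the report: it runs simple behavioural rules over process-creation events. The events are constructed from the report's command lines plus a few benign controls, and the rule names and the user-writable-directory pattern are my own assumptions.

```python
"""Behaviour-based triage of process-creation events.

Added example (not part of the sandbox report): the events below are
constructed from the command lines in the process tree above, plus benign
controls, so the rules can be exercised offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged (e.g. Sysmon Event ID 1)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Paths taken from the report's process tree.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + r"\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"
TASK_XML = TEMP + r"\3d5b5cf62fb348a1997d8acab32e4735.xml"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events: PIDs 1180/784/1948/1340/1724/864 mirror the report's tree;
# PIDs 2000-2002 are benign controls that must not alert.
EVENTS = [
    ProcEvent(1180, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(784, 1180, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd /c schtasks /Create /TN name /XML "{TASK_XML}"'),
    ProcEvent(1948, 784, r"C:\Windows\SysWOW64\schtasks.exe",
              f'schtasks /Create /TN name /XML "{TASK_XML}"'),
    ProcEvent(1340, 1180, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1724, 1340, PS, f"\"powershell\" Add-MpPreference -ExclusionPath '{SAMPLE_PATH}'"),
    ProcEvent(864, 1340, PS,
              f"\"powershell\" Start-Sleep -Seconds 2; Remove-Item -path '{SAMPLE_PATH}'"),
    ProcEvent(2000, 1000, PS, '"powershell" Get-ChildItem C:\\Users\\Admin\\Documents'),
    ProcEvent(2001, 1000, r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
    ProcEvent(2002, 2001, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              "firefox.exe -contentproc"),
]

# Directories an unprivileged user can write to (assumed list); binaries and
# task XML living here are suspect.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp)\\", re.I)


def arg_after(cmdline: str, flag: str) -> str | None:
    """Return the token following `flag` (case-insensitive), quotes removed."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == flag.lower():
            return tokens[i + 1].strip('"')
    return None


def triage(events: list[ProcEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}
    out: list[Finding] = []
    for e in events:
        img, low = e.image.lower(), e.cmdline.lower()
        parent = by_pid.get(e.ppid)

        # Persistence: scheduled task registered from an XML file in a user-writable directory.
        if img.endswith("\\schtasks.exe") and "/create" in low and "/xml" in low:
            xml = arg_after(e.cmdline, "/XML")
            if xml and USER_WRITABLE.match(xml):
                out.append(Finding("persistence.schtasks_xml_user_dir", e.pid, xml))

        if img.endswith("\\powershell.exe"):
            # Defense evasion: adding a Defender exclusion (path, process or extension).
            if "add-mppreference" in low and "-exclusion" in low:
                out.append(Finding("defense_evasion.defender_exclusion", e.pid, e.cmdline))
            # Anti-forensics: PowerShell deleting its own parent's executable.
            if "remove-item" in low and parent and parent.image.lower() in low:
                out.append(Finding("defense_evasion.parent_self_delete", e.pid, parent.image))

        # Injection candidate: a binary in a user-writable directory re-launching itself
        # (combined with SetThreadContext/WriteProcessMemory this is the hollowing pattern).
        if parent and parent.image.lower() == img and USER_WRITABLE.match(e.image):
            out.append(Finding("injection.self_spawn_user_dir", e.pid, e.image))
    return out


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule:40} pid={f.pid:<5} {f.detail}")
```

Run against the constructed events, the four suspicious processes (1948, 1340, 1724, 864) each produce exactly one finding and the controls produce none. The self-spawn rule is deliberately restricted to user-writable directories because browsers and other legitimate software also spawn copies of themselves; the Defender-exclusion rule, by contrast, is worth alerting on regardless of parent, since adding an exclusion from an unattended PowerShell is rarely legitimate outside of deployment tooling.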

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml

    Filesize

    1KB

    MD5

    de0568b191c83304806f799becda4ebb

    SHA1

    fa173d7dbcfbff032aed5c0c78f2e77758acfbac

    SHA256

    5a76e8ae2a68014deae6999886f074625e6397692d1578697c76e47a2ba2f442

    SHA512

    1190c6ec33d231d18f52cad4e5ed234f8670fad22acb05292c5cd9dc9a96d3f7cbc6d6dbdca8bf18f9852aff3b0c1a04721f82d7f43133ae66f8c8680f80eb5d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    3bb07001b62f6ad492cbc71abac3736c

    SHA1

    9790625d2fad12c074bb23e3dd63040fbafe6f0d

    SHA256

    c72a068c8551b235f0fe4cd51955c2a3c1c4d6c3e8d99a29b44a28ce88130ecc

    SHA512

    5a079dfe37d7accc9f3d460ee54d3d1adaa57fc76137db8ff6b798ea740eee47d2b147dce1b0f6445204be1b022fd2e7e2c8136e421c2500980cbe4172788a40

  • memory/864-71-0x000000006F610000-0x000000006FBBB000-memory.dmp

    Filesize

    5.7MB

  • memory/1180-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

    Filesize

    8KB

  • memory/1340-60-0x0000000000710000-0x000000000079C000-memory.dmp

    Filesize

    560KB

  • memory/1340-63-0x0000000005010000-0x000000000504E000-memory.dmp

    Filesize

    248KB

  • memory/1340-64-0x0000000006490000-0x0000000006520000-memory.dmp

    Filesize

    576KB

  • memory/1340-65-0x0000000000FD9000-0x0000000000FEA000-memory.dmp

    Filesize

    68KB

  • memory/1724-67-0x00000000023E0000-0x000000000302A000-memory.dmp

    Filesize

    12.3MB

  • memory/1724-66-0x000000006F610000-0x000000006FBBB000-memory.dmp

    Filesize

    5.7MB