Analysis
max time kernel: 4294180s
max time network: 156s
platform: windows7_x64
resource: win7-20220311-en
submitted: 26-03-2022 11:32
Static task: static1
Behavioral task: behavioral1
  Sample: 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
  Resource: win10v2004-en-20220113
General
Target: 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Size: 830KB
MD5: 939f26c3678098a40fcea9a4302a70d9
SHA1: e2a8bebb901dbda91d672302d177510e813645de
SHA256: 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2
SHA512: 995365a65c753ec603e47950a040fa41baefc0dd1aafe3b34bb0dfcb01687d6d66ad2aa3b1958d6fa65063ba2e7cd868cea4869351297ac8532629e8d0c5eee1
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 1 IoCs
resource | yara_rule
behavioral1/memory/1340-60-0x0000000000710000-0x000000000079C000-memory.dmp | family_masslogger
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
-
Deletes itself 1 IoCs
pid | Process
864 | powershell.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
description | ioc | Process
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1180 set thread context of 1340 | 1180 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 29
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1948 | schtasks.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid | Process
1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
1724 | powershell.exe
864 | powershell.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
1180 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Token: SeDebugPrivilege | 1724 | powershell.exe
Token: SeDebugPrivilege | 864 | powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 1180 wrote to memory of 784 | 1180 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 28
PID 1180 wrote to memory of 784 | 1180 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 28
PID 1180 wrote to memory of 784 | 1180 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 28
PID 1180 wrote to memory of 784 | 1180 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 28
PID 1180 wrote to memory of 1340 | 1180 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 29
PID 1180 wrote to memory of 1340 | 1180 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 29
PID 1180 wrote to memory of 1340 | 1180 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 29
PID 1180 wrote to memory of 1340 | 1180 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 29
PID 1180 wrote to memory of 1340 | 1180 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 29
PID 784 wrote to memory of 1948 | 784 | cmd.exe | 30
PID 784 wrote to memory of 1948 | 784 | cmd.exe | 30
PID 784 wrote to memory of 1948 | 784 | cmd.exe | 30
PID 784 wrote to memory of 1948 | 784 | cmd.exe | 30
PID 1340 wrote to memory of 1724 | 1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 34
PID 1340 wrote to memory of 1724 | 1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 34
PID 1340 wrote to memory of 1724 | 1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 34
PID 1340 wrote to memory of 1724 | 1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 34
PID 1340 wrote to memory of 864 | 1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 36
PID 1340 wrote to memory of 864 | 1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 36
PID 1340 wrote to memory of 864 | 1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 36
PID 1340 wrote to memory of 864 | 1340 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe | 36
-
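The "wrote to memory" rows above are mostly the ordinary writes a parent performs into every child it spawns (1180 into cmd.exe, cmd.exe into schtasks.exe, 1340 into both powershell.exe instances), so on their own they are noise. The row worth correlating is the single "set thread context" event: 1180 both wrote into 1340 and then set its thread context, and 1340 runs the same image as 1180, which is the hollowing of a second copy of itself that the MassLogger payload was later dumped from. The following Python is an added example, not part of the sandbox report, that performs that correlation over events constructed from the PIDs and image names in the report; the event field names and the `self_image` label are mine.

```python
"""Correlate sandbox API events into a self-injection (process hollowing) indicator.

Added example, not from the sandbox report. A parent that writes into a
child AND then sets that child's thread context is the hollowing sequence;
a parent that only writes into a child it just started is normal process
creation. Events below are constructed from the report's PID table.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"

# Image name per PID, taken from the report's process tree.
IMAGES = {
    1180: SAMPLE, 784: "cmd.exe", 1948: "schtasks.exe",
    1340: SAMPLE, 1724: "powershell.exe", 864: "powershell.exe",
}


@dataclass(frozen=True)
class ApiEvent:
    api: str         # "WriteProcessMemory" or "SetThreadContext"
    pid: int         # acting process
    target_pid: int  # process acted upon


# Constructed event list. The report repeats each "wrote to memory" row
# several times; only the (pid, target) pairing matters for this check, so
# the repeats are collapsed.
EVENTS = [
    ApiEvent("WriteProcessMemory", 1180, 784),
    ApiEvent("WriteProcessMemory", 1180, 1340),
    ApiEvent("SetThreadContext", 1180, 1340),
    ApiEvent("WriteProcessMemory", 784, 1948),
    ApiEvent("WriteProcessMemory", 1340, 1724),
    ApiEvent("WriteProcessMemory", 1340, 864),
]


def find_injection(events, images):
    """Return {(injector_pid, target_pid): details} for every injector that
    both wrote memory into and set the thread context of the same target.

    details["self_image"] is True when the target runs the injector's own
    image, i.e. the sample hollowed a second copy of itself.
    """
    wrote = defaultdict(set)
    ctx_pairs = []
    for e in events:
        if e.api == "WriteProcessMemory":
            wrote[e.pid].add(e.target_pid)
        elif e.api == "SetThreadContext":
            ctx_pairs.append((e.pid, e.target_pid))

    hits = {}
    for pid, target in ctx_pairs:
        if target in wrote[pid]:
            hits[(pid, target)] = {
                "injector_image": images.get(pid),
                "target_image": images.get(target),
                "self_image": images.get(pid) == images.get(target),
            }
    return hits


if __name__ == "__main__":
    for (pid, target), d in find_injection(EVENTS, IMAGES).items():
        kind = "hollowed copy of itself" if d["self_image"] else "injected into another image"
        print(f"{pid} ({d['injector_image']}) -> {target} ({d['target_image']}): {kind}")
```

Running it reports only 1180 -> 1340; the writes into cmd.exe, schtasks.exe and powershell.exe produce nothing because no thread-context change follows them. The memory region named in the MassLogger YARA hit (1340-60-0x710000-0x79C000) is the dump of that hollowed child, which is where to look for the unpacked payload.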
outlook_office_path 1 IoCs
description | ioc | Process
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
-
outlook_win_path 1 IoCs
description | ioc | Process
Key queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"
  PID: 1180
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command: cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
    PID: 784
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      Command: schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3d5b5cf62fb348a1997d8acab32e4735.xml"
      PID: 1948
      - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"
    PID: 1340
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command: "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe'
      PID: 1724
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command: "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe'
      PID: 864
      - Deletes itself
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
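The process tree shows three command lines that are each a strong detection on their own once process-creation telemetry (Sysmon Event ID 1 or Windows 4688 with command-line logging) is available: a Defender exclusion added for the sample's own path, a delayed Remove-Item of the parent's own image, and schtasks importing a task definition from the user's Temp directory. The following Python is an added example, not part of the sandbox report, that runs those three rules over process records constructed from the tree above. The record shape, rule names and severity heuristic are mine; the -ExclusionPath, -ExclusionProcess, -ExclusionExtension and -ExclusionIpAddress names are the real Add-MpPreference parameters.

```python
"""Flag Defender-exclusion, self-deletion and schtasks-from-Temp command lines.

Added example, not code from the sandbox report. Input records carry
pid / ppid / image / cmdline, the minimum that Sysmon Event ID 1 or a 4688
event with command-line auditing provides. Records are constructed from the
report's process tree; command lines are copied verbatim.
"""
import re

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\575ceb882f19bc136874018d14e3b8222741098dfb7fc3012d1248bf7293e2e2.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
XML = TMP + r"\3d5b5cf62fb348a1997d8acab32e4735.xml"

# Constructed from the report's process tree (ppid 0 = parent not recorded).
PROCESSES = [
    {"pid": 1180, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 784, "ppid": 1180, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd /c schtasks /Create /TN name /XML "{XML}"'},
    {"pid": 1948, "ppid": 784, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": f'schtasks /Create /TN name /XML "{XML}"'},
    {"pid": 1340, "ppid": 1180, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1724, "ppid": 1340, "image": PS,
     "cmdline": f"\"powershell\" Add-MpPreference -ExclusionPath '{SAMPLE}'"},
    {"pid": 864, "ppid": 1340, "image": PS,
     "cmdline": f"\"powershell\" Start-Sleep -Seconds 2; Remove-Item -path '{SAMPLE}'"},
]

# Anything under a user profile's AppData is writable without admin rights.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# Real Add-MpPreference exclusion parameters; each one blinds Defender to something.
MP_EXCLUSION = re.compile(
    r"""Add-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+['"]?([^'"]+)""", re.I)
REMOVE_ITEM = re.compile(r"""Remove-Item\b[^'"]*['"]([^'"]+)['"]""", re.I)
SCHTASKS_XML = re.compile(r'schtasks\b.*?/Create\b.*?/XML\s+"?([^"]+?\.xml)"?', re.I)


def _norm(path):
    return path.strip().strip("'\"").lower()


def detect(processes):
    """Return [(rule, pid, detail)] in process order."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        cmd = p["cmdline"]
        parent = by_pid.get(p["ppid"])
        parent_img = _norm(parent["image"]) if parent else ""

        m = MP_EXCLUSION.search(cmd)
        if m:
            kind, target = m.group(1), m.group(2)
            # Heuristic (mine): excluding the parent's own binary or a
            # user-writable path is the self-protection pattern; anything
            # else is still worth a look but may be an admin's change.
            sev = "high" if _norm(target) == parent_img or USER_WRITABLE.search(target) else "medium"
            findings.append(("defender_exclusion", p["pid"], f"{sev}: -Exclusion{kind} {target}"))

        m = REMOVE_ITEM.search(cmd)
        if m and _norm(m.group(1)) == parent_img:
            findings.append(("self_delete_via_child", p["pid"],
                             f"deletes parent {p['ppid']} image {m.group(1)}"))

        m = SCHTASKS_XML.search(cmd)
        if m and "schtasks" in _norm(p["image"]) and USER_WRITABLE.search(m.group(1)):
            findings.append(("schtasks_xml_from_user_dir", p["pid"], m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCESSES):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

The self-delete rule keys on the parent relationship rather than on Remove-Item alone: a PowerShell child removing a file is routine, a child removing the image its parent is running from is not. The Start-Sleep before Remove-Item is what lets the parent exit and release its image file before the delete runs, so a Start-Sleep followed by Remove-Item in one command line is itself a usable weaker indicator. The cmd.exe wrapper around schtasks is deliberately not flagged, since the schtasks.exe child carries the same command line and firing once per chain keeps the alert count honest.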
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 1KB
MD5: de0568b191c83304806f799becda4ebb
SHA1: fa173d7dbcfbff032aed5c0c78f2e77758acfbac
SHA256: 5a76e8ae2a68014deae6999886f074625e6397692d1578697c76e47a2ba2f442
SHA512: 1190c6ec33d231d18f52cad4e5ed234f8670fad22acb05292c5cd9dc9a96d3f7cbc6d6dbdca8bf18f9852aff3b0c1a04721f82d7f43133ae66f8c8680f80eb5d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 3bb07001b62f6ad492cbc71abac3736c
SHA1: 9790625d2fad12c074bb23e3dd63040fbafe6f0d
SHA256: c72a068c8551b235f0fe4cd51955c2a3c1c4d6c3e8d99a29b44a28ce88130ecc
SHA512: 5a079dfe37d7accc9f3d460ee54d3d1adaa57fc76137db8ff6b798ea740eee47d2b147dce1b0f6445204be1b022fd2e7e2c8136e421c2500980cbe4172788a40