Analysis

  • max time kernel
    142s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    26-03-2022 14:01

General

  • Target

    56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe

  • Size

    1.1MB

  • MD5

    6830019535eeca9c9fb9a28349c71ab8

  • SHA1

    d256790b9bf99acdc5fe3fe97dda339a7ff6e502

  • SHA256

    56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9

  • SHA512

    037e965770681b5a89577b72d2ebbeac1bd6b84ca98576228676dd328bbaa80262544532355db101be29fb8a6ef88a632180323d68973057f282e94e8182589d

Signatures

  • MassLogger

    MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour, but drive enumeration is just as common in infostealers collecting files to exfiltrate; taken with the other signatures on this page it is not evidence of ransomware.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
    "C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
      "C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"
      2⤵
        PID:4720
      • C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
        "C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"
        2⤵
          PID:4736
        • C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
          "C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"
          2⤵
          • Checks computer location settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4708
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe'
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2620
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn src.exe /tr '"C:\Users\Admin\AppData\Local\Temp\sre\src.exe"' & exit
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3016
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn src.exe /tr '"C:\Users\Admin\AppData\Local\Temp\sre\src.exe"'
              4⤵
              • Creates scheduled task(s)
              PID:4588
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6980.tmp.bat""
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3040
            • C:\Windows\SysWOW64\timeout.exe
              timeout 3
              4⤵
              • Delays execution with timeout.exe
              PID:3140
            • C:\Users\Admin\AppData\Local\Temp\sre\src.exe
              "C:\Users\Admin\AppData\Local\Temp\sre\src.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4444
              • C:\Users\Admin\AppData\Local\Temp\sre\src.exe
                "C:\Users\Admin\AppData\Local\Temp\sre\src.exe"
                5⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Accesses Microsoft Outlook profiles
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                • outlook_office_path
                • outlook_win_path
                PID:728
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sre\src.exe'
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2068
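
The process tree above contains the three behaviours a detection engineer would want rules for: a PowerShell `Add-MpPreference -ExclusionPath` call that whitelists the binary in Defender, a `schtasks /create /sc onlogon /rl highest` task whose action points at a user-writable Temp directory, and a sample that spawns fresh copies of its own image (the parent carries the SetThreadContext and WriteProcessMemory flags). The following is an added example, not part of the sandbox report: the events are constructed from the command lines on this page (the top-level sample's parent pid 1000 is a placeholder, since the report does not show its launcher), the rule names and the MITRE references in the comments are the editor's, and the field layout is the one any process-creation telemetry (Sysmon Event ID 1, Windows 4688) provides.

```python
"""Detection logic for the behaviours in the process tree above.

Added example, not part of the sandbox report. EVENTS is constructed from
the command lines on this page; the ppid of the top-level sample (1000) is a
placeholder, since the report does not show its launcher.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\sre\src.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS_ARGS = ("schtasks /create /f /sc onlogon /rl highest /tn src.exe "
                 "/tr '\"" + DROPPED + "\"'")

# Constructed from the page's process tree; command lines copied verbatim.
EVENTS = [
    ProcEvent(1752, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(4720, 1752, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(4736, 1752, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(4708, 1752, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2620, 4708, PS, '"powershell" Add-MpPreference -ExclusionPath \'' + SAMPLE + "'"),
    ProcEvent(3016, 4708, CMD, '"C:\\Windows\\System32\\cmd.exe" /c ' + SCHTASKS_ARGS + " & exit"),
    ProcEvent(4588, 3016, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_ARGS),
    ProcEvent(3040, 4708, CMD,
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6980.tmp.bat""'),
    ProcEvent(3140, 3040, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(4444, 3040, DROPPED, '"' + DROPPED + '"'),
    ProcEvent(728, 4444, DROPPED, '"' + DROPPED + '"'),
    ProcEvent(2068, 728, PS, '"powershell" Add-MpPreference -ExclusionPath \'' + DROPPED + "'"),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
EXCLUSION_RE = re.compile(r"-ExclusionPath\s+'([^']+)'", re.I)
TASK_TARGET_RE = re.compile(r"/tr\s+'\"?([^'\"]+)\"?'", re.I)
TMP_BAT_RE = re.compile(r"\\Temp\\tmp[0-9a-f]+\.tmp\.bat", re.I)


def image_is(ev, name):
    return ev.image.lower().endswith("\\" + name)


def rule_defender_exclusion(ev):
    """Defender exclusion added from the command line (T1562.001)."""
    cl = ev.cmdline.lower()
    return image_is(ev, "powershell.exe") and "add-mppreference" in cl and "-exclusionpath" in cl


def rule_logon_task(ev):
    """Logon task at highest run level whose action lives under a user-writable path (T1053.005)."""
    cl = ev.cmdline.lower()
    return (image_is(ev, "schtasks.exe") and "/create" in cl
            and "/sc onlogon" in cl and "/rl highest" in cl
            and USER_WRITABLE.search(ev.cmdline) is not None)


def rule_tmp_bat(ev):
    """cmd.exe executing a throwaway tmpXXXX.tmp.bat from Temp (the delay-then-run staging seen above)."""
    return image_is(ev, "cmd.exe") and TMP_BAT_RE.search(ev.cmdline) is not None


def rule_self_spawn(ev, by_pid):
    """Child launched from the same image as its parent: the usual prelude to writing into a fresh copy of oneself."""
    parent = by_pid.get(ev.ppid)
    return parent is not None and parent.image.lower() == ev.image.lower()


def analyze(events):
    """Return (rule, pid, detail) triples; detail is the exclusion path, task action or image where one applies."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if rule_defender_exclusion(ev):
            m = EXCLUSION_RE.search(ev.cmdline)
            findings.append(("defender_exclusion", ev.pid, m.group(1) if m else None))
        if rule_logon_task(ev):
            m = TASK_TARGET_RE.search(ev.cmdline)
            findings.append(("logon_task_user_writable", ev.pid, m.group(1) if m else None))
        if rule_tmp_bat(ev):
            findings.append(("cmd_runs_tmp_bat", ev.pid, None))
        if rule_self_spawn(ev, by_pid):
            findings.append(("self_spawn_same_image", ev.pid, ev.image))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in analyze(EVENTS):
        print(f"{kind:26} pid={pid:<5} {detail or ''}")
```

The exclusion rule is deliberately keyed on the command line rather than on the PowerShell image alone, because the same cmdlet can be reached through `pwsh.exe` or an encoded command; the path it extracts is also the first thing to remove during response (the task target and the exclusion path are the two artefacts that survive a reboot here). The self-spawn rule on its own is noisy for installers and browsers, so it is best used to raise the score of the other findings in the same tree rather than as a standalone alert.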

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe.log

        Filesize

        1KB

        MD5

        17573558c4e714f606f997e5157afaac

        SHA1

        13e16e9415ceef429aaf124139671ebeca09ed23

        SHA256

        c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

        SHA512

        f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        3d086a433708053f9bf9523e1d87a4e8

        SHA1

        b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

        SHA256

        6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

        SHA512

        931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\src.exe.log

        Filesize

        1KB

        MD5

        17573558c4e714f606f997e5157afaac

        SHA1

        13e16e9415ceef429aaf124139671ebeca09ed23

        SHA256

        c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

        SHA512

        f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        18KB

        MD5

        d32cdaea3f61bc05ebb8e8a2bb4482f8

        SHA1

        4c51cb7429e4edd073aa1148535b44eaa4a82b31

        SHA256

        eea8db918dafa24b6312b67fd38c321dfd7bc9dd70aa2a91012480e463e6abae

        SHA512

        597f37391f25a97d6679743bb4574973095a713485cd80cb64b02d485d0f579cbf3bf756247b6d54ce3aa1712978827a148c09573a81e679d6da78dacbd21638

      • C:\Users\Admin\AppData\Local\Temp\sre\src.exe

        Filesize

        1.1MB

        MD5

        6830019535eeca9c9fb9a28349c71ab8

        SHA1

        d256790b9bf99acdc5fe3fe97dda339a7ff6e502

        SHA256

        56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9

        SHA512

        037e965770681b5a89577b72d2ebbeac1bd6b84ca98576228676dd328bbaa80262544532355db101be29fb8a6ef88a632180323d68973057f282e94e8182589d

      • C:\Users\Admin\AppData\Local\Temp\tmp6980.tmp.bat

        Filesize

        154B

        MD5

        38451202f50b7cf1d4678a9966f9d448

        SHA1

        b8a53b523393abd825a4231ed37d08cf38c32bbc

        SHA256

        d9124ded590b01abae8712e15ef4d54285f669bd2c67e400a3a2912be130ba2c

        SHA512

        ca588804845288fa6af398448bb135c3a1ee08d99ac5fdeb39e1321183cc12e49bbb3b4692acd16cc6a7ca43ef3e42fc7d33d0699d4a7ee317ba8dbb41a83eb8

      • memory/728-173-0x0000000004FE3000-0x0000000004FE5000-memory.dmp

        Filesize

        8KB

      • memory/728-175-0x0000000006EB0000-0x0000000006F00000-memory.dmp

        Filesize

        320KB

      • memory/1752-135-0x0000000005440000-0x0000000005496000-memory.dmp

        Filesize

        344KB

      • memory/1752-134-0x0000000005210000-0x000000000521A000-memory.dmp

        Filesize

        40KB

      • memory/1752-133-0x00000000052B0000-0x0000000005342000-memory.dmp

        Filesize

        584KB

      • memory/1752-130-0x00000000006A0000-0x00000000007B4000-memory.dmp

        Filesize

        1.1MB

      • memory/1752-132-0x00000000057C0000-0x0000000005D64000-memory.dmp

        Filesize

        5.6MB

      • memory/1752-131-0x0000000005170000-0x000000000520C000-memory.dmp

        Filesize

        624KB

      • memory/2068-177-0x00000000048F5000-0x00000000048F7000-memory.dmp

        Filesize

        8KB

      • memory/2068-178-0x0000000070230000-0x000000007027C000-memory.dmp

        Filesize

        304KB

      • memory/2620-166-0x0000000007C30000-0x0000000007C4A000-memory.dmp

        Filesize

        104KB

      • memory/2620-163-0x0000000007960000-0x000000000796A000-memory.dmp

        Filesize

        40KB

      • memory/2620-153-0x00000000065F0000-0x000000000660E000-memory.dmp

        Filesize

        120KB

      • memory/2620-144-0x0000000005010000-0x0000000005046000-memory.dmp

        Filesize

        216KB

      • memory/2620-145-0x00000000057E0000-0x0000000005E08000-memory.dmp

        Filesize

        6.2MB

      • memory/2620-146-0x0000000005720000-0x0000000005742000-memory.dmp

        Filesize

        136KB

      • memory/2620-157-0x0000000006BC0000-0x0000000006BF2000-memory.dmp

        Filesize

        200KB

      • memory/2620-158-0x0000000071850000-0x000000007189C000-memory.dmp

        Filesize

        304KB

      • memory/2620-159-0x00000000051A5000-0x00000000051A7000-memory.dmp

        Filesize

        8KB

      • memory/2620-160-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

        Filesize

        120KB

      • memory/2620-161-0x0000000007F40000-0x00000000085BA000-memory.dmp

        Filesize

        6.5MB

      • memory/2620-162-0x00000000078F0000-0x000000000790A000-memory.dmp

        Filesize

        104KB

      • memory/2620-167-0x0000000007C20000-0x0000000007C28000-memory.dmp

        Filesize

        32KB

      • memory/2620-164-0x0000000007B70000-0x0000000007C06000-memory.dmp

        Filesize

        600KB

      • memory/2620-165-0x0000000007B30000-0x0000000007B3E000-memory.dmp

        Filesize

        56KB

      • memory/2620-147-0x0000000005F00000-0x0000000005F66000-memory.dmp

        Filesize

        408KB

      • memory/4708-142-0x0000000005013000-0x0000000005015000-memory.dmp

        Filesize

        8KB

      • memory/4708-141-0x0000000006360000-0x00000000063C6000-memory.dmp

        Filesize

        408KB

      • memory/4708-139-0x0000000000400000-0x0000000000486000-memory.dmp

        Filesize

        536KB
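
The dump names above encode the PID, a sequence number and the start and end address of each region, and the printed Filesize is just end minus start. Two things are worth pulling out of them when triaging: whether the printed sizes are consistent with the address ranges (a cheap sanity check on any scraped or re-hosted report), and which process has a region starting at 0x400000. The sample is 32-bit (SysWOW64 PowerShell, `CLR_v4.0_32` usage logs), and 0x400000 is the default image base of a 32-bit PE that has not been relocated; the parent 1752 has its own image at 0x6A0000 (1.1MB, the size of the file on disk), while the self-spawned child 4708 holds a 536KB region at exactly 0x400000. That is the region to carve first when looking for the unpacked payload, which is the editor's reading of the dumps rather than anything the report states. The following is an added example, not part of the report: the entries are constructed from names on this page, and the name layout is assumed from those names rather than taken from any documented format.

```python
"""Cross-checks on the memory-region dumps listed above.

Added example, not part of the report. DUMPS is constructed from entries on
this page (dump name, size as printed). The name pattern
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is assumed from the names
shown, not from any documented format.
"""
import re

REGION_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.I,
)
DEFAULT_IMAGE_BASE_32 = 0x400000  # default ImageBase of a 32-bit PE left where the linker put it

DUMPS = [
    ("memory/1752-130-0x00000000006A0000-0x00000000007B4000-memory.dmp", "1.1MB"),
    ("memory/1752-132-0x00000000057C0000-0x0000000005D64000-memory.dmp", "5.6MB"),
    ("memory/4708-139-0x0000000000400000-0x0000000000486000-memory.dmp", "536KB"),
    ("memory/728-175-0x0000000006EB0000-0x0000000006F00000-memory.dmp", "320KB"),
    ("memory/2620-158-0x0000000071850000-0x000000007189C000-memory.dmp", "304KB"),
]


def parse_region(name):
    """Split a dump name into pid, sequence number and integer start/end addresses."""
    m = REGION_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a region dump name: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def region_size(region):
    return region["end"] - region["start"]


def human_size(n):
    """Same rounding the report uses: whole KiB below 1 MiB, one decimal MiB at or above it."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def verify_sizes(dumps):
    """Entries whose size recomputed from the address range disagrees with the printed size."""
    bad = []
    for name, printed in dumps:
        got = human_size(region_size(parse_region(name)))
        if got != printed:
            bad.append((name, got, printed))
    return bad


def pids_with_region_at(dumps, base):
    """PIDs that own a dumped region starting exactly at `base`."""
    return sorted({parse_region(n)["pid"] for n, _ in dumps if parse_region(n)["start"] == base})


if __name__ == "__main__":
    print("size mismatches:", verify_sizes(DUMPS))
    print("pids with a region at the default 32-bit image base:",
          pids_with_region_at(DUMPS, DEFAULT_IMAGE_BASE_32))
```

A region at the default base is only a hint: a non-ASLR binary started normally would sit there too. The reason it matters here is the combination with the tree above, where the process owning that region is a copy of a parent whose own image was relocated to 0x6A0000 and which was flagged for SetThreadContext and WriteProcessMemory.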