Analysis

  • max time kernel
    4294178s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    26-03-2022 15:02

General

  • Target

    3de18c7fe5a555a5839761c35486a1032bf654a1d56106dc92912a540f6df46e.exe

  • Size

    821KB

  • MD5

    b0c6c62c19099f962f6a8c942051c33d

  • SHA1

    0985c98469e35361d235df11417b0bf9ead7f110

  • SHA256

    3de18c7fe5a555a5839761c35486a1032bf654a1d56106dc92912a540f6df46e

  • SHA512

    bc9710bf121a9c4887a317931e60b57f73497bd836e918e1765812bedbc312af611e8c298860b44bce2ecc3a3776725b0be4cb4091382d74d41e94930897e735

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3de18c7fe5a555a5839761c35486a1032bf654a1d56106dc92912a540f6df46e.exe
    "C:\Users\Admin\AppData\Local\Temp\3de18c7fe5a555a5839761c35486a1032bf654a1d56106dc92912a540f6df46e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml"
        3⤵
        • Creates scheduled task(s)
        PID:2032
    • C:\Users\Admin\AppData\Local\Temp\3de18c7fe5a555a5839761c35486a1032bf654a1d56106dc92912a540f6df46e.exe
      "C:\Users\Admin\AppData\Local\Temp\3de18c7fe5a555a5839761c35486a1032bf654a1d56106dc92912a540f6df46e.exe"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1216
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3de18c7fe5a555a5839761c35486a1032bf654a1d56106dc92912a540f6df46e.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1580
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\3de18c7fe5a555a5839761c35486a1032bf654a1d56106dc92912a540f6df46e.exe'
        3⤵
        • Deletes itself
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1540

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9d77f4a40ffa452f8c1e2fdd2b545943.xml

    Filesize

    1KB

    MD5

    de0568b191c83304806f799becda4ebb

    SHA1

    fa173d7dbcfbff032aed5c0c78f2e77758acfbac

    SHA256

    5a76e8ae2a68014deae6999886f074625e6397692d1578697c76e47a2ba2f442

    SHA512

    1190c6ec33d231d18f52cad4e5ed234f8670fad22acb05292c5cd9dc9a96d3f7cbc6d6dbdca8bf18f9852aff3b0c1a04721f82d7f43133ae66f8c8680f80eb5d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    3a3320d6fd7c6fef48ec232f933b3247

    SHA1

    4b5550ed6dcd9a499534df2c2f2c1e5f575f7774

    SHA256

    b04d000316bd1e4c740aa7974e4bff33956e5c7f29d9a0e8dc889b6356efce70

    SHA512

    ec839971d6431f2f07f576637d4fb653343e73254bb9a931e7cbad97fa6010a77b8e045b5eb9c952e4a2a2b9761e5f214324eac4b156fd011e151aa890ecb77a

  • memory/1216-64-0x0000000006440000-0x00000000064D0000-memory.dmp

    Filesize

    576KB

  • memory/1216-60-0x00000000043F0000-0x000000000447C000-memory.dmp

    Filesize

    560KB

  • memory/1216-65-0x00000000049C9000-0x00000000049DA000-memory.dmp

    Filesize

    68KB

  • memory/1216-63-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

    Filesize

    248KB

  • memory/1220-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

    Filesize

    8KB

  • memory/1540-71-0x0000000073160000-0x000000007370B000-memory.dmp

    Filesize

    5.7MB

  • memory/1540-72-0x0000000002530000-0x000000000317A000-memory.dmp

    Filesize

    12.3MB

  • memory/1580-66-0x000000006EA90000-0x000000006F03B000-memory.dmp

    Filesize

    5.7MB

  • memory/1580-67-0x0000000002362000-0x0000000002364000-memory.dmp

    Filesize

    8KB