Analysis

  • max time kernel
    4294181s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    26-03-2022 16:54

General

  • Target

    63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe

  • Size

    411KB

  • MD5

    4bf2b285e0392f1be1e357503cead553

  • SHA1

    0c3e961e3cb3ab244211a82a24c3d4a6d5713e1b

  • SHA256

    63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2

  • SHA512

    4547de80c187a3355a533d84dfabd0ca205fb73c915f2a0913ff3d2e644debefced5ed6c001ba3b7711c76a58bf9bd2707ca62d51c1cbd41dbe6333360f1c8c1

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe
    "C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1936
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1552
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8749.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1480
      • C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
        "C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:1060
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1112

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8749.tmp.bat

    Filesize

    160B

    MD5

    bc060de594b60e3694d589dbbaba5ce1

    SHA1

    45a3cb668e1e72c07ad0542500f794d91f2854a0

    SHA256

    04455e07d89d1e9827a40d288b90147d641dffae565022f3434d5f2f71fcd203

    SHA512

    dcb786cdc431a402d827c118418efb63f2719a73022602c8a6603f89fe12ced67776e78e82576acf59bc8a889c62c498b50fe6e4e3a8e736249939aa97acc1f3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    9fff146fd42b655737f7f42eb5873b28

    SHA1

    75621a484f64a237b3246558cc5ad0efc320ee46

    SHA256

    7bf68ae2ccf795bd6ea3dcd25cf7f610e702b3cc1005a443251e198d27893d84

    SHA512

    f3a96f9845b832c2f624009ae57f07a8bdd002f6fe49aeb82f7a73f625ce140d67d8bb92509f8d0857636624fb26604a10d39843f5caa149ee1c37f938b3db42

  • C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

    Filesize

    411KB

    MD5

    4bf2b285e0392f1be1e357503cead553

    SHA1

    0c3e961e3cb3ab244211a82a24c3d4a6d5713e1b

    SHA256

    63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2

    SHA512

    4547de80c187a3355a533d84dfabd0ca205fb73c915f2a0913ff3d2e644debefced5ed6c001ba3b7711c76a58bf9bd2707ca62d51c1cbd41dbe6333360f1c8c1

  • \Users\Admin\AppData\Roaming\zygolen\nslookup.exe

    Filesize

    411KB

    MD5

    4bf2b285e0392f1be1e357503cead553

    SHA1

    0c3e961e3cb3ab244211a82a24c3d4a6d5713e1b

    SHA256

    63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2

    SHA512

    4547de80c187a3355a533d84dfabd0ca205fb73c915f2a0913ff3d2e644debefced5ed6c001ba3b7711c76a58bf9bd2707ca62d51c1cbd41dbe6333360f1c8c1

  • memory/1060-75-0x0000000004A25000-0x0000000004A36000-memory.dmp

    Filesize

    68KB

  • memory/1060-71-0x0000000001190000-0x00000000011FA000-memory.dmp

    Filesize

    424KB

  • memory/1112-76-0x000000006EC30000-0x000000006F1DB000-memory.dmp

    Filesize

    5.7MB

  • memory/1648-54-0x0000000000A30000-0x0000000000A9A000-memory.dmp

    Filesize

    424KB

  • memory/1648-61-0x0000000004D45000-0x0000000004D56000-memory.dmp

    Filesize

    68KB

  • memory/1648-56-0x0000000007FB0000-0x0000000008036000-memory.dmp

    Filesize

    536KB

  • memory/1648-55-0x0000000004C70000-0x0000000004CD8000-memory.dmp

    Filesize

    416KB

  • memory/1936-65-0x0000000074700000-0x0000000074CAB000-memory.dmp

    Filesize

    5.7MB

  • memory/1936-66-0x00000000023C0000-0x000000000300A000-memory.dmp

    Filesize

    12.3MB

  • memory/1936-58-0x00000000752C1000-0x00000000752C3000-memory.dmp

    Filesize

    8KB