Analysis

  • max time kernel
    4294181s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    28-03-2022 22:22

General

  • Target

    0cd32defaaa5d1d14d19f9317df3ab366951a2544185fc68132fd4c6bf8ea689.exe

  • Size

    1.8MB

  • MD5

    74af9467eb836f933d28abaf4710a4b7

  • SHA1

    dba84ce4920d9d149a8ef040905c273bb753e17a

  • SHA256

    0cd32defaaa5d1d14d19f9317df3ab366951a2544185fc68132fd4c6bf8ea689

  • SHA512

    2e3d7d06393443925e5d4dee7edf9ab851f93703cbc22c7fc2e6c5cff1b164a6f2efcec5d544480fb7a3b3bfcd524cf513f8a97a5c4ee79fc4fcddddbb0bac78

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cd32defaaa5d1d14d19f9317df3ab366951a2544185fc68132fd4c6bf8ea689.exe
    "C:\Users\Admin\AppData\Local\Temp\0cd32defaaa5d1d14d19f9317df3ab366951a2544185fc68132fd4c6bf8ea689.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1488
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1696

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/580-54-0x0000000075561000-0x0000000075563000-memory.dmp

    Filesize

    8KB

  • memory/580-56-0x0000000003210000-0x0000000003291000-memory.dmp

    Filesize

    516KB

  • memory/1488-57-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1488-60-0x0000000004425000-0x0000000004436000-memory.dmp

    Filesize

    68KB

  • memory/1696-61-0x000000006E9F0000-0x000000006EF9B000-memory.dmp

    Filesize

    5.7MB