Analysis

  • max time kernel
    4294179s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    28-03-2022 22:21

General

  • Target

    49f4342e228862604183cbb019d232bd60cba908799b1adbdd57b6b435d076dd.exe

  • Size

    1.9MB

  • MD5

    d2f0590df55127f29bc9c984fbf4a45f

  • SHA1

    3024d55b72ccfea5daabd2e87756e7fd6ff7703e

  • SHA256

    49f4342e228862604183cbb019d232bd60cba908799b1adbdd57b6b435d076dd

  • SHA512

    27e446e589dc350382017da11775cf9e8b02c56f26a168f4479f15f4647ee6e0f3bf990bb9cd8a4793aaebc232818d14b488c00a9a4337ef38434a53fb9e7980

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 1 IoCs
  • Drops startup file 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49f4342e228862604183cbb019d232bd60cba908799b1adbdd57b6b435d076dd.exe
    "C:\Users\Admin\AppData\Local\Temp\49f4342e228862604183cbb019d232bd60cba908799b1adbdd57b6b435d076dd.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:760
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:452

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/452-62-0x000000006F2B0000-0x000000006F85B000-memory.dmp

    Filesize

    5.7MB

  • memory/452-63-0x00000000023D0000-0x000000000301A000-memory.dmp

    Filesize

    12.3MB

  • memory/760-58-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/760-61-0x0000000000605000-0x0000000000616000-memory.dmp

    Filesize

    68KB

  • memory/1776-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

    Filesize

    8KB

  • memory/1776-55-0x0000000001150000-0x00000000011D1000-memory.dmp

    Filesize

    516KB

  • memory/1776-56-0x0000000000160000-0x0000000000163000-memory.dmp

    Filesize

    12KB