Overview

overview

10

Static

static

554e73533c...88.exe

windows7_x64

10

554e73533c...88.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    109s
  • max time network
    97s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-04-2022 16:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe

  • Size

    1.0MB

  • MD5

    a427fa19edceed5c843947b91f52aea9

  • SHA1

    13d9e0da2f94c66f60d83e6cb67fba608ab6d4b4

  • SHA256

    554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88

  • SHA512

    5cab06db2cb641e88a40e09b47b458e46330f475b960b7a1ac81f51b57c30e1e49b7fea47567c61be1ae31061d31132c3f6848f2f06de2e2cc61d20c236674e3

Score
10/10
massloggercollectionspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe
    "C:\Users\Admin\AppData\Local\Temp\554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Users\Admin\AppData\Local\Temp\554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe
      "C:\Users\Admin\AppData\Local\Temp\554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe"
      2⤵
        PID:1568
      • C:\Users\Admin\AppData\Local\Temp\554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe
        "C:\Users\Admin\AppData\Local\Temp\554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe"
        2⤵
          PID:1732
        • C:\Users\Admin\AppData\Local\Temp\554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe
          "C:\Users\Admin\AppData\Local\Temp\554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe"
          2⤵
            PID:1612
          • C:\Users\Admin\AppData\Local\Temp\554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe
            "C:\Users\Admin\AppData\Local\Temp\554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe"
            2⤵
              PID:1268
            • C:\Users\Admin\AppData\Local\Temp\554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe
              "C:\Users\Admin\AppData\Local\Temp\554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe"
              2⤵
              • Checks computer location settings
              • Accesses Microsoft Outlook profiles
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • outlook_office_path
              • outlook_win_path
              PID:1464
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\554e73533c3dbdf6c4fa0d4a3404ef7997d05c0886ff65d9c8c538663550fd88.exe'
                3⤵
                • Deletes itself
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:324

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/324-71-0x0000000000000000-mapping.dmp

            Download

          • memory/324-74-0x0000000002612000-0x0000000002614000-memory.dmp

            Filesize

            8KB

            Download

          • memory/324-73-0x0000000073E90000-0x000000007443B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/324-72-0x0000000075261000-0x0000000075263000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1308-55-0x0000000000460000-0x000000000047C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/1308-56-0x00000000054F0000-0x00000000055B0000-memory.dmp

            Filesize

            768KB

            Download

          • memory/1308-57-0x0000000000650000-0x000000000065A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1308-58-0x0000000004E10000-0x0000000004E98000-memory.dmp

            Filesize

            544KB

            Download

          • memory/1308-54-0x00000000002B0000-0x00000000003BE000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1464-63-0x0000000000400000-0x0000000000486000-memory.dmp

            Filesize

            536KB

            Download

          • memory/1464-65-0x0000000000481B9E-mapping.dmp

            Download

          • memory/1464-67-0x0000000000400000-0x0000000000486000-memory.dmp

            Filesize

            536KB

            Download

          • memory/1464-69-0x0000000000400000-0x0000000000486000-memory.dmp

            Filesize

            536KB

            Download

          • memory/1464-70-0x0000000004D05000-0x0000000004D16000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1464-64-0x0000000000400000-0x0000000000486000-memory.dmp

            Filesize

            536KB

            Download

          • memory/1464-62-0x0000000000400000-0x0000000000486000-memory.dmp

            Filesize

            536KB

            Download

          • memory/1464-60-0x0000000000400000-0x0000000000486000-memory.dmp

            Filesize

            536KB

            Download

          • memory/1464-59-0x0000000000400000-0x0000000000486000-memory.dmp

            Filesize

            536KB

            Download