masslogger | 106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b

General

Target

106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe
Size

1.1MB
MD5

4a60e245aff468c7b6bed7dec3b877e3
SHA1

6e215e7b54b4b7f412dd8735ca87a22284e67abc
SHA256

106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b
SHA512

17d243a02365bc33e0b3edecf0cd1569b51bfa5bbc5ace6fd0c56063ac833411eddc575dced657dc1a0fa4bc867dabec19369b4bd92e97e7b6453a6baad76aad

Score

10^/10

masslogger persistence spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/392-73-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/392-74-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/392-75-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/392-76-0x00000000004819EE-mapping.dmp	family_masslogger
behavioral1/memory/392-79-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/392-81-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Executes dropped EXE 2 IoCs

Processes:

winpro.exewinpro.exe

pid process

812 winpro.exe
392 winpro.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

winpro.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation winpro.exe

pid	process
812	winpro.exe
392	winpro.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation	winpro.exe

Loads dropped DLL 4 IoCs

Processes:

106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exewinpro.exe

pid	process
1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe
1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe
812	winpro.exe
812	winpro.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\winpro = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\Documents\\winpro.exe"	reg.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

winpro.exe

description pid process target process

PID 812 set thread context of 392 812 winpro.exe winpro.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 812 set thread context of 392	812	winpro.exe	winpro.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exewinpro.exewinpro.exe

pid	process
1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe
1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe
812	winpro.exe
392	winpro.exe
392	winpro.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exewinpro.exewinpro.exe

description	pid	process
Token: SeDebugPrivilege	1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe
Token: SeTakeOwnershipPrivilege	1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe
Token: SeRestorePrivilege	1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe
Token: SeDebugPrivilege	812	winpro.exe
Token: SeTakeOwnershipPrivilege	812	winpro.exe
Token: SeRestorePrivilege	812	winpro.exe
Token: SeDebugPrivilege	392	winpro.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.execmd.exewinpro.exe

description	pid	process	target process
PID 1656 wrote to memory of 2040	1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe	cmd.exe
PID 1656 wrote to memory of 2040	1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe	cmd.exe
PID 1656 wrote to memory of 2040	1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe	cmd.exe
PID 1656 wrote to memory of 2040	1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe	cmd.exe
PID 2040 wrote to memory of 2028	2040	cmd.exe	reg.exe
PID 2040 wrote to memory of 2028	2040	cmd.exe	reg.exe
PID 2040 wrote to memory of 2028	2040	cmd.exe	reg.exe
PID 2040 wrote to memory of 2028	2040	cmd.exe	reg.exe
PID 1656 wrote to memory of 812	1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe	winpro.exe
PID 1656 wrote to memory of 812	1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe	winpro.exe
PID 1656 wrote to memory of 812	1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe	winpro.exe
PID 1656 wrote to memory of 812	1656	106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe	winpro.exe
PID 812 wrote to memory of 392	812	winpro.exe	winpro.exe
PID 812 wrote to memory of 392	812	winpro.exe	winpro.exe
PID 812 wrote to memory of 392	812	winpro.exe	winpro.exe
PID 812 wrote to memory of 392	812	winpro.exe	winpro.exe
PID 812 wrote to memory of 392	812	winpro.exe	winpro.exe
PID 812 wrote to memory of 392	812	winpro.exe	winpro.exe
PID 812 wrote to memory of 392	812	winpro.exe	winpro.exe
PID 812 wrote to memory of 392	812	winpro.exe	winpro.exe
PID 812 wrote to memory of 392	812	winpro.exe	winpro.exe

C:\Users\Admin\AppData\Local\Temp\106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe
"C:\Users\Admin\AppData\Local\Temp\106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v winpro /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Documents\winpro.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v winpro /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Documents\winpro.exe"
    3⤵
    - Adds Run key to start application
    PID:2028
- C:\Users\Admin\Documents\winpro.exe
  "C:\Users\Admin\Documents\winpro.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Users\Admin\Documents\winpro.exe
    "C:\Users\Admin\Documents\winpro.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e34dd831-6d57-4d92-81ec-c008864dca6e\AgileDotNetRT.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\Documents\winpro.exe

Filesize
1.1MB

MD5
4a60e245aff468c7b6bed7dec3b877e3

SHA1
6e215e7b54b4b7f412dd8735ca87a22284e67abc

SHA256
106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b

SHA512
17d243a02365bc33e0b3edecf0cd1569b51bfa5bbc5ace6fd0c56063ac833411eddc575dced657dc1a0fa4bc867dabec19369b4bd92e97e7b6453a6baad76aad

Download Submit
C:\Users\Admin\Documents\winpro.exe

Filesize
1.1MB

MD5
4a60e245aff468c7b6bed7dec3b877e3

SHA1
6e215e7b54b4b7f412dd8735ca87a22284e67abc

SHA256
106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b

SHA512
17d243a02365bc33e0b3edecf0cd1569b51bfa5bbc5ace6fd0c56063ac833411eddc575dced657dc1a0fa4bc867dabec19369b4bd92e97e7b6453a6baad76aad

Download Submit
C:\Users\Admin\Documents\winpro.exe

Filesize
1.1MB

MD5
4a60e245aff468c7b6bed7dec3b877e3

SHA1
6e215e7b54b4b7f412dd8735ca87a22284e67abc

SHA256
106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b

SHA512
17d243a02365bc33e0b3edecf0cd1569b51bfa5bbc5ace6fd0c56063ac833411eddc575dced657dc1a0fa4bc867dabec19369b4bd92e97e7b6453a6baad76aad

Download Submit
\Users\Admin\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
\Users\Admin\AppData\Local\Temp\e34dd831-6d57-4d92-81ec-c008864dca6e\AgileDotNetRT.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
\Users\Admin\AppData\Local\Temp\e34dd831-6d57-4d92-81ec-c008864dca6e\AgileDotNetRT.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
\Users\Admin\Documents\winpro.exe

Filesize
1.1MB

MD5
4a60e245aff468c7b6bed7dec3b877e3

SHA1
6e215e7b54b4b7f412dd8735ca87a22284e67abc

SHA256
106a72ea42836e5d06b29fe9f93294b6a14c33ff31669089851666645b176c8b

SHA512
17d243a02365bc33e0b3edecf0cd1569b51bfa5bbc5ace6fd0c56063ac833411eddc575dced657dc1a0fa4bc867dabec19369b4bd92e97e7b6453a6baad76aad

Download Submit
memory/392-71-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-76-0x00000000004819EE-mapping.dmp

Download
memory/392-79-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-75-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-81-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-74-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-73-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/392-70-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/812-61-0x0000000000000000-mapping.dmp

Download
memory/812-68-0x0000000000530000-0x000000000054C000-memory.dmp

Filesize
112KB

Download
memory/812-67-0x0000000074200000-0x0000000074280000-memory.dmp

Filesize
512KB

Download
memory/812-64-0x0000000000060000-0x0000000000174000-memory.dmp

Filesize
1.1MB

Download
memory/1656-54-0x00000000010D0000-0x00000000011E4000-memory.dmp

Filesize
1.1MB

Download
memory/1656-55-0x0000000000930000-0x0000000000968000-memory.dmp

Filesize
224KB

Download
memory/2028-59-0x0000000000000000-mapping.dmp

Download
memory/2040-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads