masslogger | e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519

General

Target

e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
Size

856KB
MD5

c0fab232c11bc39a7c86f3f8e99b1dcf
SHA1

442df6e94256fa1a803850f369bf1bf8f4ccf5ad
SHA256

e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519
SHA512

d074eed8e3405947814c64ac5e8d14752055b0551998cd24b4b8124b84f0934101bf0b2dca5bb6187a5ddf43b22c314ec806d56880adbe60c3d4b86c843f2426

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4512-139-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe

description	pid	process	target process
PID 3000 set thread context of 4512	3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

412 schtasks.exe

pid	process
412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exee66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exepowershell.exe

pid	process
3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
4512	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
4512	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
216	powershell.exe
216	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exee66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
Token: SeDebugPrivilege	4512	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
Token: SeDebugPrivilege	216	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exee66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe

description	pid	process	target process
PID 3000 wrote to memory of 412	3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	schtasks.exe
PID 3000 wrote to memory of 412	3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	schtasks.exe
PID 3000 wrote to memory of 412	3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	schtasks.exe
PID 3000 wrote to memory of 4512	3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
PID 3000 wrote to memory of 4512	3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
PID 3000 wrote to memory of 4512	3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
PID 3000 wrote to memory of 4512	3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
PID 3000 wrote to memory of 4512	3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
PID 3000 wrote to memory of 4512	3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
PID 3000 wrote to memory of 4512	3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
PID 3000 wrote to memory of 4512	3000	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
PID 4512 wrote to memory of 216	4512	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	powershell.exe
PID 4512 wrote to memory of 216	4512	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	powershell.exe
PID 4512 wrote to memory of 216	4512	e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
"C:\Users\Admin\AppData\Local\Temp\e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yhtTXoGhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6ED7.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:412
- C:\Users\Admin\AppData\Local\Temp\e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe
  "C:\Users\Admin\AppData\Local\Temp\e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e66c077ec839037d96e6e66ac676812d6b83c572899febe3d7604e6482f54519.exe.log

Filesize
1KB

MD5
17573558c4e714f606f997e5157afaac

SHA1
13e16e9415ceef429aaf124139671ebeca09ed23

SHA256
c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

SHA512
f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6ED7.tmp

Filesize
1KB

MD5
c2754065a8790f12ba205da18f7f15cb

SHA1
8bf6136bb583c9e021d7d7510b0c210e41dbba75

SHA256
bbc41312636e74532a1d85beea7af54d2eb425e0e60fd070e9c6bdcd43b8aeec

SHA512
7a5f88fbd6f818edc60dc0c7113d2dc3d0aaa2ca2bf061d8f254cd4f6edcdd098921e5cb5b7e803f269f9b318a2f785025fd8307fc2af87ad476015b2510ddea

Download Submit
memory/216-145-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/216-149-0x00000000060A0000-0x00000000060BA000-memory.dmp

Filesize
104KB

Download
memory/216-148-0x0000000007230000-0x00000000078AA000-memory.dmp

Filesize
6.5MB

Download
memory/216-147-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/216-150-0x0000000006C50000-0x0000000006CE6000-memory.dmp

Filesize
600KB

Download
memory/216-146-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/216-143-0x0000000004610000-0x0000000004646000-memory.dmp

Filesize
216KB

Download
memory/216-144-0x0000000004D20000-0x0000000005348000-memory.dmp

Filesize
6.2MB

Download
memory/216-141-0x0000000000000000-mapping.dmp

Download
memory/216-151-0x0000000006180000-0x00000000061A2000-memory.dmp

Filesize
136KB

Download
memory/412-136-0x0000000000000000-mapping.dmp

Download
memory/3000-135-0x00000000051E0000-0x0000000005236000-memory.dmp

Filesize
344KB

Download
memory/3000-130-0x0000000000580000-0x000000000065C000-memory.dmp

Filesize
880KB

Download
memory/3000-134-0x0000000005010000-0x000000000501A000-memory.dmp

Filesize
40KB

Download
memory/3000-133-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/3000-132-0x0000000005690000-0x0000000005C34000-memory.dmp

Filesize
5.6MB

Download
memory/3000-131-0x0000000005040000-0x00000000050DC000-memory.dmp

Filesize
624KB

Download
memory/4512-140-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/4512-139-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4512-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads