Analysis
-
max time kernel
90s -
max time network
92s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-04-2022 04:08
General
-
Target
3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
-
Size
1.2MB
-
MD5
f0459ea78912ae96a3b503e483db6ce5
-
SHA1
782aa3b2d3ec604627e4ed8174bd63b5df876d22
-
SHA256
3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897
-
SHA512
b266b8286852d7d9ad063fdf19d05ea35d0b38b788de7141ca950c7fdc4f2aacb04748278e04b5ecbe8474af88308494b0fd97cc2a55efbc880c868b91b43554
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 6 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe"C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe"C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe'3⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5b0fbf37290c41293483d8bbad064de1a
SHA1a25ac2b37d9ba93629a729ffadc3976fd407aff5
SHA25638f0e36114cb3f067b06d86957bf716af4708dc862a94027aade1cfce63d7b71
SHA51232b865270173fce846313eeb4f611c7158c48d8c23e1bd8d8439ab77e070ea134e3b08f8f27bbd8ddf1cc97ef6d6e5b4414d913ec0937d447c95a3b5f5e519c9
-
Filesize
5.7MB
-
-
-
Filesize
12.3MB
-
Filesize
5.7MB
-
Filesize
8KB
-
Filesize
536KB
-
Filesize
536KB
-
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
68KB
-
Filesize
536KB
-
Filesize
1.3MB
-
Filesize
544KB
-
Filesize
768KB
-
Filesize
64KB