Overview

overview

10

Static

static

MBin.exe

windows7_x64

10

MBin.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    181s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    03-05-2022 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MBin.exe

  • Size

    929KB

  • MD5

    c4cf28c1d5e4da94c3391b90cd91671d

  • SHA1

    2c0db45e4852ab67255f78fe6921ada7a305244e

  • SHA256

    433c68e89fe741e7ec59e064861baf726ab0b8637849d9d92fa5e3a2819d211c

  • SHA512

    23590c2584a04127ec7c75f5f642a6884715390158b897e3617d4cbd536d6369388a0f3cce6d926ae7bf3e149d4cc8c99f82a35e340553421411d1c624506f39

Score
10/10
massloggercollectionevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MBin.exe
    "C:\Users\Admin\AppData\Local\Temp\MBin.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MBin.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3632
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MBin.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3560
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MBin.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4584
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MBin.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Users\Admin\AppData\Local\Temp\MBin.exe
      "C:\Users\Admin\AppData\Local\Temp\MBin.exe"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:228
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MBin.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1328
      2⤵
      • Program crash
      PID:1776
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4992 -ip 4992
    1⤵
      PID:1912

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    6
    T1112

    Disabling Security Tools

    4
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Filesize

      54KB

      MD5

      8cac77e8fc9193fb3f7e46d0fcbdfd2f

      SHA1

      46c3f9e46cab5cd7cc3073bd8cd00ad5a47577b2

      SHA256

      188dc4bf8463234d87bb0d4c6bf87a2c405c3a3e1a67a63f5ae11293ee13d650

      SHA512

      0ef180ad0458d4514ae23abf41e1542c95b89f1bee8ccc0759fc5db9ea77e39f1b7748f3325f2109aaf12dd286f8fa5bb600edd9673b1c66eabb264c50574fa4

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Filesize

      54KB

      MD5

      8cac77e8fc9193fb3f7e46d0fcbdfd2f

      SHA1

      46c3f9e46cab5cd7cc3073bd8cd00ad5a47577b2

      SHA256

      188dc4bf8463234d87bb0d4c6bf87a2c405c3a3e1a67a63f5ae11293ee13d650

      SHA512

      0ef180ad0458d4514ae23abf41e1542c95b89f1bee8ccc0759fc5db9ea77e39f1b7748f3325f2109aaf12dd286f8fa5bb600edd9673b1c66eabb264c50574fa4

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      6d6a42f2284e57b24075bdbcfa5f560a

      SHA1

      f5f0b09d9b6f4325c57b19b0dab87fa44532f09c

      SHA256

      a4cfe63c20d0d90d9898ad26feb9432c912408d50257d4f960fdc86979864781

      SHA512

      1edaba2cd913ffd41b67ba6219a596752647943c1ef4ca10758ad8b70ee3ac548075ccf4c8b17a4a5db307e16392834684a12a25ae7f85dafbdd2b8a09e6c726

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      6d6a42f2284e57b24075bdbcfa5f560a

      SHA1

      f5f0b09d9b6f4325c57b19b0dab87fa44532f09c

      SHA256

      a4cfe63c20d0d90d9898ad26feb9432c912408d50257d4f960fdc86979864781

      SHA512

      1edaba2cd913ffd41b67ba6219a596752647943c1ef4ca10758ad8b70ee3ac548075ccf4c8b17a4a5db307e16392834684a12a25ae7f85dafbdd2b8a09e6c726

      Download Submit
    • memory/228-145-0x0000000004FE0000-0x0000000005072000-memory.dmp
      Filesize

      584KB

      Download
    • memory/228-168-0x0000000006CF0000-0x0000000006D40000-memory.dmp
      Filesize

      320KB

      Download
    • memory/228-143-0x0000000000000000-mapping.dmp
      Download
    • memory/228-144-0x0000000000400000-0x0000000000486000-memory.dmp
      Filesize

      536KB

      Download
    • memory/228-169-0x0000000006CA0000-0x0000000006CAA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1068-172-0x0000000070810000-0x000000007085C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1068-166-0x0000000000000000-mapping.dmp
      Download
    • memory/2752-151-0x000000006FF30000-0x000000006FF7C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2752-137-0x0000000000000000-mapping.dmp
      Download
    • memory/3560-134-0x0000000000000000-mapping.dmp
      Download
    • memory/3560-158-0x0000000007AB0000-0x0000000007B46000-memory.dmp
      Filesize

      600KB

      Download
    • memory/3560-152-0x000000006FF30000-0x000000006FF7C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3560-159-0x0000000007A70000-0x0000000007A7E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3560-140-0x0000000005D20000-0x0000000005D86000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3632-153-0x000000006FF30000-0x000000006FF7C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3632-138-0x00000000052F0000-0x0000000005918000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3632-133-0x0000000000000000-mapping.dmp
      Download
    • memory/3632-157-0x00000000072F0000-0x00000000072FA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3632-135-0x0000000002690000-0x00000000026C6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3632-155-0x0000000007900000-0x0000000007F7A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3632-139-0x0000000004FC0000-0x0000000004FE2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3632-141-0x0000000005920000-0x0000000005986000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3632-142-0x0000000005F90000-0x0000000005FAE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3632-149-0x0000000006570000-0x00000000065A2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4584-161-0x0000000007710000-0x0000000007718000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4584-160-0x0000000007730000-0x000000000774A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4584-154-0x0000000006680000-0x000000000669E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4584-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4584-150-0x000000006FF30000-0x000000006FF7C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4584-156-0x00000000073E0000-0x00000000073FA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4992-130-0x0000000000890000-0x000000000097C000-memory.dmp
      Filesize

      944KB

      Download
    • memory/4992-132-0x0000000005910000-0x0000000005EB4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4992-131-0x00000000052C0000-0x000000000535C000-memory.dmp
      Filesize

      624KB

      Download