Analysis
-
max time kernel
204s -
max time network
220s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
08-05-2022 06:28
General
-
Target
ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe
-
Size
1.1MB
-
MD5
2db21d61d37712d83a0c44dc9eae8ae8
-
SHA1
1e48335707a769cfeef577750c411a3777ececb4
-
SHA256
ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f
-
SHA512
d72565ccbc05b94bd01814f1d930429f7f077753a8d3fcb4132224cb8ba43bcd7de86d2edf6d2be8cf63eb54a94ba6ed943ac6b2ef8fb2db7c9963e7db2a8582
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe"C:\Users\Admin\AppData\Local\Temp\ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe"1⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zCaIIpkruTk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp88B1.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe'2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp88B1.tmpFilesize
1KB
MD5543943a0bfe2979f647db6faca38111d
SHA182989c53f679751e92514db4d529229ecb9bccef
SHA2563f749cdd00417a0fe34f3679deae8c6f3bde00a8d0e38326762f7b6bc777ae99
SHA512203aec865ea436d155cd8d836b197615e8904064f49d4d71bf5843db4a373596a206289d3610352cf7a719ca42fbc538c76b19508c3b685167c90cd37b554934
-
memory/1352-54-0x0000000000F20000-0x0000000001042000-memory.dmpFilesize
1.1MB
-
memory/1352-55-0x0000000075E51000-0x0000000075E53000-memory.dmpFilesize
8KB
-
memory/1352-56-0x00000000004D0000-0x00000000004DA000-memory.dmpFilesize
40KB
-
memory/1352-57-0x0000000005530000-0x00000000055E8000-memory.dmpFilesize
736KB
-
memory/1352-58-0x0000000006190000-0x0000000006246000-memory.dmpFilesize
728KB
-
memory/1352-61-0x0000000004800000-0x0000000004886000-memory.dmpFilesize
536KB
-
memory/1512-62-0x0000000000000000-mapping.dmp
-
memory/1952-59-0x0000000000000000-mapping.dmp