Overview

overview

10

Static

static

7cd8e8bdf1...74.exe

windows7_x64

10

7cd8e8bdf1...74.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    75s
  • max time network
    175s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-05-2022 06:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe

  • Size

    956KB

  • MD5

    61d1229b0d488254e427690371417bad

  • SHA1

    a5b44ab6d137d29a46b38926b95c6d3c70fb6c8d

  • SHA256

    7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74

  • SHA512

    5f865181f4b1d683c51f5e044f12be4987a3fbf4047d7f424f7805f3d350298f0b889910f9be423f5b8a5912dd137dced5f9e4c84575199edfd73d28d1ff1b27

Score
10/10
massloggercollectionspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 6 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe
    "C:\Users\Admin\AppData\Local\Temp\7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1332
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/884-54-0x0000000000CC0000-0x0000000000DB6000-memory.dmp
    Filesize

    984KB

    Download
  • memory/884-55-0x0000000075D21000-0x0000000075D23000-memory.dmp
    Filesize

    8KB

    Download
  • memory/884-56-0x00000000003A0000-0x00000000003AA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/884-57-0x0000000005720000-0x00000000057E0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/884-58-0x0000000005AE0000-0x0000000005B9C000-memory.dmp
    Filesize

    752KB

    Download
  • memory/1332-63-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize

    536KB

    Download
  • memory/1332-60-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize

    536KB

    Download
  • memory/1332-62-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize

    536KB

    Download
  • memory/1332-59-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize

    536KB

    Download
  • memory/1332-64-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize

    536KB

    Download
  • memory/1332-65-0x000000000048127E-mapping.dmp
    Download
  • memory/1332-67-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize

    536KB

    Download
  • memory/1332-69-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize

    536KB

    Download
  • memory/1332-73-0x0000000004DA5000-0x0000000004DB6000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1728-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1728-74-0x000000006EE80000-0x000000006F42B000-memory.dmp
    Filesize

    5.7MB

    Download