Overview

overview

10

Static

static

246af49565...4a.exe

windows7_x64

10

246af49565...4a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    173s
  • max time network
    197s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 12:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    246af49565355a8604a3df23fece37dfef3a06c93ea5750fc3fd90d4375e234a.exe

  • Size

    571KB

  • MD5

    9aa57ec1e10674582b36181788cb6e5c

  • SHA1

    204b63af90168bd49591f05f2db4906ffff0a75d

  • SHA256

    246af49565355a8604a3df23fece37dfef3a06c93ea5750fc3fd90d4375e234a

  • SHA512

    7f480e22b784f6e56a3ab5a48a23bcfc5511e023830c048d9ef0add8f05826d31beab20493de1a0f17af1302490f62f58862b932765f4ea72aaa191aef0aa355

Score
10/10
massloggercollectionspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\246af49565355a8604a3df23fece37dfef3a06c93ea5750fc3fd90d4375e234a.exe
    "C:\Users\Admin\AppData\Local\Temp\246af49565355a8604a3df23fece37dfef3a06c93ea5750fc3fd90d4375e234a.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Users\Admin\AppData\Local\Temp\246af49565355a8604a3df23fece37dfef3a06c93ea5750fc3fd90d4375e234a.exe
      "C:\Users\Admin\AppData\Local\Temp\246af49565355a8604a3df23fece37dfef3a06c93ea5750fc3fd90d4375e234a.exe"
      2⤵
        PID:4056
      • C:\Users\Admin\AppData\Local\Temp\246af49565355a8604a3df23fece37dfef3a06c93ea5750fc3fd90d4375e234a.exe
        "C:\Users\Admin\AppData\Local\Temp\246af49565355a8604a3df23fece37dfef3a06c93ea5750fc3fd90d4375e234a.exe"
        2⤵
        • Checks computer location settings
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:480
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\246af49565355a8604a3df23fece37dfef3a06c93ea5750fc3fd90d4375e234a.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4636

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/480-140-0x0000000006AC0000-0x0000000006B10000-memory.dmp

      Filesize

      320KB

      Download

    • memory/480-136-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

      Download

    • memory/480-138-0x0000000005FE0000-0x0000000006046000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3032-131-0x00000000058D0000-0x0000000005E74000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3032-132-0x00000000053C0000-0x0000000005452000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3032-133-0x0000000005F20000-0x0000000005FBC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3032-137-0x0000000001120000-0x000000000112A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3032-130-0x0000000000940000-0x00000000009D4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4636-142-0x0000000005460000-0x0000000005A88000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4636-147-0x000000006F760000-0x000000006F7AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4636-143-0x00000000053A0000-0x00000000053C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4636-144-0x0000000005C80000-0x0000000005CE6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4636-145-0x00000000050F0000-0x000000000510E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4636-146-0x0000000006930000-0x0000000006962000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4636-141-0x0000000004DF0000-0x0000000004E26000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4636-148-0x0000000006910000-0x000000000692E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4636-149-0x0000000007D20000-0x000000000839A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4636-150-0x00000000069A0000-0x00000000069BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4636-151-0x00000000076F0000-0x00000000076FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4636-152-0x0000000007900000-0x0000000007996000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4636-153-0x0000000007630000-0x000000000763E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4636-154-0x00000000079C0000-0x00000000079DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4636-155-0x00000000079A0000-0x00000000079A8000-memory.dmp

      Filesize

      32KB

      Download