Analysis
- max time kernel: 40s
- max time network: 43s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:07
Static task: static1
Behavioral task: behavioral1
  Sample: 74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe
  Resource: win10v2004-20220414-en
General
- Target: 74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe
- Size: 754KB
- MD5: ca12eb7a1b83c0ab450644abf40a6b6c
- SHA1: d42c8a7c8b17e05fad9463ad7fb6cc87511e27b6
- SHA256: 74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6
- SHA512: 492d936d47c2bc60d15b1a367c1b63803ed0c9f06a4a3a0d09efedcc63d79c82794b1be43cec48a95232ee39d5ef1f62eb7e4c75a145f741cd32b92ce4591d64
Malware Config
- Extracted from C:\Users\Admin\AppData\Local\Temp\8506BBE7FF\Log.txt: masslogger
Signatures
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger log file (2 IoCs)
  Detects a log file produced by MassLogger.
  Processes:
    yara_rule            ioc
    masslogger_log_file  C:\Users\Admin\AppData\Local\Temp\8506BBE7FF\Log.txt
- Executes dropped EXE (1 IoCs)
  Processes:
    pid  process
    888  vlc.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                               process
    Key value queried  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation  74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    1372  cmd.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    3     api.ipify.org
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes:
    pid  process
    792  timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2024  74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe
    2024  74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   2024  74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe
    Token: SeDebugPrivilege   888   vlc.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (each row was recorded 4 times):
    description                       pid   process                                                                target process
    PID 2024 wrote to memory of 1488  2024  74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe  cmd.exe
    PID 2024 wrote to memory of 1372  2024  74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe  cmd.exe
    PID 1488 wrote to memory of 300   1488  cmd.exe                                                                schtasks.exe
    PID 1372 wrote to memory of 792   1372  cmd.exe                                                                timeout.exe
    PID 1372 wrote to memory of 888   1372  cmd.exe                                                                vlc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe"
  PID: 2024
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit
    PID: 1488
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'
      PID: 300
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp85F3.tmp.bat""
    PID: 1372
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      PID: 792
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
      Command line: "C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
      PID: 888
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 749B
  MD5: 65b2de33e270398e7f8570f09a59f64f
  SHA1: 840ef0ea4a63b5fba10d13e4fbcba29927779b85
  SHA256: e7f8c0ad533e1272b1c318a9039ff6ee4f1316440f298b3980eb0de7e28775e0
  SHA512: db666e4a336442720ae6136e92b01fabe060144736d5b05f3992fa5e32b83e3295d8b93ee1c61d0040c2f6af46844f5ecbd48f10a0b15c62807a9809cdfd5a67
- Filesize: 156B
  MD5: 0b6df837b9d31f0e831ca8fea9b6316d
  SHA1: 923e2bd2a5845a4e123fe2f88c91c1cf9a262bad
  SHA256: 0b1a1be94070233a70afef9da82fc0858c5f4e8f4c93e3daa11c998a6da4a0ce
  SHA512: a81d665765ed23d25ee1ab5642601fb8d4947c97b87037afeda3dcc81e231815fdae4c3a294e441ece08c1f553762420254ff6945c90d55033d8cd68f4e845fd
- Filesize: 754KB
  MD5: ca12eb7a1b83c0ab450644abf40a6b6c
  SHA1: d42c8a7c8b17e05fad9463ad7fb6cc87511e27b6
  SHA256: 74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6
  SHA512: 492d936d47c2bc60d15b1a367c1b63803ed0c9f06a4a3a0d09efedcc63d79c82794b1be43cec48a95232ee39d5ef1f62eb7e4c75a145f741cd32b92ce4591d64