masslogger | 74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6

General

Target

74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe
Size

754KB
MD5

ca12eb7a1b83c0ab450644abf40a6b6c
SHA1

d42c8a7c8b17e05fad9463ad7fb6cc87511e27b6
SHA256

74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6
SHA512

492d936d47c2bc60d15b1a367c1b63803ed0c9f06a4a3a0d09efedcc63d79c82794b1be43cec48a95232ee39d5ef1f62eb7e4c75a145f741cd32b92ce4591d64

Score

10^/10

masslogger ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8506BBE7FF\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.13 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 12:07:32 AM MassLogger Started: 5/21/2022 12:07:24 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe MassLogger Melt: true MassLogger Exit after delivery: false As Administrator: True Processes:

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8506BBE7FF\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.13 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 12:07:32 AM MassLogger Started: 5/21/2022 12:07:24 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe MassLogger Melt: true MassLogger Exit after delivery: false As Administrator: True Processes: ### WD Exclusion ### Disabled

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger log file 2 IoCs

Detects a log file produced by MassLogger.

Processes:

yara_rule
masslogger_log_file
C:\Users\Admin\AppData\Local\Temp\8506BBE7FF\Log.txt	masslogger_log_file

Executes dropped EXE 1 IoCs

Processes:

vlc.exe

pid process

888 vlc.exe

pid	process
888	vlc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation	74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1372 cmd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

300 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

792 timeout.exe

pid	process
1372	cmd.exe

flow	ioc
3	api.ipify.org

pid	process
300	schtasks.exe

pid	process
792	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe

pid	process
2024	74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe
2024	74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exevlc.exe

description	pid	process
Token: SeDebugPrivilege	2024	74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe
Token: SeDebugPrivilege	888	vlc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.execmd.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 1488	2024	74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe	cmd.exe
PID 2024 wrote to memory of 1488	2024	74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe	cmd.exe
PID 2024 wrote to memory of 1488	2024	74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe	cmd.exe
PID 2024 wrote to memory of 1488	2024	74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe	cmd.exe
PID 2024 wrote to memory of 1372	2024	74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe	cmd.exe
PID 2024 wrote to memory of 1372	2024	74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe	cmd.exe
PID 2024 wrote to memory of 1372	2024	74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe	cmd.exe
PID 2024 wrote to memory of 1372	2024	74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe	cmd.exe
PID 1488 wrote to memory of 300	1488	cmd.exe	schtasks.exe
PID 1488 wrote to memory of 300	1488	cmd.exe	schtasks.exe
PID 1488 wrote to memory of 300	1488	cmd.exe	schtasks.exe
PID 1488 wrote to memory of 300	1488	cmd.exe	schtasks.exe
PID 1372 wrote to memory of 792	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 792	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 792	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 792	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 888	1372	cmd.exe	vlc.exe
PID 1372 wrote to memory of 888	1372	cmd.exe	vlc.exe
PID 1372 wrote to memory of 888	1372	cmd.exe	vlc.exe
PID 1372 wrote to memory of 888	1372	cmd.exe	vlc.exe

C:\Users\Admin\AppData\Local\Temp\74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe
"C:\Users\Admin\AppData\Local\Temp\74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'
3⤵
- Creates scheduled task(s)
PID:300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp85F3.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:792

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8506BBE7FF\Log.txt

Filesize
749B

MD5
65b2de33e270398e7f8570f09a59f64f

SHA1
840ef0ea4a63b5fba10d13e4fbcba29927779b85

SHA256
e7f8c0ad533e1272b1c318a9039ff6ee4f1316440f298b3980eb0de7e28775e0

SHA512
db666e4a336442720ae6136e92b01fabe060144736d5b05f3992fa5e32b83e3295d8b93ee1c61d0040c2f6af46844f5ecbd48f10a0b15c62807a9809cdfd5a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85F3.tmp.bat

Filesize
156B

MD5
0b6df837b9d31f0e831ca8fea9b6316d

SHA1
923e2bd2a5845a4e123fe2f88c91c1cf9a262bad

SHA256
0b1a1be94070233a70afef9da82fc0858c5f4e8f4c93e3daa11c998a6da4a0ce

SHA512
a81d665765ed23d25ee1ab5642601fb8d4947c97b87037afeda3dcc81e231815fdae4c3a294e441ece08c1f553762420254ff6945c90d55033d8cd68f4e845fd

Download Submit
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

Filesize
754KB

MD5
ca12eb7a1b83c0ab450644abf40a6b6c

SHA1
d42c8a7c8b17e05fad9463ad7fb6cc87511e27b6

SHA256
74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6

SHA512
492d936d47c2bc60d15b1a367c1b63803ed0c9f06a4a3a0d09efedcc63d79c82794b1be43cec48a95232ee39d5ef1f62eb7e4c75a145f741cd32b92ce4591d64

Download Submit
C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

Filesize
754KB

MD5
ca12eb7a1b83c0ab450644abf40a6b6c

SHA1
d42c8a7c8b17e05fad9463ad7fb6cc87511e27b6

SHA256
74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6

SHA512
492d936d47c2bc60d15b1a367c1b63803ed0c9f06a4a3a0d09efedcc63d79c82794b1be43cec48a95232ee39d5ef1f62eb7e4c75a145f741cd32b92ce4591d64

Download Submit
\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

Filesize
754KB

MD5
ca12eb7a1b83c0ab450644abf40a6b6c

SHA1
d42c8a7c8b17e05fad9463ad7fb6cc87511e27b6

SHA256
74ff711492a61aca0091936e7c5e20d93138fccd4899c0d84ff55307253d4bc6

SHA512
492d936d47c2bc60d15b1a367c1b63803ed0c9f06a4a3a0d09efedcc63d79c82794b1be43cec48a95232ee39d5ef1f62eb7e4c75a145f741cd32b92ce4591d64

Download Submit
memory/300-59-0x0000000000000000-mapping.dmp

Download
memory/792-62-0x0000000000000000-mapping.dmp

Download
memory/888-67-0x0000000000EE0000-0x0000000000FA2000-memory.dmp

Filesize
776KB

Download
memory/888-65-0x0000000000000000-mapping.dmp

Download
memory/1372-58-0x0000000000000000-mapping.dmp

Download
memory/1488-57-0x0000000000000000-mapping.dmp

Download
memory/2024-60-0x0000000004C25000-0x0000000004C36000-memory.dmp

Filesize
68KB

Download
memory/2024-54-0x0000000000AA0000-0x0000000000B62000-memory.dmp

Filesize
776KB

Download
memory/2024-56-0x0000000075381000-0x0000000075383000-memory.dmp

Filesize
8KB

Download
memory/2024-55-0x0000000000640000-0x0000000000684000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads