Analysis

  • max time kernel: 87s
  • max time network: 146s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 20-05-2022 22:32

General

  • Target: air way bill.exe
  • Size: 861KB
  • MD5: c9e0dc9c74c3782c0319ed1ce090287d
  • SHA1: 9fabc323f888b25b7005d2f793ac941c9091f0f3
  • SHA256: b2169a0b14394b89cad7d3d4092b1a3e940c4504f9e7d982ebbcfd0b8c603530
  • SHA512: 8d13fa2d64d7a5fcb6e57ec014b18e469092ab122a6850dffbe37afc7d752f5c80a50b4cfa171194cf1e96614c0c9c3de50978c9a26f50805b5a016c436180d5

Malware Config

Extracted

  • Path: C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt
  • Family: masslogger
  • Ransom Note:

    <|| v2.4.0.0 ||>
    User Name: Admin
    IP: 154.61.71.50
    Location: United States
    Windows OS: Microsoft Windows 7 Ultimate 64bit
    Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
    CPU: Intel Core Processor (Broadwell)
    GPU: Standard VGA Graphics Adapter
    AV: NA
    Screen Resolution: 1280x720
    Current Time: 5/21/2022 12:41:27 AM
    MassLogger Started: 5/21/2022 12:41:18 AM
    Interval: 1 hour
    MassLogger Process: C:\Users\Admin\AppData\Local\Temp\air way bill.exe
    MassLogger Melt: false
    MassLogger Exit after delivery: false
    As Administrator: True
    Processes:
    <|| WD Exclusion ||> Disabled
    <|| Binder ||> Disabled
    <|| Window Searcher ||> Disabled
    <|| Downloader ||> Disabled
    <|| Bot Killer ||> Disabled
    <|| Search And Upload ||> Disabled
    <|| Telegram Desktop ||> Not Installed
    <|| Pidgin ||> Not Installed
    <|| FileZilla ||> Not Installed
    <|| Discord Tokken ||> Not Installed
    <|| NordVPN ||> Not Installed
    <|| Outlook ||> Not Installed
    <|| FoxMail ||> Not Installed
    <|| Thunderbird ||> Not Installed
    <|| FireFox ||> Not Found
    <|| QQ Browser ||> Not Installed
    <|| Chromium Recovery ||> Not Installed or Not Found
    <|| Keylogger And Clipboard ||> NA

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\air way bill.exe
    "C:\Users\Admin\AppData\Local\Temp\air way bill.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJcljmyFlZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC591.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1584
    • C:\Users\Admin\AppData\Local\Temp\air way bill.exe
      "{path}"
      2⤵
      PID:2000
    • C:\Users\Admin\AppData\Local\Temp\air way bill.exe
      "{path}"
      2⤵
      PID:1084
    • C:\Users\Admin\AppData\Local\Temp\air way bill.exe
      "{path}"
      2⤵
      PID:1808
    • C:\Users\Admin\AppData\Local\Temp\air way bill.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:1484

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpC591.tmp
    Filesize: 1KB
    MD5: f1a3a661ce7a812fa9581319488d4822
    SHA1: 7695002acfc263b338798e663b858614b87c033b
    SHA256: 42eb314af9caf8897b45219cd1b7d78fb2033e16df0679049709055c85604ea2
    SHA512: f69d5980adbc553d0191cc4ae7938482c23af1f6cb237c8084b82ff3c95b6358d3475845ab2e298af73850848462d1d20bfe0b0891840ea2b05104d593e84be8
  • memory/1484-67-0x00000000004B2E7E-mapping.dmp
  • memory/1484-62-0x0000000000400000-0x00000000004B8000-memory.dmp
    Filesize: 736KB
  • memory/1484-74-0x0000000000885000-0x0000000000896000-memory.dmp
    Filesize: 68KB
  • memory/1484-72-0x0000000002100000-0x0000000002178000-memory.dmp
    Filesize: 480KB
  • memory/1484-64-0x0000000000400000-0x00000000004B8000-memory.dmp
    Filesize: 736KB
  • memory/1484-71-0x0000000000400000-0x00000000004B8000-memory.dmp
    Filesize: 736KB
  • memory/1484-69-0x0000000000400000-0x00000000004B8000-memory.dmp
    Filesize: 736KB
  • memory/1484-61-0x0000000000400000-0x00000000004B8000-memory.dmp
    Filesize: 736KB
  • memory/1484-66-0x0000000000400000-0x00000000004B8000-memory.dmp
    Filesize: 736KB
  • memory/1484-65-0x0000000000400000-0x00000000004B8000-memory.dmp
    Filesize: 736KB
  • memory/1584-59-0x0000000000000000-mapping.dmp
  • memory/1612-54-0x0000000000290000-0x000000000036E000-memory.dmp
    Filesize: 888KB
  • memory/1612-56-0x0000000000380000-0x000000000038A000-memory.dmp
    Filesize: 40KB
  • memory/1612-55-0x0000000076531000-0x0000000076533000-memory.dmp
    Filesize: 8KB
  • memory/1612-58-0x0000000005E70000-0x0000000005F28000-memory.dmp
    Filesize: 736KB
  • memory/1612-57-0x0000000001FE0000-0x0000000002098000-memory.dmp
    Filesize: 736KB