masslogger | 3015ce1d2c48a9edba2b6480828c0184cf40cc0114c148c9d9557b7285ddcd7f

General

Target

contract document.exe
Size

821KB
MD5

6f3ce8fb3b14b587b32f612292e2ac55
SHA1

b326a29c550dfdad23775ad734c9ca9653078b9f
SHA256

f784d412a56ccd414525c22e6b2e7c9482040e89be20fdb1f2e4db0016812ea7
SHA512

5fb520283e2dd276c7bf36e1cfbf152603379fd8eb8b218ce8412a83ba520380d11c6bea210b01b29af53822a9c618c3ee9d95c0b466f09d30a5fe36450d1f6d

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4696-140-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

contract document.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	contract document.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

contract document.exe

description pid process target process

PID 1452 set thread context of 4696 1452 contract document.exe contract document.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4460 schtasks.exe

description	pid	process	target process
PID 1452 set thread context of 4696	1452	contract document.exe	contract document.exe

pid	process
4460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

contract document.execontract document.exepowershell.exe

pid	process
1452	contract document.exe
1452	contract document.exe
1452	contract document.exe
1452	contract document.exe
1452	contract document.exe
4696	contract document.exe
4696	contract document.exe
3152	powershell.exe
3152	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

contract document.execontract document.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1452	contract document.exe
Token: SeDebugPrivilege	4696	contract document.exe
Token: SeDebugPrivilege	3152	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

contract document.execontract document.exe

description	pid	process	target process
PID 1452 wrote to memory of 4460	1452	contract document.exe	schtasks.exe
PID 1452 wrote to memory of 4460	1452	contract document.exe	schtasks.exe
PID 1452 wrote to memory of 4460	1452	contract document.exe	schtasks.exe
PID 1452 wrote to memory of 4756	1452	contract document.exe	contract document.exe
PID 1452 wrote to memory of 4756	1452	contract document.exe	contract document.exe
PID 1452 wrote to memory of 4756	1452	contract document.exe	contract document.exe
PID 1452 wrote to memory of 4696	1452	contract document.exe	contract document.exe
PID 1452 wrote to memory of 4696	1452	contract document.exe	contract document.exe
PID 1452 wrote to memory of 4696	1452	contract document.exe	contract document.exe
PID 1452 wrote to memory of 4696	1452	contract document.exe	contract document.exe
PID 1452 wrote to memory of 4696	1452	contract document.exe	contract document.exe
PID 1452 wrote to memory of 4696	1452	contract document.exe	contract document.exe
PID 1452 wrote to memory of 4696	1452	contract document.exe	contract document.exe
PID 1452 wrote to memory of 4696	1452	contract document.exe	contract document.exe
PID 4696 wrote to memory of 3152	4696	contract document.exe	powershell.exe
PID 4696 wrote to memory of 3152	4696	contract document.exe	powershell.exe
PID 4696 wrote to memory of 3152	4696	contract document.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\contract document.exe
"C:\Users\Admin\AppData\Local\Temp\contract document.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cscqYzNqmoZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F52.tmp"
2⤵
- Creates scheduled task(s)
PID:4460

C:\Users\Admin\AppData\Local\Temp\contract document.exe
"{path}"
2⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\contract document.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\contract document.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\contract document.exe.log

Filesize
1KB

MD5
2dc88967f8ab98d834998c930371997a

SHA1
fe54fd90824e71d0df04a47f460e1f72b9e1ffc4

SHA256
454ef7333f3fcdfff8957611a2bc97b3ab5aca972406b6d323e407424f2e7da9

SHA512
975af2932004d1f90474b2e0be35143e1c824c51d92b504cffb52036a4f37f1b62256c5c536089b570f23ada2cf37bbd3af96b14ebfdcfaacf7a65ba406cda77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F52.tmp

Filesize
1KB

MD5
c18e631e4e55bace3d4d2d92fc3b7018

SHA1
1fab9109bd2a8a4b10b1f713e61b718aa81aa421

SHA256
14ed615887d0d8d431fa4e208dcf70126cc2a2f498edb0c4893d5b0c6807c2c6

SHA512
af8fdcc57f6684a2c84f34486e79286a19830116a27290aa6ec882ad59d1e4467adba36e503ee534df4ef34e61ae231a23573ab2505e14b7df5f3fc9e03dd0d7

Download Submit
memory/1452-131-0x0000000005970000-0x0000000005F14000-memory.dmp

Filesize
5.6MB

Download
memory/1452-132-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/1452-133-0x0000000005340000-0x000000000534A000-memory.dmp

Filesize
40KB

Download
memory/1452-134-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/1452-135-0x0000000008460000-0x00000000084FC000-memory.dmp

Filesize
624KB

Download
memory/1452-130-0x00000000008E0000-0x00000000009B4000-memory.dmp

Filesize
848KB

Download
memory/3152-145-0x0000000004DE0000-0x0000000005408000-memory.dmp

Filesize
6.2MB

Download
memory/3152-148-0x00000000070E0000-0x000000000775A000-memory.dmp

Filesize
6.5MB

Download
memory/3152-151-0x0000000006040000-0x0000000006062000-memory.dmp

Filesize
136KB

Download
memory/3152-150-0x0000000006C60000-0x0000000006CF6000-memory.dmp

Filesize
600KB

Download
memory/3152-142-0x0000000000000000-mapping.dmp

Download
memory/3152-149-0x0000000005F80000-0x0000000005F9A000-memory.dmp

Filesize
104KB

Download
memory/3152-144-0x0000000000D40000-0x0000000000D76000-memory.dmp

Filesize
216KB

Download
memory/3152-147-0x0000000005A60000-0x0000000005A7E000-memory.dmp

Filesize
120KB

Download
memory/3152-146-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

Filesize
136KB

Download
memory/4460-136-0x0000000000000000-mapping.dmp

Download
memory/4696-139-0x0000000000000000-mapping.dmp

Download
memory/4696-141-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/4696-140-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4756-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads