Overview

overview

10

Static

static

INQ4556 PO.exe

windows7_x64

10

INQ4556 PO.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    163s
  • max time network
    235s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 22:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INQ4556 PO.exe

  • Size

    953KB

  • MD5

    787505a211af41260aa84e8473ca533e

  • SHA1

    303bb329745f99bf3c88535914f8b0ac768ac107

  • SHA256

    925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6

  • SHA512

    bfdf5ef6801412652ba9da5c2271317cfa8a153171bf7c3c2648170c4f2f0362fafe0697290a99534c27a977df55882462ae5ee3e03351f844c3b6d21b7ad78b

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note
<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 12:51:05 AM MassLogger Started: 5/21/2022 12:50:54 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\VideoLAN\vlc.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> NA

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    masslog1960

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INQ4556 PO.exe
    "C:\Users\Admin\AppData\Local\Temp\INQ4556 PO.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Users\Admin\AppData\Local\Temp\INQ4556 PO.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1228
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6401.tmp.bat""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:364
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1604
        • C:\Users\Admin\VideoLAN\vlc.exe
          "C:\Users\Admin\VideoLAN\vlc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1848
          • C:\Users\Admin\VideoLAN\vlc.exe
            "{path}"
            5⤵
            • Executes dropped EXE
            PID:280
          • C:\Users\Admin\VideoLAN\vlc.exe
            "{path}"
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • outlook_office_path
            • outlook_win_path
            PID:1500

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp6401.tmp.bat
    Filesize

    140B

    MD5

    051042414389f70c8d5b4e263a6dfbf8

    SHA1

    6f0dd47ab30e68c07f2d6547a1fa39c6f2d2c12a

    SHA256

    78d5a27b90f7fc240edb1a09249117afca52673055daad43f4feacfdf0e6e0a7

    SHA512

    ce28c723eb3de50686c195f0197a36fac6786d7dc0470a4c7278320044c6cfa8104c7dc6809fad9b92b2184425da931c425b796bd071458e0e658f6446ecbc21

    Download Submit

  • C:\Users\Admin\VideoLAN\vlc.exe
    Filesize

    953KB

    MD5

    787505a211af41260aa84e8473ca533e

    SHA1

    303bb329745f99bf3c88535914f8b0ac768ac107

    SHA256

    925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6

    SHA512

    bfdf5ef6801412652ba9da5c2271317cfa8a153171bf7c3c2648170c4f2f0362fafe0697290a99534c27a977df55882462ae5ee3e03351f844c3b6d21b7ad78b

    Download Submit

  • C:\Users\Admin\VideoLAN\vlc.exe
    Filesize

    953KB

    MD5

    787505a211af41260aa84e8473ca533e

    SHA1

    303bb329745f99bf3c88535914f8b0ac768ac107

    SHA256

    925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6

    SHA512

    bfdf5ef6801412652ba9da5c2271317cfa8a153171bf7c3c2648170c4f2f0362fafe0697290a99534c27a977df55882462ae5ee3e03351f844c3b6d21b7ad78b

    Download Submit

  • C:\Users\Admin\VideoLAN\vlc.exe
    Filesize

    953KB

    MD5

    787505a211af41260aa84e8473ca533e

    SHA1

    303bb329745f99bf3c88535914f8b0ac768ac107

    SHA256

    925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6

    SHA512

    bfdf5ef6801412652ba9da5c2271317cfa8a153171bf7c3c2648170c4f2f0362fafe0697290a99534c27a977df55882462ae5ee3e03351f844c3b6d21b7ad78b

    Download Submit

  • C:\Users\Admin\VideoLAN\vlc.exe
    Filesize

    953KB

    MD5

    787505a211af41260aa84e8473ca533e

    SHA1

    303bb329745f99bf3c88535914f8b0ac768ac107

    SHA256

    925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6

    SHA512

    bfdf5ef6801412652ba9da5c2271317cfa8a153171bf7c3c2648170c4f2f0362fafe0697290a99534c27a977df55882462ae5ee3e03351f844c3b6d21b7ad78b

    Download Submit

  • \Users\Admin\VideoLAN\vlc.exe
    Filesize

    953KB

    MD5

    787505a211af41260aa84e8473ca533e

    SHA1

    303bb329745f99bf3c88535914f8b0ac768ac107

    SHA256

    925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6

    SHA512

    bfdf5ef6801412652ba9da5c2271317cfa8a153171bf7c3c2648170c4f2f0362fafe0697290a99534c27a977df55882462ae5ee3e03351f844c3b6d21b7ad78b

    Download Submit

  • memory/1392-62-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1392-63-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1392-67-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1392-69-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1392-70-0x0000000002260000-0x00000000022D8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1392-59-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1392-64-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1392-60-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1392-75-0x0000000004CE5000-0x0000000004CF6000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1500-94-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1500-98-0x0000000001285000-0x0000000001296000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1500-96-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1616-54-0x0000000000D60000-0x0000000000E54000-memory.dmp

    Filesize

    976KB

    Download

  • memory/1616-57-0x00000000057A0000-0x0000000005860000-memory.dmp

    Filesize

    768KB

    Download

  • memory/1616-56-0x0000000000770000-0x000000000077A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1616-55-0x0000000074F91000-0x0000000074F93000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1616-58-0x0000000005960000-0x0000000005A18000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1848-82-0x0000000001370000-0x0000000001464000-memory.dmp

    Filesize

    976KB

    Download