Overview

overview

10

Static

static

10

TILOCRYP.exe

windows7_x64

10

TILOCRYP.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    112s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 22:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TILOCRYP.exe

  • Size

    1.1MB

  • MD5

    204bdadf1189b3224b4ddc9317ae1559

  • SHA1

    27eafcc0591dc3742718a24f59aacd80a7dd3b47

  • SHA256

    3f83c090819bc1dd8a9c1db3588b51ecd839bf0ca85a21f552c4346abe09efdc

  • SHA512

    b73ebdc5a67acfa1b78ca1a18c2b74806034ac00e5d8eb6f35bb24e5e4106ee575886d70382c68be84f3b5f975a6a1b66a3a37c09a3492073bd318c99fbcca61

Score
10/10
massloggercollectionpersistencespywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TILOCRYP.exe
    "C:\Users\Admin\AppData\Local\Temp\TILOCRYP.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3368
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v app /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Documents\app.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v app /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Documents\app.exe"
        3⤵
        • Adds Run key to start application
        PID:3240
    • C:\Users\Admin\Documents\app.exe
      "C:\Users\Admin\Documents\app.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:1844

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    0d5df43af2916f47d00c1573797c1a13

    SHA1

    230ab5559e806574d26b4c20847c368ed55483b0

    SHA256

    c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

    SHA512

    f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    0d5df43af2916f47d00c1573797c1a13

    SHA1

    230ab5559e806574d26b4c20847c368ed55483b0

    SHA256

    c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

    SHA512

    f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

    Download Submit

  • C:\Users\Admin\Documents\app.exe
    Filesize

    1.1MB

    MD5

    204bdadf1189b3224b4ddc9317ae1559

    SHA1

    27eafcc0591dc3742718a24f59aacd80a7dd3b47

    SHA256

    3f83c090819bc1dd8a9c1db3588b51ecd839bf0ca85a21f552c4346abe09efdc

    SHA512

    b73ebdc5a67acfa1b78ca1a18c2b74806034ac00e5d8eb6f35bb24e5e4106ee575886d70382c68be84f3b5f975a6a1b66a3a37c09a3492073bd318c99fbcca61

    Download Submit

  • C:\Users\Admin\Documents\app.exe
    Filesize

    1.1MB

    MD5

    204bdadf1189b3224b4ddc9317ae1559

    SHA1

    27eafcc0591dc3742718a24f59aacd80a7dd3b47

    SHA256

    3f83c090819bc1dd8a9c1db3588b51ecd839bf0ca85a21f552c4346abe09efdc

    SHA512

    b73ebdc5a67acfa1b78ca1a18c2b74806034ac00e5d8eb6f35bb24e5e4106ee575886d70382c68be84f3b5f975a6a1b66a3a37c09a3492073bd318c99fbcca61

    Download Submit

  • memory/1680-135-0x0000000000000000-mapping.dmp

    Download

  • memory/1844-142-0x0000000005BE0000-0x0000000005C46000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1844-138-0x0000000000000000-mapping.dmp

    Download

  • memory/1844-139-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1844-143-0x0000000006AB0000-0x0000000006B00000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1844-144-0x0000000006A80000-0x0000000006A8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1844-145-0x0000000006CB0000-0x0000000006D4C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2180-133-0x0000000000000000-mapping.dmp

    Download

  • memory/3240-134-0x0000000000000000-mapping.dmp

    Download

  • memory/3368-132-0x0000000005350000-0x00000000053E2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3368-131-0x0000000005820000-0x0000000005DC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3368-130-0x00000000000A0000-0x00000000001C8000-memory.dmp

    Filesize

    1.2MB

    Download