Overview

overview

10

Static

static

NEWPO9399172.exe

windows7_x64

10

NEWPO9399172.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 23:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEWPO9399172.exe

  • Size

    912KB

  • MD5

    5737d1acc70ed4c7085a9e69b9e7216e

  • SHA1

    0601ecdf6c8e7559a405855756a80cda08407b38

  • SHA256

    0fe7af2933781cea89408cc70b9563727d7d4e96dc9a7d18d8d92460823e0a9f

  • SHA512

    639bcf98fbb7c5f8bd5e1b8691f83a9d59671fa1cef45590d14998e7e3ecbde975d2ead61109d3692dd8aa80f0d8d87c7da99f860632abb610eb70b706a35832

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Family

masslogger

Ransom Note
<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/20/2022 11:27:45 PM MassLogger Started: 5/20/2022 11:27:34 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\VideoLAN\vlc.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> NA

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEWPO9399172.exe
    "C:\Users\Admin\AppData\Local\Temp\NEWPO9399172.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Local\Temp\NEWPO9399172.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1740
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFF08.tmp.bat""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1496
        • C:\Users\Admin\VideoLAN\vlc.exe
          "C:\Users\Admin\VideoLAN\vlc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1196
          • C:\Users\Admin\VideoLAN\vlc.exe
            "{path}"
            5⤵
            • Executes dropped EXE
            PID:1420
          • C:\Users\Admin\VideoLAN\vlc.exe
            "{path}"
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • outlook_office_path
            • outlook_win_path
            PID:1372

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpFF08.tmp.bat
    Filesize

    140B

    MD5

    33c7dca245c051ad410d83518383e470

    SHA1

    32a83cd83dff53f4e32b2e4a35f2a08a56ec5a38

    SHA256

    06fdb9b733c763cc7ed6dc8519b4efac88de658b3be6df2eeb073415ccc41bbb

    SHA512

    7eab5d6d402804e58f44e529de3eb1b8a7f8fcbeaa6da5a2d4d5a931eccbf0b269dccc2d6d66e9fd6339cf49a68d91b7c7ddcfdb7631fea2f8d5d28ef6cb3862

    Download Submit

  • C:\Users\Admin\VideoLAN\vlc.exe
    Filesize

    912KB

    MD5

    5737d1acc70ed4c7085a9e69b9e7216e

    SHA1

    0601ecdf6c8e7559a405855756a80cda08407b38

    SHA256

    0fe7af2933781cea89408cc70b9563727d7d4e96dc9a7d18d8d92460823e0a9f

    SHA512

    639bcf98fbb7c5f8bd5e1b8691f83a9d59671fa1cef45590d14998e7e3ecbde975d2ead61109d3692dd8aa80f0d8d87c7da99f860632abb610eb70b706a35832

    Download Submit

  • C:\Users\Admin\VideoLAN\vlc.exe
    Filesize

    912KB

    MD5

    5737d1acc70ed4c7085a9e69b9e7216e

    SHA1

    0601ecdf6c8e7559a405855756a80cda08407b38

    SHA256

    0fe7af2933781cea89408cc70b9563727d7d4e96dc9a7d18d8d92460823e0a9f

    SHA512

    639bcf98fbb7c5f8bd5e1b8691f83a9d59671fa1cef45590d14998e7e3ecbde975d2ead61109d3692dd8aa80f0d8d87c7da99f860632abb610eb70b706a35832

    Download Submit

  • C:\Users\Admin\VideoLAN\vlc.exe
    Filesize

    912KB

    MD5

    5737d1acc70ed4c7085a9e69b9e7216e

    SHA1

    0601ecdf6c8e7559a405855756a80cda08407b38

    SHA256

    0fe7af2933781cea89408cc70b9563727d7d4e96dc9a7d18d8d92460823e0a9f

    SHA512

    639bcf98fbb7c5f8bd5e1b8691f83a9d59671fa1cef45590d14998e7e3ecbde975d2ead61109d3692dd8aa80f0d8d87c7da99f860632abb610eb70b706a35832

    Download Submit

  • C:\Users\Admin\VideoLAN\vlc.exe
    Filesize

    912KB

    MD5

    5737d1acc70ed4c7085a9e69b9e7216e

    SHA1

    0601ecdf6c8e7559a405855756a80cda08407b38

    SHA256

    0fe7af2933781cea89408cc70b9563727d7d4e96dc9a7d18d8d92460823e0a9f

    SHA512

    639bcf98fbb7c5f8bd5e1b8691f83a9d59671fa1cef45590d14998e7e3ecbde975d2ead61109d3692dd8aa80f0d8d87c7da99f860632abb610eb70b706a35832

    Download Submit

  • \Users\Admin\VideoLAN\vlc.exe
    Filesize

    912KB

    MD5

    5737d1acc70ed4c7085a9e69b9e7216e

    SHA1

    0601ecdf6c8e7559a405855756a80cda08407b38

    SHA256

    0fe7af2933781cea89408cc70b9563727d7d4e96dc9a7d18d8d92460823e0a9f

    SHA512

    639bcf98fbb7c5f8bd5e1b8691f83a9d59671fa1cef45590d14998e7e3ecbde975d2ead61109d3692dd8aa80f0d8d87c7da99f860632abb610eb70b706a35832

    Download Submit

  • memory/1196-82-0x0000000000A40000-0x0000000000B28000-memory.dmp

    Filesize

    928KB

    Download

  • memory/1288-62-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1288-67-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1288-69-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1288-70-0x0000000000AA0000-0x0000000000B18000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1288-72-0x0000000004E75000-0x0000000004E86000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1288-64-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1288-59-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1288-60-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1288-63-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1372-98-0x0000000004D25000-0x0000000004D36000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1372-96-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1372-94-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1660-54-0x0000000000B60000-0x0000000000C48000-memory.dmp

    Filesize

    928KB

    Download

  • memory/1660-56-0x0000000000510000-0x0000000000520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1660-57-0x0000000005410000-0x00000000054CC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/1660-55-0x0000000076781000-0x0000000076783000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1660-58-0x0000000005EB0000-0x0000000005F68000-memory.dmp

    Filesize

    736KB

    Download