Overview

overview

10

Static

static

10

Payment.exe

windows7_x64

10

Payment.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    184s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 23:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment.exe

  • Size

    1.5MB

  • MD5

    ab56ad172a0bbb66aeff5c8d18aadc53

  • SHA1

    9e79bba575e0e09d1b9c0f06f298f9c020b57198

  • SHA256

    b22c648668d77e156bb1d3df67f22c0731bc3ea1010b4ddba7317f3f71b33329

  • SHA512

    c30ee4d5da355679b8c73ab9c52372e4487b79bedbc2689ce2d1103a28b0209fcd95c2f0a7a39c253ddda367136ec5d5225d492b5af220bd706a0e3b913a2ce3

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.6.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:40:11 AM MassLogger Started: 5/21/2022 1:39:52 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 38 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:272
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chu.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chu.exe"
        3⤵
          PID:1972
      • C:\Users\Admin\AppData\Roaming\chu.exe
        "C:\Users\Admin\AppData\Roaming\chu.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chu.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1640
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chu.exe"
            4⤵
              PID:1884
          • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
            "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
            3⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • outlook_office_path
            • outlook_win_path
            PID:2008

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        Filesize

        40KB

        MD5

        91c9ae9c9a17a9db5e08b120e668c74c

        SHA1

        50770954c1ceb0bb6f1d5d3f2de2a0a065773723

        SHA256

        e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

        SHA512

        ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        Filesize

        40KB

        MD5

        91c9ae9c9a17a9db5e08b120e668c74c

        SHA1

        50770954c1ceb0bb6f1d5d3f2de2a0a065773723

        SHA256

        e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

        SHA512

        ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

        Download Submit
      • C:\Users\Admin\AppData\Roaming\chu.exe
        Filesize

        1.5MB

        MD5

        ab56ad172a0bbb66aeff5c8d18aadc53

        SHA1

        9e79bba575e0e09d1b9c0f06f298f9c020b57198

        SHA256

        b22c648668d77e156bb1d3df67f22c0731bc3ea1010b4ddba7317f3f71b33329

        SHA512

        c30ee4d5da355679b8c73ab9c52372e4487b79bedbc2689ce2d1103a28b0209fcd95c2f0a7a39c253ddda367136ec5d5225d492b5af220bd706a0e3b913a2ce3

        Download Submit
      • C:\Users\Admin\AppData\Roaming\chu.exe
        Filesize

        1.5MB

        MD5

        ab56ad172a0bbb66aeff5c8d18aadc53

        SHA1

        9e79bba575e0e09d1b9c0f06f298f9c020b57198

        SHA256

        b22c648668d77e156bb1d3df67f22c0731bc3ea1010b4ddba7317f3f71b33329

        SHA512

        c30ee4d5da355679b8c73ab9c52372e4487b79bedbc2689ce2d1103a28b0209fcd95c2f0a7a39c253ddda367136ec5d5225d492b5af220bd706a0e3b913a2ce3

        Download Submit
      • \Users\Admin\AppData\Local\Temp\InstallUtil.exe
        Filesize

        40KB

        MD5

        91c9ae9c9a17a9db5e08b120e668c74c

        SHA1

        50770954c1ceb0bb6f1d5d3f2de2a0a065773723

        SHA256

        e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

        SHA512

        ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

        Download Submit
      • \Users\Admin\AppData\Roaming\chu.exe
        Filesize

        1.5MB

        MD5

        ab56ad172a0bbb66aeff5c8d18aadc53

        SHA1

        9e79bba575e0e09d1b9c0f06f298f9c020b57198

        SHA256

        b22c648668d77e156bb1d3df67f22c0731bc3ea1010b4ddba7317f3f71b33329

        SHA512

        c30ee4d5da355679b8c73ab9c52372e4487b79bedbc2689ce2d1103a28b0209fcd95c2f0a7a39c253ddda367136ec5d5225d492b5af220bd706a0e3b913a2ce3

        Download Submit
      • memory/272-54-0x0000000000CF0000-0x0000000000E6E000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/272-56-0x0000000000390000-0x000000000039A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/272-55-0x0000000000350000-0x000000000036E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/856-57-0x0000000000000000-mapping.dmp
        Download
      • memory/1640-64-0x0000000000000000-mapping.dmp
        Download
      • memory/1884-65-0x0000000000000000-mapping.dmp
        Download
      • memory/1972-58-0x0000000000000000-mapping.dmp
        Download
      • memory/2008-86-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-102-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-69-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-70-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-72-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-73-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-74-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-598-0x0000000002190000-0x00000000021A4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2008-75-0x00000000004ACB6E-mapping.dmp
        Download
      • memory/2008-78-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-80-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-82-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-84-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-597-0x0000000004D85000-0x0000000004D96000-memory.dmp
        Filesize

        68KB

        Download
      • memory/2008-88-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-90-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-92-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-94-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-96-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-98-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-104-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-595-0x00000000005D0000-0x0000000000614000-memory.dmp
        Filesize

        272KB

        Download
      • memory/2008-100-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-108-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-110-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-106-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-112-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-116-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-118-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-114-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-124-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-122-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-120-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-130-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-128-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-126-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-132-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2008-134-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2028-66-0x00000000008C0000-0x00000000008CA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2028-60-0x0000000000000000-mapping.dmp
        Download
      • memory/2028-63-0x00000000000A0000-0x000000000021E000-memory.dmp
        Filesize

        1.5MB

        Download