Overview

overview

10

Static

static

10

Neptune_028887E.exe

windows7_x64

10

Neptune_028887E.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 23:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Neptune_028887E.exe

  • Size

    1.4MB

  • MD5

    8dff4b620965db5895629bc5e4733154

  • SHA1

    7aab2496a2cba81df62eb42b6b069dcba4e80424

  • SHA256

    8ba2916d91cfaa19c67d2e8a9603fca8a41fac3f960b79edcadab0bb094c3e52

  • SHA512

    fc901d3cb5908ee2a094577d669d0acba760e2ea30fd514845ce674dd0e150c9813c4ef933b76521e93d7357aa5e432f5ee1493468497caa013a4b795087a846

Score
10/10
massloggeragilenetspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 38 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Neptune_028887E.exe
    "C:\Users\Admin\AppData\Local\Temp\Neptune_028887E.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\mas.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\mas.exe"
        3⤵
          PID:1972
      • C:\Users\Admin\AppData\Roaming\mas.exe
        "C:\Users\Admin\AppData\Roaming\mas.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1252
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\mas.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:820
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\mas.exe"
            4⤵
              PID:1492
          • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
            "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
            3⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1468

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        Filesize

        40KB

        MD5

        91c9ae9c9a17a9db5e08b120e668c74c

        SHA1

        50770954c1ceb0bb6f1d5d3f2de2a0a065773723

        SHA256

        e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

        SHA512

        ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        Filesize

        40KB

        MD5

        91c9ae9c9a17a9db5e08b120e668c74c

        SHA1

        50770954c1ceb0bb6f1d5d3f2de2a0a065773723

        SHA256

        e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

        SHA512

        ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mas.exe
        Filesize

        1.4MB

        MD5

        8dff4b620965db5895629bc5e4733154

        SHA1

        7aab2496a2cba81df62eb42b6b069dcba4e80424

        SHA256

        8ba2916d91cfaa19c67d2e8a9603fca8a41fac3f960b79edcadab0bb094c3e52

        SHA512

        fc901d3cb5908ee2a094577d669d0acba760e2ea30fd514845ce674dd0e150c9813c4ef933b76521e93d7357aa5e432f5ee1493468497caa013a4b795087a846

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mas.exe
        Filesize

        1.4MB

        MD5

        8dff4b620965db5895629bc5e4733154

        SHA1

        7aab2496a2cba81df62eb42b6b069dcba4e80424

        SHA256

        8ba2916d91cfaa19c67d2e8a9603fca8a41fac3f960b79edcadab0bb094c3e52

        SHA512

        fc901d3cb5908ee2a094577d669d0acba760e2ea30fd514845ce674dd0e150c9813c4ef933b76521e93d7357aa5e432f5ee1493468497caa013a4b795087a846

        Download Submit

      • \Users\Admin\AppData\Local\Temp\InstallUtil.exe
        Filesize

        40KB

        MD5

        91c9ae9c9a17a9db5e08b120e668c74c

        SHA1

        50770954c1ceb0bb6f1d5d3f2de2a0a065773723

        SHA256

        e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

        SHA512

        ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

        Download Submit

      • \Users\Admin\AppData\Roaming\mas.exe
        Filesize

        1.4MB

        MD5

        8dff4b620965db5895629bc5e4733154

        SHA1

        7aab2496a2cba81df62eb42b6b069dcba4e80424

        SHA256

        8ba2916d91cfaa19c67d2e8a9603fca8a41fac3f960b79edcadab0bb094c3e52

        SHA512

        fc901d3cb5908ee2a094577d669d0acba760e2ea30fd514845ce674dd0e150c9813c4ef933b76521e93d7357aa5e432f5ee1493468497caa013a4b795087a846

        Download Submit

      • memory/1252-66-0x0000000004710000-0x000000000471A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1252-63-0x00000000003A0000-0x0000000000512000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1468-86-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-96-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-595-0x0000000000560000-0x00000000005A4000-memory.dmp

        Filesize

        272KB

        Download

      • memory/1468-134-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-132-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-69-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-70-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-72-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-73-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-74-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-130-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-78-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-80-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-82-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-84-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-128-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-88-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-90-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-92-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-94-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-126-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-98-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-100-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-102-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-104-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-106-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-108-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-110-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-112-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-114-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-116-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-118-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-120-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-122-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1468-124-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1708-54-0x0000000000E00000-0x0000000000F72000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1708-55-0x0000000000460000-0x000000000047E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1708-56-0x00000000004A0000-0x00000000004AA000-memory.dmp

        Filesize

        40KB

        Download