masslogger | cc00689f0696fe00669c8772958d42c1bd989a457bbee7ca3a6b117413aaf3ed

General

Target

Quotation.exe
Size

761KB
MD5

82a8dd7c9cb60f7f27a3187735fe0e70
SHA1

64db00701378728d6bfa898795922017b3c39bcb
SHA256

f9eb2b428ced4131d2846e50d56e87302b6b7ff986c6c524c55d5cef53111d2e
SHA512

cd8939f5a729bd430644a074a4bc0792277843feb72e7cb47f8f7a46b0497381cb5354486b7dc4d9cceb0dbd0e6a78a08e7a768a8ebeb3c564fe11c74e05ed90

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1352-134-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Quotation.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Quotation.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Quotation.exe

description pid process target process

PID 3764 set thread context of 1352 3764 Quotation.exe Quotation.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3764 set thread context of 1352	3764	Quotation.exe	Quotation.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1768 schtasks.exe

pid	process
1768	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dw20.exe

description pid process

Token: SeBackupPrivilege 2412 dw20.exe
Token: SeBackupPrivilege 2412 dw20.exe

description	pid	process
Token: SeBackupPrivilege	2412	dw20.exe
Token: SeBackupPrivilege	2412	dw20.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Quotation.exeQuotation.exe

description	pid	process	target process
PID 3764 wrote to memory of 1768	3764	Quotation.exe	schtasks.exe
PID 3764 wrote to memory of 1768	3764	Quotation.exe	schtasks.exe
PID 3764 wrote to memory of 1768	3764	Quotation.exe	schtasks.exe
PID 3764 wrote to memory of 1352	3764	Quotation.exe	Quotation.exe
PID 3764 wrote to memory of 1352	3764	Quotation.exe	Quotation.exe
PID 3764 wrote to memory of 1352	3764	Quotation.exe	Quotation.exe
PID 3764 wrote to memory of 1352	3764	Quotation.exe	Quotation.exe
PID 3764 wrote to memory of 1352	3764	Quotation.exe	Quotation.exe
PID 3764 wrote to memory of 1352	3764	Quotation.exe	Quotation.exe
PID 3764 wrote to memory of 1352	3764	Quotation.exe	Quotation.exe
PID 3764 wrote to memory of 1352	3764	Quotation.exe	Quotation.exe
PID 1352 wrote to memory of 2412	1352	Quotation.exe	dw20.exe
PID 1352 wrote to memory of 2412	1352	Quotation.exe	dw20.exe
PID 1352 wrote to memory of 2412	1352	Quotation.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jKyhYdgyjTlQP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D6D.tmp"
2⤵
- Creates scheduled task(s)
PID:1768

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 756
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Quotation.exe.log

Filesize
581B

MD5
fb7ca783de5c0f0d7e7c7cdee64542b5

SHA1
25aab766c326e43d03ae94a7409b3512dd17d516

SHA256
47fc53ff728224a600a0e80d49e56a224479589d7ed914c6312fec93dad0c3ef

SHA512
2694aea7a5b4998b03ced645003be53152aaa3b31069f0525263fb8b170753a2677acb5a16e84249a070a4a249c52c5520a0c3dad22eca6862fce32adddd155b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9D6D.tmp

Filesize
1KB

MD5
3200d3c06c138323304d7b87fbd48d5a

SHA1
d1ae3535de00cd3e678cd90dd7cc885d10c6d577

SHA256
146f44fd496af3da682442d0d8e9ae4ace46b4bc7f39c0dafc93a6792e0a26ee

SHA512
a0c5f78e90dc384da6c2a07ebacae8410c06f0a941814cc6d47785261035d8aa813b8899a256753ad849657257daa94fbffa6b6cdf97616c169c03700bc2a7ee

Download Submit
memory/1352-133-0x0000000000000000-mapping.dmp

Download
memory/1352-134-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1352-137-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1768-131-0x0000000000000000-mapping.dmp

Download
memory/2412-136-0x0000000000000000-mapping.dmp

Download
memory/3764-130-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads