Analysis
-
max time kernel 117s
max time network 111s
platform windows7_x64
resource win7-20220414-en
submitted 20-05-2022 23:57
Static task
static1
Behavioral task
behavioral1: Sample paymet swift.exe, Resource win7-20220414-en
Behavioral task
behavioral2: Sample paymet swift.exe, Resource win10v2004-20220414-en
General
-
Target paymet swift.exe
Size 1.1MB
MD5 c3d8e5019f423a7c1ea2666ca16287c6
SHA1 35e02cc1c9e04f08e6f456c10705fd07f8289b49
SHA256 be5577611493fb291815b0a9ed2a682b283febf79ee5ab2e647087494dd3a9c4
SHA512 7b88728bddc5e404e465b7806e1f3c8277f9bbbe17993418cda1605196afc98c960324edb0a0179059b7e9518a01716f29c4905c2c0310c4dc9251a710a7944b
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\8506BBE7FF\Log.txt
masslogger
Signatures
-
MassLogger
MassLogger is a .NET stealer that targets passwords stored by browsers, email clients and cryptocurrency clients.
-
MassLogger Main Payload 6 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1728-62-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger
behavioral1/memory/1728-63-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger
behavioral1/memory/1728-64-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger
behavioral1/memory/1728-65-0x00000000004A2D1E-mapping.dmp | family_masslogger
behavioral1/memory/1728-67-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger
behavioral1/memory/1728-69-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
Processes:
yara_rule masslogger_log_file -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, most likely as a geofence check before the stealer runs.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation | paymet swift.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other profile data. No individual IoCs are listed for this signature in this run.
-
Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | paymet swift.exe
Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | paymet swift.exe
Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | paymet swift.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | paymet swift.exe
Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | paymet swift.exe
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | paymet swift.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | paymet swift.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | paymet swift.exe
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | paymet swift.exe
Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | paymet swift.exe
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | paymet swift.exe
Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | paymet swift.exe
Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | paymet swift.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | paymet swift.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | paymet swift.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1860 set thread context of 1728 | 1860 | paymet swift.exe | paymet swift.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid | process
1860 | paymet swift.exe (6 entries)
1728 | paymet swift.exe (1 entry)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1860 | paymet swift.exe
Token: SeDebugPrivilege | 1728 | paymet swift.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | process | target process
PID 1860 wrote to memory of 948 | 1860 | paymet swift.exe | paymet swift.exe (4 entries)
PID 1860 wrote to memory of 904 | 1860 | paymet swift.exe | paymet swift.exe (4 entries)
PID 1860 wrote to memory of 1728 | 1860 | paymet swift.exe | paymet swift.exe (9 entries)
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | paymet swift.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | paymet swift.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\paymet swift.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\paymet swift.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  child: C:\Users\Admin\AppData\Local\Temp\paymet swift.exe
    command line: "{path}"
  -
  child: C:\Users\Admin\AppData\Local\Temp\paymet swift.exe
    command line: "{path}"
  -
  child: C:\Users\Admin\AppData\Local\Temp\paymet swift.exe
    command line: "{path}"
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1728-64-0x0000000000400000-0x00000000004A8000-memory.dmp | Filesize 672KB
memory/1728-65-0x00000000004A2D1E-mapping.dmp
memory/1728-72-0x0000000005085000-0x0000000005096000-memory.dmp | Filesize 68KB
memory/1728-70-0x00000000003B0000-0x00000000003F4000-memory.dmp | Filesize 272KB
memory/1728-69-0x0000000000400000-0x00000000004A8000-memory.dmp | Filesize 672KB
memory/1728-59-0x0000000000400000-0x00000000004A8000-memory.dmp | Filesize 672KB
memory/1728-67-0x0000000000400000-0x00000000004A8000-memory.dmp | Filesize 672KB
memory/1728-63-0x0000000000400000-0x00000000004A8000-memory.dmp | Filesize 672KB
memory/1728-60-0x0000000000400000-0x00000000004A8000-memory.dmp | Filesize 672KB
memory/1728-62-0x0000000000400000-0x00000000004A8000-memory.dmp | Filesize 672KB
memory/1860-54-0x00000000001A0000-0x00000000002B2000-memory.dmp | Filesize 1.1MB
memory/1860-55-0x0000000075E41000-0x0000000075E43000-memory.dmp | Filesize 8KB
memory/1860-58-0x0000000006060000-0x0000000006108000-memory.dmp | Filesize 672KB
memory/1860-57-0x0000000005B30000-0x0000000005BE2000-memory.dmp | Filesize 712KB
memory/1860-56-0x0000000000380000-0x0000000000390000-memory.dmp | Filesize 64KB
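The dump names in the Downloads list encode the PID and the start and end address of each captured region, so the list can be checked against itself: the Filesize labels should follow from the address ranges, the child's repeated 0x400000 dumps should collapse to one region, and the single-address mapping dump (0x4A2D1E) should fall inside one of the child's regions. The Python below, added here as an example and not part of the sandbox report, does those checks over the entries copied from the list; the name parser, the size formatting and the function names are mine and assume the `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` naming the entries above follow. One result worth a caveat: the 672KB region at 0x400000 in the hollowed child (1728) and the 672KB region at 0x6060000 in the parent (1860) have identical sizes, which is consistent with the parent unpacking the payload in its own memory before writing it into the child, but the report says nothing about their contents, so the code only flags the size match for the analyst to confirm by diffing the two dumps.

```python
"""Consistency checks over the memory-dump inventory on this page.

Added example, not part of the sandbox report. DUMPS is copied by hand from
the Downloads list; the parser and helper names below are assumptions.
"""
import re

DUMPS = [  # (dump name, Filesize label as printed; None where the list shows none)
    ("memory/1728-64-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/1728-65-0x00000000004A2D1E-mapping.dmp", None),
    ("memory/1728-72-0x0000000005085000-0x0000000005096000-memory.dmp", "68KB"),
    ("memory/1728-70-0x00000000003B0000-0x00000000003F4000-memory.dmp", "272KB"),
    ("memory/1728-69-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/1728-59-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/1728-67-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/1728-63-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/1728-60-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/1728-62-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/1860-54-0x00000000001A0000-0x00000000002B2000-memory.dmp", "1.1MB"),
    ("memory/1860-55-0x0000000075E41000-0x0000000075E43000-memory.dmp", "8KB"),
    ("memory/1860-58-0x0000000006060000-0x0000000006108000-memory.dmp", "672KB"),
    ("memory/1860-57-0x0000000005B30000-0x0000000005BE2000-memory.dmp", "712KB"),
    ("memory/1860-56-0x0000000000380000-0x0000000000390000-memory.dmp", "64KB"),
]

# Assumed naming: memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp
NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp"
)


def parse_dump(name):
    """Split a dump name into pid, sequence number, address range and kind."""
    m = NAME_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None  # mapping dumps carry one address
    return {
        "pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
        "start": start, "end": end, "size": None if end is None else end - start,
    }


def human_size(n):
    """Reproduce the report's labels: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def label_mismatches(dumps=DUMPS):
    """Entries whose printed Filesize does not match end - start."""
    bad = []
    for name, label in dumps:
        d = parse_dump(name)
        if d["size"] is not None and human_size(d["size"]) != label:
            bad.append((name, label, human_size(d["size"])))
    return bad


def regions_by_size(dumps=DUMPS):
    """Distinct (pid, start, end) regions keyed by byte size; the repeated
    0x400000 dumps of PID 1728 collapse to a single region."""
    groups = {}
    for name, _label in dumps:
        d = parse_dump(name)
        if d["size"] is not None:
            groups.setdefault(d["size"], set()).add((d["pid"], d["start"], d["end"]))
    return {size: sorted(regions) for size, regions in groups.items()}


def cross_process_same_size(dumps=DUMPS):
    """Sizes that occur as a region in more than one process (candidate
    parent-side staging buffer / child-side destination pairs)."""
    return {
        size: regions for size, regions in regions_by_size(dumps).items()
        if len({pid for pid, _s, _e in regions}) > 1
    }


def mapping_inside_region(dumps=DUMPS):
    """For each single-address mapping dump, the same pid's regions containing it."""
    parsed = [parse_dump(name) for name, _label in dumps]
    result = {}
    for m in parsed:
        if m["kind"] != "mapping":
            continue
        result[m["start"]] = sorted({
            (r["start"], r["end"]) for r in parsed
            if r["pid"] == m["pid"] and r["size"] is not None and r["start"] <= m["start"] < r["end"]
        })
    return result


if __name__ == "__main__":
    print("label mismatches:", label_mismatches())
    for size, regions in cross_process_same_size().items():
        print(f"same size in several pids ({human_size(size)}):", [(p, hex(s), hex(e)) for p, s, e in regions])
    print("mapping address inside:", {hex(a): [(hex(s), hex(e)) for s, e in r] for a, r in mapping_inside_region().items()})
```

All fifteen Filesize labels agree with their address ranges, the only size shared across processes is the 672KB (0xA8000-byte) pair noted in the lead-in, and the mapping address 0x4A2D1E lies inside the child's 0x400000-0x4A8000 region, i.e. inside the same region the family_masslogger YARA rule matched.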