Overview

overview

10

Static

static

NEWSC_37.exe

windows7_x64

10

NEWSC_37.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    183s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEWSC_37.exe

  • Size

    1.2MB

  • MD5

    e83e32c469eed4bee5aa056ddfbf2d54

  • SHA1

    eac7c02821527551bdcae95ced049c7975923e6d

  • SHA256

    a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4

  • SHA512

    6f4f63ac5e2592a4018a4cccb41282c8d346a1d9fac6bed5c2583692353cb9a6b230f595c98bbf4d6412a6b7a4a10e29066817218c4ae2cd96aa7741058af14c

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note
<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 3:16:28 AM MassLogger Started: 5/21/2022 3:16:18 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\VideoLAN\vlc.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Window Searcher ||> Disabled <|| Downloader ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> NA

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEWSC_37.exe
    "C:\Users\Admin\AppData\Local\Temp\NEWSC_37.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Users\Admin\AppData\Local\Temp\NEWSC_37.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:688
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:580
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5D3E.tmp.bat""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1692
        • C:\Users\Admin\VideoLAN\vlc.exe
          "C:\Users\Admin\VideoLAN\vlc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1548
          • C:\Users\Admin\VideoLAN\vlc.exe
            "{path}"
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • outlook_office_path
            • outlook_win_path
            PID:1188

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5D3E.tmp.bat
    Filesize

    140B

    MD5

    2be990a4bc6b5a996366bc4f54a9db66

    SHA1

    2d16c4f0349a5a43a47959c8ece53e8915aa365c

    SHA256

    6e3340e1dce933036272a597df451732534b38bc10f1345f5ffc4ec139011397

    SHA512

    8fa31e024a68031b32b1d54db360c10fec053bcf6923f62c51310f5e7a18b8b4065c3c562f8328d64bc6d1fc50ad6fcd5b68ed6a55bfaefbbc6db72abd8cdab3

    Download Submit

  • C:\Users\Admin\VideoLAN\vlc.exe
    Filesize

    1.2MB

    MD5

    e83e32c469eed4bee5aa056ddfbf2d54

    SHA1

    eac7c02821527551bdcae95ced049c7975923e6d

    SHA256

    a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4

    SHA512

    6f4f63ac5e2592a4018a4cccb41282c8d346a1d9fac6bed5c2583692353cb9a6b230f595c98bbf4d6412a6b7a4a10e29066817218c4ae2cd96aa7741058af14c

    Download Submit

  • C:\Users\Admin\VideoLAN\vlc.exe
    Filesize

    1.2MB

    MD5

    e83e32c469eed4bee5aa056ddfbf2d54

    SHA1

    eac7c02821527551bdcae95ced049c7975923e6d

    SHA256

    a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4

    SHA512

    6f4f63ac5e2592a4018a4cccb41282c8d346a1d9fac6bed5c2583692353cb9a6b230f595c98bbf4d6412a6b7a4a10e29066817218c4ae2cd96aa7741058af14c

    Download Submit

  • C:\Users\Admin\VideoLAN\vlc.exe
    Filesize

    1.2MB

    MD5

    e83e32c469eed4bee5aa056ddfbf2d54

    SHA1

    eac7c02821527551bdcae95ced049c7975923e6d

    SHA256

    a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4

    SHA512

    6f4f63ac5e2592a4018a4cccb41282c8d346a1d9fac6bed5c2583692353cb9a6b230f595c98bbf4d6412a6b7a4a10e29066817218c4ae2cd96aa7741058af14c

    Download Submit

  • \Users\Admin\VideoLAN\vlc.exe
    Filesize

    1.2MB

    MD5

    e83e32c469eed4bee5aa056ddfbf2d54

    SHA1

    eac7c02821527551bdcae95ced049c7975923e6d

    SHA256

    a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4

    SHA512

    6f4f63ac5e2592a4018a4cccb41282c8d346a1d9fac6bed5c2583692353cb9a6b230f595c98bbf4d6412a6b7a4a10e29066817218c4ae2cd96aa7741058af14c

    Download Submit

  • memory/1064-54-0x0000000000910000-0x0000000000A3E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1064-55-0x00000000769D1000-0x00000000769D3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1064-56-0x0000000000320000-0x0000000000330000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1064-57-0x0000000005260000-0x0000000005320000-memory.dmp

    Filesize

    768KB

    Download

  • memory/1064-58-0x0000000005C10000-0x0000000005CC8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1088-60-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1088-69-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1088-63-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1088-74-0x0000000004DD5000-0x0000000004DE6000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1088-62-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1088-59-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1088-64-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1088-67-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1088-70-0x0000000000880000-0x00000000008F8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1188-93-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1188-95-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1188-97-0x0000000000D25000-0x0000000000D36000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1548-82-0x0000000000DA0000-0x0000000000ECE000-memory.dmp

    Filesize

    1.2MB

    Download