Analysis

  • max time kernel
    91s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:01

General

  • Target

    PO's-282020.exe

  • Size

    1.5MB

  • MD5

    c6ee03f38ee45f360ec0b06050c43b7b

  • SHA1

    6a0fb3630f4a2519a0c6163e6f3c93772a375a00

  • SHA256

    0b0537b9f976c4a49f1105bc03d252c0cac7a99b9abdb1a020d2966b6a0b1285

  • SHA512

    f586cc57417b23d42e100ad893c26958b223ff64f8ae746d90c9b94b80bb1f11df691190033725c2f1f624a0cec1a49d5ab656b2f8d5e1b6284a2f04bd9d8f94

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\0F48153F20\Log.txt

Family

masslogger

Ransom Note
<|| v2.4.0.0 ||>
User Name: Admin
IP: 154.61.71.51
Location: United States
Windows OS: Microsoft Windows 10 Pro 64bit
Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX
CPU: Intel Core Processor (Broadwell)
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 12:08:37 AM
MassLogger Started: 5/21/2022 12:08:34 AM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\PO's-282020.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
<|| WD Exclusion ||> Disabled
<|| Binder ||> Disabled
<|| Downloader ||> Disabled
<|| Window Searcher ||> Disabled
<|| Bot Killer ||> Disabled
<|| Search And Upload ||> Disabled
<|| Telegram Desktop ||> Not Installed
<|| Pidgin ||> Not Installed
<|| FileZilla ||> Not Installed
<|| Discord Tokken ||> Not Installed
<|| NordVPN ||> Not Installed
<|| Outlook ||> Not Installed
<|| FoxMail ||> Not Installed
<|| Thunderbird ||> Not Installed
<|| FireFox ||> Not Found
<|| QQ Browser ||> Not Installed
<|| Chromium Recovery ||> Not Installed or Not Found
<|| Keylogger And Clipboard ||> NA

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO's-282020.exe
    "C:\Users\Admin\AppData\Local\Temp\PO's-282020.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Users\Admin\AppData\Local\Temp\PO's-282020.exe
      "{path}"
      2⤵
      PID:4588
    • C:\Users\Admin\AppData\Local\Temp\PO's-282020.exe
      "{path}"
      2⤵
      PID:4524
    • C:\Users\Admin\AppData\Local\Temp\PO's-282020.exe
      "{path}"
      2⤵
      PID:4744
    • C:\Users\Admin\AppData\Local\Temp\PO's-282020.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4500

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO's-282020.exe.log
    Filesize
    507B
    MD5
    8cf94b5356be60247d331660005941ec
    SHA1
    fdedb361f40f22cb6a086c808fc0056d4e421131
    SHA256
    52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0
    SHA512
    b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

  • memory/4500-138-0x0000000000400000-0x00000000004B8000-memory.dmp
    Filesize
    736KB

  • memory/4500-142-0x00000000076C0000-0x0000000007710000-memory.dmp
    Filesize
    320KB

  • memory/4500-141-0x0000000007670000-0x000000000767A000-memory.dmp
    Filesize
    40KB

  • memory/4500-140-0x0000000005890000-0x00000000058F6000-memory.dmp
    Filesize
    408KB

  • memory/4500-137-0x0000000000000000-mapping.dmp
  • memory/4524-135-0x0000000000000000-mapping.dmp
  • memory/4588-134-0x0000000000000000-mapping.dmp
  • memory/4744-136-0x0000000000000000-mapping.dmp

  • memory/4760-130-0x0000000000F30000-0x00000000010AE000-memory.dmp
    Filesize
    1.5MB

  • memory/4760-133-0x0000000005E50000-0x0000000005EEC000-memory.dmp
    Filesize
    624KB

  • memory/4760-132-0x0000000005D10000-0x0000000005DA2000-memory.dmp
    Filesize
    584KB

  • memory/4760-131-0x0000000006120000-0x00000000066C4000-memory.dmp
    Filesize
    5.6MB