Overview

overview

10

Static

static

NEWSC9 28TH PO.exe

windows7_x64

10

NEWSC9 28TH PO.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    68s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEWSC9 28TH PO.exe

  • Size

    1020KB

  • MD5

    b543a797b74341bf5d8f52b04e7a3141

  • SHA1

    d2b67094fc02aa9f70c7e6c015be86797e38d5f0

  • SHA256

    2467434b0ac840b5f4dfa8ac3bc14ac9ee6004e7b71bfd3303ab62b6345f0c62

  • SHA512

    74dcf634733c2841715e094868e1b651faf962e242591dc35a6a60428d12c2931a93ce82ac4c556158850ce22dd117bddf6f53f46487ad442359535453448bcd

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\8236ADF044\Log.txt

Family

masslogger

Ransom Note
<|| v2.2.0.0 ||> User Name: Admin IP: 127.0.0.1 Location: United States Windows OS: Microsoft Windows 10 Pro 64bit Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:13:47 AM MassLogger Started: 5/21/2022 2:13:34 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\NEWSC9 28TH PO.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| USB Spread ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> NA

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEWSC9 28TH PO.exe
    "C:\Users\Admin\AppData\Local\Temp\NEWSC9 28TH PO.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\NEWSC9 28TH PO.exe
      "{path}"
      2⤵
        PID:1568
      • C:\Users\Admin\AppData\Local\Temp\NEWSC9 28TH PO.exe
        "{path}"
        2⤵
          PID:3164
        • C:\Users\Admin\AppData\Local\Temp\NEWSC9 28TH PO.exe
          "{path}"
          2⤵
          • Checks computer location settings
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • outlook_office_path
          • outlook_win_path
          PID:4328

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEWSC9 28TH PO.exe.log
        Filesize

        1KB

        MD5

        8ec831f3e3a3f77e4a7b9cd32b48384c

        SHA1

        d83f09fd87c5bd86e045873c231c14836e76a05c

        SHA256

        7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

        SHA512

        26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

        Download Submit
      • memory/1568-135-0x0000000000000000-mapping.dmp
        Download
      • memory/2076-130-0x00000000006C0000-0x00000000007C4000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/2076-131-0x0000000005810000-0x0000000005DB4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2076-132-0x0000000005170000-0x0000000005202000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2076-133-0x0000000005160000-0x000000000516A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2076-134-0x0000000008BF0000-0x0000000008C8C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/3164-136-0x0000000000000000-mapping.dmp
        Download
      • memory/4328-137-0x0000000000000000-mapping.dmp
        Download
      • memory/4328-138-0x0000000000400000-0x00000000004C4000-memory.dmp
        Filesize

        784KB

        Download
      • memory/4328-140-0x0000000005560000-0x00000000055C6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4328-141-0x0000000007E60000-0x0000000007EB0000-memory.dmp
        Filesize

        320KB

        Download