Analysis
- max time kernel: 68s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:05
Static task: static1
Behavioral task: behavioral1
- Sample: NEWSC9 28TH PO.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: NEWSC9 28TH PO.exe
- Resource: win10v2004-20220414-en
General
- Target: NEWSC9 28TH PO.exe
- Size: 1020KB
- MD5: b543a797b74341bf5d8f52b04e7a3141
- SHA1: d2b67094fc02aa9f70c7e6c015be86797e38d5f0
- SHA256: 2467434b0ac840b5f4dfa8ac3bc14ac9ee6004e7b71bfd3303ab62b6345f0c62
- SHA512: 74dcf634733c2841715e094868e1b651faf962e242591dc35a6a60428d12c2931a93ce82ac4c556158850ce22dd117bddf6f53f46487ad442359535453448bcd
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\8236ADF044\Log.txt
- Family: masslogger
Signatures
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger log file (1 IoCs)
  Detects a log file produced by MassLogger.
  Processes:
  yara_rule | masslogger_log_file
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: NEWSC9 28TH PO.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | NEWSC9 28TH PO.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 42 IoCs)
  Processes: NEWSC9 28TH PO.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | NEWSC9 28TH PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | NEWSC9 28TH PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | NEWSC9 28TH PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | NEWSC9 28TH PO.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | NEWSC9 28TH PO.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  31 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: NEWSC9 28TH PO.exe
  description | pid | process | target process
  PID 2076 set thread context of 4328 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: NEWSC9 28TH PO.exe
  pid | process
  4328 | NEWSC9 28TH PO.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes: NEWSC9 28TH PO.exe, NEWSC9 28TH PO.exe
  pid | process
  2076 | NEWSC9 28TH PO.exe
  2076 | NEWSC9 28TH PO.exe
  2076 | NEWSC9 28TH PO.exe
  2076 | NEWSC9 28TH PO.exe
  2076 | NEWSC9 28TH PO.exe
  2076 | NEWSC9 28TH PO.exe
  2076 | NEWSC9 28TH PO.exe
  4328 | NEWSC9 28TH PO.exe
  4328 | NEWSC9 28TH PO.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: NEWSC9 28TH PO.exe, NEWSC9 28TH PO.exe
  description | pid | process
  Token: SeDebugPrivilege | 2076 | NEWSC9 28TH PO.exe
  Token: SeDebugPrivilege | 4328 | NEWSC9 28TH PO.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: NEWSC9 28TH PO.exe
  pid | process
  4328 | NEWSC9 28TH PO.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: NEWSC9 28TH PO.exe
  description | pid | process | target process
  PID 2076 wrote to memory of 1568 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
  PID 2076 wrote to memory of 1568 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
  PID 2076 wrote to memory of 1568 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
  PID 2076 wrote to memory of 3164 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
  PID 2076 wrote to memory of 3164 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
  PID 2076 wrote to memory of 3164 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
  PID 2076 wrote to memory of 4328 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
  PID 2076 wrote to memory of 4328 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
  PID 2076 wrote to memory of 4328 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
  PID 2076 wrote to memory of 4328 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
  PID 2076 wrote to memory of 4328 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
  PID 2076 wrote to memory of 4328 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
  PID 2076 wrote to memory of 4328 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
  PID 2076 wrote to memory of 4328 | 2076 | NEWSC9 28TH PO.exe | NEWSC9 28TH PO.exe
- outlook_office_path (1 IoCs)
  Processes: NEWSC9 28TH PO.exe
  description | ioc | process
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
- outlook_win_path (1 IoCs)
  Processes: NEWSC9 28TH PO.exe
  description | ioc | process
  Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEWSC9 28TH PO.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\NEWSC9 28TH PO.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEWSC9 28TH PO.exe"
  PID: 2076
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\NEWSC9 28TH PO.exe (depth 2)
    Command line: "{path}"
    PID: 1568
  - C:\Users\Admin\AppData\Local\Temp\NEWSC9 28TH PO.exe (depth 2)
    Command line: "{path}"
    PID: 3164
  - C:\Users\Admin\AppData\Local\Temp\NEWSC9 28TH PO.exe (depth 2)
    Command line: "{path}"
    PID: 4328
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEWSC9 28TH PO.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- memory/1568-135-0x0000000000000000-mapping.dmp
- memory/2076-130-0x00000000006C0000-0x00000000007C4000-memory.dmp
  Filesize: 1.0MB
- memory/2076-131-0x0000000005810000-0x0000000005DB4000-memory.dmp
  Filesize: 5.6MB
- memory/2076-132-0x0000000005170000-0x0000000005202000-memory.dmp
  Filesize: 584KB
- memory/2076-133-0x0000000005160000-0x000000000516A000-memory.dmp
  Filesize: 40KB
- memory/2076-134-0x0000000008BF0000-0x0000000008C8C000-memory.dmp
  Filesize: 624KB
- memory/3164-136-0x0000000000000000-mapping.dmp
- memory/4328-137-0x0000000000000000-mapping.dmp
- memory/4328-138-0x0000000000400000-0x00000000004C4000-memory.dmp
  Filesize: 784KB
- memory/4328-140-0x0000000005560000-0x00000000055C6000-memory.dmp
  Filesize: 408KB
- memory/4328-141-0x0000000007E60000-0x0000000007EB0000-memory.dmp
  Filesize: 320KB