masslogger | 8c689dedf337057280913d9a8dfc9c10c297e2dc9669a1e19e2c8cbf99cd5ed9

General

Target

PO31909704_1.exe
Size

788KB
MD5

4425e6eccd87b5f867f0e8591b869c6c
SHA1

1c84f8ae03b5c314e64caec354130c4e9adc3974
SHA256

3e57aaffcd5dfe4c6487c73f7c457865405070f276efab07164f30be4741e733
SHA512

48aee6277d3bc33c3024f6c0fb3f889970bc80725af65995be71e9a78041a917b09c0945042b0704e8a4d7ed4db85af6213fbfc9335336596026013826dc2eb7

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1452-136-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PO31909704_1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	PO31909704_1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO31909704_1.exe

description pid process target process

PID 3468 set thread context of 1452 3468 PO31909704_1.exe PO31909704_1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4088 schtasks.exe

description	pid	process	target process
PID 3468 set thread context of 1452	3468	PO31909704_1.exe	PO31909704_1.exe

pid	process
4088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

PO31909704_1.exepowershell.exe

pid	process
3468	PO31909704_1.exe
3468	PO31909704_1.exe
3468	PO31909704_1.exe
3468	PO31909704_1.exe
3468	PO31909704_1.exe
3468	PO31909704_1.exe
3468	PO31909704_1.exe
3860	powershell.exe
3860	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO31909704_1.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3468 PO31909704_1.exe
Token: SeDebugPrivilege 3860 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3468	PO31909704_1.exe
Token: SeDebugPrivilege	3860	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

PO31909704_1.exePO31909704_1.execmd.exe

description	pid	process	target process
PID 3468 wrote to memory of 4088	3468	PO31909704_1.exe	schtasks.exe
PID 3468 wrote to memory of 4088	3468	PO31909704_1.exe	schtasks.exe
PID 3468 wrote to memory of 4088	3468	PO31909704_1.exe	schtasks.exe
PID 3468 wrote to memory of 1452	3468	PO31909704_1.exe	PO31909704_1.exe
PID 3468 wrote to memory of 1452	3468	PO31909704_1.exe	PO31909704_1.exe
PID 3468 wrote to memory of 1452	3468	PO31909704_1.exe	PO31909704_1.exe
PID 3468 wrote to memory of 1452	3468	PO31909704_1.exe	PO31909704_1.exe
PID 3468 wrote to memory of 1452	3468	PO31909704_1.exe	PO31909704_1.exe
PID 3468 wrote to memory of 1452	3468	PO31909704_1.exe	PO31909704_1.exe
PID 3468 wrote to memory of 1452	3468	PO31909704_1.exe	PO31909704_1.exe
PID 3468 wrote to memory of 1452	3468	PO31909704_1.exe	PO31909704_1.exe
PID 1452 wrote to memory of 1864	1452	PO31909704_1.exe	cmd.exe
PID 1452 wrote to memory of 1864	1452	PO31909704_1.exe	cmd.exe
PID 1452 wrote to memory of 1864	1452	PO31909704_1.exe	cmd.exe
PID 1864 wrote to memory of 3860	1864	cmd.exe	powershell.exe
PID 1864 wrote to memory of 3860	1864	cmd.exe	powershell.exe
PID 1864 wrote to memory of 3860	1864	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\PO31909704_1.exe
"C:\Users\Admin\AppData\Local\Temp\PO31909704_1.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mLTzugcgmAqgi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2EA1.tmp"
2⤵
- Creates scheduled task(s)
PID:4088

C:\Users\Admin\AppData\Local\Temp\PO31909704_1.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO31909704_1.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO31909704_1.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO31909704_1.exe.log

Filesize
412B

MD5
ad1c7f6525cfeb54c0487efd38b0e26c

SHA1
ed3da94723ac7e3828a9e93d68418bb810592f3b

SHA256
0a534a3d0fa82e6a427164c5f6e702cac7e4afc9967af9bc5ddba4f84ab33276

SHA512
48d625e6be5391d91d95c2850226fe39bb2411cb72139797699cfe126e6b066182e83950a8ea67e63b64a66b0d45f58d8bc97cab0363d55c2fd88c0d1d28009c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2EA1.tmp

Filesize
1KB

MD5
80d845ae691096bbc0df3a7b7e0bfdf6

SHA1
1d5c43d9bc46152f198d84fb46b5d1c99e4eb4dc

SHA256
90091fa94b044d3b28729da37e27e52caa45845af4ae978b74067036dd463f9c

SHA512
25c391c92b6d1f665005d98d063d0f0b728f73d001e13c9f22ee645d84da21be47042257b4899c286ff2f2928ec5bbab6ec2be0f1d14bfa27e80c8493848cd88

Download Submit
memory/1452-136-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1452-139-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/1452-138-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/1452-135-0x0000000000000000-mapping.dmp

Download
memory/1864-140-0x0000000000000000-mapping.dmp

Download
memory/3468-130-0x0000000000AE0000-0x0000000000BAC000-memory.dmp

Filesize
816KB

Download
memory/3468-132-0x0000000005A20000-0x0000000005AB2000-memory.dmp

Filesize
584KB

Download
memory/3468-131-0x00000000058E0000-0x000000000597C000-memory.dmp

Filesize
624KB

Download
memory/3860-143-0x0000000005B30000-0x0000000006158000-memory.dmp

Filesize
6.2MB

Download
memory/3860-141-0x0000000000000000-mapping.dmp

Download
memory/3860-142-0x00000000053D0000-0x0000000005406000-memory.dmp

Filesize
216KB

Download
memory/3860-144-0x00000000058A0000-0x00000000058C2000-memory.dmp

Filesize
136KB

Download
memory/3860-145-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/3860-146-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/3860-147-0x0000000007FC0000-0x000000000863A000-memory.dmp

Filesize
6.5MB

Download
memory/3860-148-0x0000000006E70000-0x0000000006E8A000-memory.dmp

Filesize
104KB

Download
memory/3860-149-0x0000000007BE0000-0x0000000007C76000-memory.dmp

Filesize
600KB

Download
memory/3860-150-0x0000000006F50000-0x0000000006F72000-memory.dmp

Filesize
136KB

Download
memory/4088-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads