masslogger | 68cfc485479b0e8c9d632ea389f3614e1c2ebd11fc79cc3075eaf005e361a155

Analysis

max time kernel
105s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inquiry specification.exe
Size

1.1MB
MD5

16c4321bc234cdab8a4d88ab7ec34dce
SHA1

5d14eca7122d63f168dda48f6d93cdc74493d265
SHA256

18e55619cb6c0b70275af3562d71f362114ac432ec97fbcd4ad8425113f6471a
SHA512

d3d5277cdcca9c99a3a797bb0bbf68f2fcdf41efef540e5c445006ec2893bd6c240e620efd78ebe559f608d6423e03d57e161ca03da5e618f4a95a288e368c2a

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 32 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4592-138-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-140-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-142-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-144-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-146-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-148-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-150-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-152-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-154-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-156-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-158-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-160-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-162-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-164-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-166-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-168-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-170-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-172-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-174-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-176-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-178-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-180-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-184-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-182-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-186-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-188-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-190-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-192-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-194-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-196-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-198-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger
behavioral2/memory/4592-200-0x0000000000400000-0x00000000004B2000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

inquiry specification.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	inquiry specification.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

inquiry specification.exe

description pid process target process

PID 896 set thread context of 4592 896 inquiry specification.exe inquiry specification.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3516 schtasks.exe

description	pid	process	target process
PID 896 set thread context of 4592	896	inquiry specification.exe	inquiry specification.exe

pid	process
3516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

inquiry specification.exepowershell.exe

pid	process
896	inquiry specification.exe
896	inquiry specification.exe
896	inquiry specification.exe
896	inquiry specification.exe
896	inquiry specification.exe
896	inquiry specification.exe
620	powershell.exe
620	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

inquiry specification.exeinquiry specification.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	896	inquiry specification.exe
Token: SeDebugPrivilege	4592	inquiry specification.exe
Token: SeDebugPrivilege	620	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

inquiry specification.exeinquiry specification.execmd.exe

description	pid	process	target process
PID 896 wrote to memory of 3516	896	inquiry specification.exe	schtasks.exe
PID 896 wrote to memory of 3516	896	inquiry specification.exe	schtasks.exe
PID 896 wrote to memory of 3516	896	inquiry specification.exe	schtasks.exe
PID 896 wrote to memory of 4592	896	inquiry specification.exe	inquiry specification.exe
PID 896 wrote to memory of 4592	896	inquiry specification.exe	inquiry specification.exe
PID 896 wrote to memory of 4592	896	inquiry specification.exe	inquiry specification.exe
PID 896 wrote to memory of 4592	896	inquiry specification.exe	inquiry specification.exe
PID 896 wrote to memory of 4592	896	inquiry specification.exe	inquiry specification.exe
PID 896 wrote to memory of 4592	896	inquiry specification.exe	inquiry specification.exe
PID 896 wrote to memory of 4592	896	inquiry specification.exe	inquiry specification.exe
PID 896 wrote to memory of 4592	896	inquiry specification.exe	inquiry specification.exe
PID 4592 wrote to memory of 1964	4592	inquiry specification.exe	cmd.exe
PID 4592 wrote to memory of 1964	4592	inquiry specification.exe	cmd.exe
PID 4592 wrote to memory of 1964	4592	inquiry specification.exe	cmd.exe
PID 1964 wrote to memory of 620	1964	cmd.exe	powershell.exe
PID 1964 wrote to memory of 620	1964	cmd.exe	powershell.exe
PID 1964 wrote to memory of 620	1964	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\inquiry specification.exe
"C:\Users\Admin\AppData\Local\Temp\inquiry specification.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNlszk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp"
2⤵
- Creates scheduled task(s)
PID:3516

C:\Users\Admin\AppData\Local\Temp\inquiry specification.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\inquiry specification.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\inquiry specification.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\inquiry specification.exe.log

Filesize
1KB

MD5
400f1cc1a0a0ce1cdabda365ab3368ce

SHA1
1ecf683f14271d84f3b6063493dce00ff5f42075

SHA256
c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

SHA512
14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp

Filesize
1KB

MD5
84daf002c89dbaaa06ad244de34f2b2f

SHA1
f5481f9c16d73935172bcbebfb87f4c44ff0045a

SHA256
7de4f3cca4b93b2a0481834768428d7f9e9fafd88206b4cfab02cf04b6c0402a

SHA512
c494ca248dcbfefc81cde972774b6163100d7b57a946db18f086fae58b0c21f77e0bb9d6abbbd1afc1c01e747d90d2a26d43cd433e4b5236cdc0544ba0f070da

Download Submit
memory/620-666-0x0000000006D00000-0x0000000006D96000-memory.dmp

Filesize
600KB

Download
memory/620-658-0x0000000000000000-mapping.dmp

Download
memory/620-659-0x00000000021D0000-0x0000000002206000-memory.dmp

Filesize
216KB

Download
memory/620-660-0x0000000004D40000-0x0000000005368000-memory.dmp

Filesize
6.2MB

Download
memory/620-661-0x0000000004C00000-0x0000000004C22000-memory.dmp

Filesize
136KB

Download
memory/620-662-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/620-663-0x00000000059D0000-0x00000000059EE000-memory.dmp

Filesize
120KB

Download
memory/620-664-0x00000000072E0000-0x000000000795A000-memory.dmp

Filesize
6.5MB

Download
memory/620-665-0x0000000005FF0000-0x000000000600A000-memory.dmp

Filesize
104KB

Download
memory/620-667-0x0000000006C60000-0x0000000006C82000-memory.dmp

Filesize
136KB

Download
memory/896-130-0x0000000000240000-0x000000000036A000-memory.dmp

Filesize
1.2MB

Download
memory/896-134-0x000000000D6A0000-0x000000000D73C000-memory.dmp

Filesize
624KB

Download
memory/896-133-0x0000000005140000-0x000000000514A000-memory.dmp

Filesize
40KB

Download
memory/896-132-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/896-131-0x0000000005430000-0x00000000059D4000-memory.dmp

Filesize
5.6MB

Download
memory/1964-656-0x0000000000000000-mapping.dmp

Download
memory/3516-135-0x0000000000000000-mapping.dmp

Download
memory/4592-166-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-186-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-156-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-158-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-160-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-162-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-164-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-152-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-168-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-170-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-172-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-174-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-176-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-178-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-180-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-184-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-182-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-154-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-188-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-190-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-192-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-194-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-150-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-148-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-146-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-144-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-140-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-138-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-137-0x0000000000000000-mapping.dmp

Download
memory/4592-196-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-198-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-200-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4592-655-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download