Analysis
-
max time kernel
149s -
max time network
170s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 00:31
General
-
Target
OOCS DI 20002876.exe
-
Size
1.4MB
-
MD5
27f8ea7f5eca57a8ad069629b50f942e
-
SHA1
2ac3264d1221cf22de0f38690dfb4bbdd2a694a1
-
SHA256
83b37e01d5d48f6a7bc0557863a4e91e84dfc8a1e721850ea265f78cbd6d275a
-
SHA512
e4dfd9a5aaab3713ca06a7d8808b3ff06c09c6c3fb101cab5d87af46a830a6447bfb66396c911e4ef3ae5fca96c60c25db633ec7f3ae09ccea22808df05d8e35
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 38 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\OOCS DI 20002876.exe"C:\Users\Admin\AppData\Local\Temp\OOCS DI 20002876.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chu.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chu.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\chu.exe"C:\Users\Admin\AppData\Roaming\chu.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chu.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chu.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD591c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
Filesize
40KB
MD591c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
Filesize
1.4MB
MD527f8ea7f5eca57a8ad069629b50f942e
SHA12ac3264d1221cf22de0f38690dfb4bbdd2a694a1
SHA25683b37e01d5d48f6a7bc0557863a4e91e84dfc8a1e721850ea265f78cbd6d275a
SHA512e4dfd9a5aaab3713ca06a7d8808b3ff06c09c6c3fb101cab5d87af46a830a6447bfb66396c911e4ef3ae5fca96c60c25db633ec7f3ae09ccea22808df05d8e35
-
Filesize
1.4MB
MD527f8ea7f5eca57a8ad069629b50f942e
SHA12ac3264d1221cf22de0f38690dfb4bbdd2a694a1
SHA25683b37e01d5d48f6a7bc0557863a4e91e84dfc8a1e721850ea265f78cbd6d275a
SHA512e4dfd9a5aaab3713ca06a7d8808b3ff06c09c6c3fb101cab5d87af46a830a6447bfb66396c911e4ef3ae5fca96c60c25db633ec7f3ae09ccea22808df05d8e35
-
Filesize
40KB
MD591c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
Filesize
1.4MB
MD527f8ea7f5eca57a8ad069629b50f942e
SHA12ac3264d1221cf22de0f38690dfb4bbdd2a694a1
SHA25683b37e01d5d48f6a7bc0557863a4e91e84dfc8a1e721850ea265f78cbd6d275a
SHA512e4dfd9a5aaab3713ca06a7d8808b3ff06c09c6c3fb101cab5d87af46a830a6447bfb66396c911e4ef3ae5fca96c60c25db633ec7f3ae09ccea22808df05d8e35
-
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
272KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
-
-
Filesize
40KB
-
Filesize
1.4MB
-
-
-
Filesize
1.4MB
-
Filesize
120KB
-
Filesize
40KB